What is MIRACL Trust® Zero-Factor Authentication for Users?
MIRACL Trust® Authentication for users is a simple, secure way for any user to log into a mobile or web application through “strong authentication” (providing two or more of the following: something a user has; something only the user knows; something the user is).
Why Is MIRACL Trust® called Zero Factor Authentication (ZFA)?
MIRACL Trust® is called Zero Factor Authentication because there are no critical credentials transmitted to/from the platform or stored in the platform (unlike current password and two-step authentication solutions). This means that MIRACL Trust® is both stronger and safer authentication.
Why is a short PIN more secure than a password?
ZFA platform provides two factor authentication. That means you authenticate into a web application with something you have (in this case a key from the ZFA platform stored in the mobile application) and something you know (the PIN). Both factors are needed.
If an attacker stole your mobile device, he’d still need to guess your PIN in three attempts before authentication is locked out on this device.
PINs used in ZFA are never stored, and there is no way to steal them from storage and crack them offline.
What is two-factor authentication and why do I need it?
Two factor authentication means you need two things to be able to login to a website or application. Typically these are “something you know”, in this case a PIN and “something you have”, in this case your mobile device and MIRACL Trust® application.
With Two-factor authentication a password (a secret you know) is not enough to get access to a resource, and a second factor is required. That makes it extremely difficult for a malicious actor to impersonate a user and gain access to a resource they are not authorized to access.
Usually, the user needs to prove they are in possession of a second factor (something you have). The second factor that is most familiar to end-users is private keys that the entitled end-users are supplied with for the purpose. Usually, such private keys reside on a hardware dongle, which is either plugged in to another device to complete the two-factor authentication or used to generate a one-time password, used as a second step in the authentication.
Why is ZFA two-factor authentication better than using a hardware or soft token?
A hardware token is essentially a device that stores a private key that is usually used as the second factor in two factor authentication. The token needs to be protected and stored securely, since it actually contains the complete second factor used during authentication. It is also an additional physical thing that you must carry everywhere in case you need access. If for any reason you don’t have it with you, you cannot gain access to certain resources you are entitled to access.
Software tokens are more flexible, especially as they are used very often with mobile applications. Still, software tokens store your whole private key, so are vulnerable to key compromise or theft.
ZFA mobile apps never store a whole private key and never store a PIN, which means, nobody can steal the “something you have” from your ZFA mobile app, because they’re simply not there.
Why is using the same password for different websites insecure and do I have the same problem if I reuse my PIN?
When you type a password to gain access to a resource, what you type is compared to a constant value stored in a database. If the database is compromised and your password stolen, the first action hackers will take is to try that same password on the most popular web sites with your account. This way they can get access to sensitive functions, like on-line shopping with your credit card.
PINs used in ZFA are never stored anywhere, so no hacker can steal them from a database in the first place. Plus, knowing your username and your PIN with ZFA is not enough to gain access to anything, because they need the second factor, “something you have”.
Can a keystroke logger steal my PIN?
If your computer has been infected with a virus or other malware and it has installed a keystroke logger, this cannot be used to capture your PIN because you enter it with a mouse and not the keyboard. More sophisticated malware can potentially capture your PIN by recording your screen and mouse actions.
However, because MIRACL Trust® is two-factor authentication, the bad guys would also need to physically steal the “something you have” factor, your computer. Your PIN is tied to the web browser on your computer.
At MIRACL, security comes first and we have already thought of this albeit unlikely case. We allow you to login to a website without typing your PIN into your computer. When you access the website it gives you a code that you can enter into a smartphone app, along with your PIN, and that logs you into the website on your computer.
What happens if someone steals my mobile device?
ZFA is two-factor authentication. So in order for someone to login to a web application as you, that someone would need both of the two factors – your mobile device that you used to register and your PIN. Unless they have your PIN too they cannot login as you.
Can someone steal my computer or mobile device and guess my PIN?
Just like bank ATMs, if the thief tries to guess your PIN unsuccessfully your account is locked after three failed attempts. There is no possibility for an attacker to crack the PIN without connecting to the ZFA service.
Does MIRACL know my PIN?
Your PIN is not saved anywhere, not even encrypted. Your PIN is saved only in your memory. Not even MIRACL knows your PIN!
Can I access a web application from different devices? Do they need to use the same PIN?
You can register as many devices as you like to access the same website or application. During a simple registration process each creates a unique “something you have” and “something you know” pair so the PIN can be the same or different – it doesn’t matter.
Can I use ZFA to access a web site from my mobile device?
If you use your mobile browser to access a website that utilizes ZFA for authentication, you’ll be able to use your ZFA mobile app to login, seamlessly. You just need to navigate to the right URL: your mobile app will be launched automatically and you’ll be redirected to your account when the authentication is complete.
What happens if I lose my phone, or I forget my PIN?
First off, if you lose your phone, no one will be able to login without your PIN. SO your accounts are safe. If so desired, you may contact customer support to disable login from the lost device.
If you forgot your PIN, the simplest solution is to enter a PIN three times. After the third time, you will be asked to re-register, which is a quick and simple process that only requires access to your email account. During registration you can select and enter a new PIN.
Is MIRACL HIPPA, PCI, SOC2 compliant?
Since MIRACL Trust does not sync, send or store relevant information in whole form to deliver its multi-factor authentication as a service for web and mobile apps, we do not need to be compliant with information/ data security guidelines for businesses in regulated industries - which means that any organization who needs to be HIPPA or PCI compliant can meet relevant regulations by removing the security practices that introduce risk. (Remove risk, remove requirement).
Is MIRACL Trust certified to UK Government GPG44/ 45: LoA 2 and LoA 3?
MIRACL is not independently certified at GPG44/ 45: LoA 2 and LoA 3, but the identity and authentication products we empower have been approved for use in the UK.Gov/Verify programs, which covers all components of Experian’s offering (including MIRACL’s m-pin protocol).
Is MIRACL Trust certified to FIPS 140-2 Level 2?
MIRACL Trust currently uses AWS KMS which currently being certified for FIPS 140-2. However, MIRAC Trust will release in Q3 2017 a transparent key rotation program, which eliminates the need to store keys on KMS-related hardware, thereby removing the centralized cybersecurity risk.
What’s behind the strength of the cryptography of MIRACL’s m-pin protocol?
The security of M-Pin is predicated on a certain hard problem in cryptography (the External Decisional Diffie-Hellman problem - or XDH assumption), on which not a glove has been laid in the 15 years since it was first proposed. Many other cryptographic schemes have been proposed based on XDH, and none of them has been broken either, so we share a boat with lots of others.
Once a protocol is shown to depend on one of these established hard assumptions, attackers tend to give up. Like no-one would even try and attack RSA any more, based as it is on the hard problem of integer factorisation, as "everyone knows" integer factorisation is hard, and will remain so this side of a quantum computer.
Is MIRACL compliant with NIST Digital Identity Guidelines SP 800-63 in the United States?
MIRACL is a UK based company, currently independent of US government guidelines, and uses a similar but separate set of measurements (GPG44/ 45 in the UK instead of SP 800-63 in the US). Once SP 800-63 version three is published in late summer 2017 we will consider and compare against our current UK certifications and reconcile where required.
Is MIRACL certified to level ISO 27001?
MIRACL as a security company is currently in the process of completing is ISO 27001 Certification and expects to be complete before the end of the 2017 calendar year.
Is MIRACL OIDC Certified?
MIRACL Trust itself is an implementation of the Open ID Connect protocol and the company is currently in the process of having its certification recognized.
Is MIRACL certified as a PSD2 compliant solution?
Current requirement of PSD2 related to providing customer security identifies that a solution delivers “strong authentication” which is defined as something a user has (software token in a web browser / mobile app) and something only a user knows (4 digit PIN memorized). Since MIRACL Trust meets both of those definitions, our multi-factor authentication meets the needs of PSD2.