What is MIRACL Trust® Zero-Factor Authentication for Users?
MIRACL Trust® Authentication for users is a simple, secure way for any user to log into a mobile or web application through “strong authentication” (providing two or more of the following: something a user has; something only the user knows; something the user is).
Why Is MIRACL Trust® called Zero Factor Authentication (ZFA)?
MIRACL Trust® is called Zero Factor Authentication because there are no critical credentials transmitted to/from the platform or stored in the platform (unlike current password and two-step authentication solutions). This means that MIRACL Trust® is both stronger and safer authentication.
Why is a short PIN more secure than a password?
The ZFA platform provides two-factor authentication. That means you authenticate to a web application with something you have (in this case, a key from the ZFA platform stored in the mobile application) and something you know (the PIN). Both factors are needed.
If an attacker stole your mobile device, they would still need to guess your PIN within three attempts before authentication is locked out on that device.
PINs used in ZFA are never stored, and there is no way to steal them from storage and crack them offline.
What is two-factor authentication and why do I need it?
Two-factor authentication means you need two things to be able to log in to a website or application. Typically these are “something you know”, in this case a PIN, and “something you have”, in this case your mobile device and the MIRACL Trust® application.
With two-factor authentication, a password (a secret you know) is not enough to get access to a resource, and a second factor is required. That makes it extremely difficult for a malicious actor to impersonate a user and gain access to a resource they are not authorized to access.
Usually, the user needs to prove they are in possession of a second factor (something you have). The second factor that is most familiar to end users is a private key that entitled end users are supplied with for the purpose. Usually, such private keys reside on a hardware dongle, which is either plugged into another device to complete the two-factor authentication or used to generate a one-time password that serves as the second step in the authentication.
Why is ZFA two-factor authentication better than using a hardware or soft token?
A hardware token is essentially a device that stores a private key that is usually used as the second factor in two-factor authentication. The token needs to be protected and stored securely, since it actually contains the complete second factor used during authentication. It is also an additional physical thing that you must carry everywhere in case you need access. If for any reason you don’t have it with you, you cannot gain access to certain resources you are entitled to access.
Software tokens are more flexible, especially as they are used very often with mobile applications. Still, software tokens store your whole private key, so they are vulnerable to key compromise or theft.
ZFA mobile apps never store a whole private key and never store a PIN, which means nobody can steal the “something you have” (the whole private key) or the “something you know” (the PIN) from your ZFA mobile app, because they are simply not there.
Why is using the same password for different websites insecure and do I have the same problem if I reuse my PIN?
When you type a password to gain access to a resource, what you type is compared to a constant value stored in a database. If the database is compromised and your password stolen, the first action hackers will take is to try that same password with your account on the most popular websites. This way they can get access to sensitive functions, like online shopping with your credit card.
PINs used in ZFA are never stored anywhere, so no hacker can steal them from a database in the first place. Plus, knowing your username and your PIN with ZFA is not enough to gain access to anything, because they need the second factor, “something you have”.
Can a keystroke logger steal my PIN?
If your computer has been infected with a virus or other malware and it has installed a keystroke logger, this cannot be used to capture your PIN because you enter it with a mouse and not the keyboard. More sophisticated malware can potentially capture your PIN by recording your screen and mouse actions.
However, because MIRACL Trust® is two-factor authentication, the bad guys would also need to physically steal the “something you have” factor, your computer. Your PIN is tied to the web browser on your computer.
At MIRACL, security comes first and we have already thought of this, albeit unlikely, case. We allow you to log in to a website without typing your PIN into your computer. When you access the website it gives you a code that you can enter into a smartphone app, along with your PIN, and that logs you into the website on your computer.
What happens if someone steals my mobile device?
ZFA is two-factor authentication. So in order for someone to log in to a web application as you, that someone would need both of the two factors: your mobile device that you used to register and your PIN. Unless they have your PIN too, they cannot log in as you.
Can someone steal my computer or mobile device and guess my PIN?
Just like bank ATMs, if the thief tries to guess your PIN unsuccessfully your account is locked after three failed attempts. There is no possibility for an attacker to crack the PIN without connecting to the ZFA service.
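As an added illustration (not MIRACL's protocol or code), here is a constructed Python model of the properties this FAQ describes: the device holds only a PIN-blinded token, no PIN and no whole key is stored anywhere, a wrong PIN reconstructs a plausible-looking but wrong secret that only the service can reject, and the service locks the device after three failed attempts (and re-registration gives a fresh start). The HMAC/XOR split, the `ZfaServiceModel` class and the hashed verifier it keeps are assumptions of this model.

```python
import hashlib
import hmac
import secrets

PIN_ATTEMPT_LIMIT = 3  # the three-strike lockout the FAQ describes


def _pin_share(pin: str, salt: bytes) -> bytes:
    # Assumption of this model: the PIN's contribution is an HMAC under a per-device
    # salt, so two devices registered with the same PIN hold unrelated shares.
    return hmac.new(salt, pin.encode(), hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ZfaServiceModel:
    # Constructed stand-in for the service: a verifier per device, never a PIN.
    def __init__(self) -> None:
        self.devices = {}

    def register(self, device_id: str, pin: str):
        full_secret, salt = secrets.token_bytes(32), secrets.token_bytes(16)
        self.devices[device_id] = {"verifier": hashlib.sha256(full_secret).digest(),
                                   "fails": 0, "locked": False}
        # The device keeps only full_secret XOR pin_share; the PIN and the full
        # secret are discarded, so neither exists at rest on either side.
        return _xor(full_secret, _pin_share(pin, salt)), salt

    def authenticate(self, device_id: str, candidate: bytes) -> str:
        rec = self.devices[device_id]
        if rec["locked"]:
            return "locked"
        if hmac.compare_digest(hashlib.sha256(candidate).digest(), rec["verifier"]):
            rec["fails"] = 0
            return "ok"
        rec["fails"] += 1
        rec["locked"] = rec["fails"] >= PIN_ATTEMPT_LIMIT
        return "locked" if rec["locked"] else "denied"


def device_login(svc, device_id, token, salt, pin) -> str:
    # Any PIN yields a well-formed 32-byte candidate; only the service can tell
    # right from wrong, so a stolen token gives a thief nothing to crack offline.
    return svc.authenticate(device_id, _xor(token, _pin_share(pin, salt)))


def run_scenario(correct_pin="2580", wrong_pin="1111"):
    # Constructed walk-through: one good login, a thief's three guesses, then
    # the real owner trying again on the now-locked device.
    svc = ZfaServiceModel()
    token, salt = svc.register("phone-1", correct_pin)
    results = [device_login(svc, "phone-1", token, salt, correct_pin)]
    results += [device_login(svc, "phone-1", token, salt, wrong_pin) for _ in range(3)]
    results.append(device_login(svc, "phone-1", token, salt, correct_pin))
    return results  # ['ok', 'denied', 'denied', 'locked', 'locked']
```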
Does MIRACL know my PIN?
Your PIN is not saved anywhere, not even encrypted. Your PIN is saved only in your memory. Not even MIRACL knows your PIN!
Can I access a web application from different devices? Do they need to use the same PIN?
You can register as many devices as you like to access the same website or application. During a simple registration process each creates a unique “something you have” and “something you know” pair so the PIN can be the same or different – it doesn’t matter.
Can I use ZFA to access a web site from my mobile device?
If you use your mobile browser to access a website that utilizes ZFA for authentication, you’ll be able to use your ZFA mobile app to log in seamlessly. You just need to navigate to the right URL: your mobile app will be launched automatically and you’ll be redirected to your account when the authentication is complete.
What happens if I lose my phone, or I forget my PIN?
First off, if you lose your phone, no one will be able to log in without your PIN. So your accounts are safe. If so desired, you may contact customer support to disable login from the lost device.
If you forget your PIN, the simplest solution is to enter an incorrect PIN three times. After the third time, you will be asked to re-register, which is a quick and simple process that only requires access to your email account. During registration you can select and enter a new PIN.