2 step verification vs 2 factor authentication
Published on: 21 Aug 2013
Several very high-profile smash-and-grab attacks on global-scale cloud service providers have prompted stronger authentication to be deployed at Google, Twitter, Evernote and many other providers. The balance between user friendliness and credible security is a key issue for these providers, or for any web site owner needing to strengthen authentication. There is no point in making the service exorbitantly difficult to use, of course. Looking at the security they have chosen, however, raises the question of why they bothered at all: in the interest of making things easy for users, the "secure" authentication systems they deploy aren't actually secure. Perhaps it's just cost; adding strong user authentication to any service is naturally a cost issue.
What is 2 step verification?
Essentially, the user authentication method we have all become used to is the user name and password, a technology we have known and used since UNIX days. Ironically quite hard to get to grips with, and a real issue on the small screens and fiddly keyboards of any mobile device, it is nonetheless what everyone knows and understands. 2 step verification is simply a process where the provider asks for a user name and password and then adds one step before authorizing you to the service: usually sending an SMS text message to the phone number you previously registered. The content of the SMS is really a one-time password that confirms the user name and password credentials belong to the person who registered that phone number against the account.
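The flow just described, as an added example written for this post rather than code from any provider: after the password check, the server issues a random six-digit code, sends it out of band (the SMS gateway is a placeholder callable), stores only a salted hash with an expiry and a guess limit, and accepts the code exactly once. It also includes the printable backup codes mentioned under problem 1 below as a fallback for a lost or unreachable phone; the time limits and guess limits are constructed policy values, not anything the page specifies.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # constructed policy: an SMS code is valid for 5 minutes
MAX_GUESSES = 5          # constructed policy: the code dies after 5 wrong guesses


def _digest(value, salt):
    # Only a salted hash is kept server-side, so a leaked table exposes no live codes.
    return hashlib.sha256((salt + value).encode()).hexdigest()


class SecondStep:
    """The extra step of 2-step verification: a one-time code sent out of band
    (by SMS here), plus printable backup codes for when the phone is unavailable."""

    def __init__(self, send_sms, now=time.time):
        self.send_sms = send_sms   # callable(phone, text); a real SMS gateway is assumed
        self.now = now             # injectable clock so expiry can be tested
        self.pending = {}          # username -> [salt, digest, expires_at, guesses_left]
        self.backup = {}           # username -> (salt, set of unused code digests)

    def issue(self, username, phone):
        # 6 random decimal digits from the CSPRNG; the plaintext code is never stored.
        code = "%06d" % secrets.randbelow(10**6)
        salt = secrets.token_hex(8)
        self.pending[username] = [salt, _digest(code, salt),
                                  self.now() + CODE_TTL_SECONDS, MAX_GUESSES]
        self.send_sms(phone, "Your login code is " + code)

    def verify(self, username, code):
        entry = self.pending.get(username)
        if entry is None:
            return False
        salt, digest, expires_at, guesses_left = entry
        if self.now() > expires_at or guesses_left <= 0:
            del self.pending[username]    # expired or exhausted: force a fresh issue
            return False
        if hmac.compare_digest(_digest(code, salt), digest):
            del self.pending[username]    # one-time: the same code must not verify twice
            return True
        entry[3] -= 1
        return False

    def generate_backup_codes(self, username, count=10):
        # Shown to the user exactly once, to print and keep offline.
        salt = secrets.token_hex(8)
        codes = [secrets.token_hex(4) for _ in range(count)]
        self.backup[username] = (salt, {_digest(c, salt) for c in codes})
        return codes

    def verify_backup(self, username, code):
        stored = self.backup.get(username)
        if stored is None:
            return False
        salt, unused = stored
        digest = _digest(code, salt)
        match = None
        for candidate in unused:          # compare every entry; no early exit
            if hmac.compare_digest(candidate, digest):
                match = candidate
        if match is None:
            return False
        unused.discard(match)             # each backup code works exactly once
        return True


if __name__ == "__main__":
    outbox = []
    step = SecondStep(send_sms=lambda phone, text: outbox.append(text))
    step.issue("alice", "+44 0000 000000")            # constructed phone number
    code = outbox[-1].split()[-1]
    print("first use:", step.verify("alice", code))    # True
    print("replay:", step.verify("alice", code))       # False
```

The point worth noticing is that the second step only ever proves possession of whatever receives the SMS; the code itself is a short-lived shared secret, and everything about its strength rests on single use, expiry and the guess limit.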
What is 2 factor authentication?
Two Factor Authentication, also known as 2FA, is a substantial layer of additional security belonging to the family collectively known as "multi-factor authentication". One factor is something the user, and only the user, has; the second factor is something the user, and only the user, knows. An extremely successful implementation of 2 factor authentication is the global ATM network. For over 30 years bank customers have been able to securely access their account and be given cash anywhere, any time, using simply a PIN and their ATM card. This has been so successful because it is extremely simple to use and yet cryptographically very strong authentication. There are no credentials passed between the server and the client on the ATM network: no token information, no PINs and no passwords ever cross the wire. If either side is compromised, it reveals nothing about the other party!
2 step verification vs 2 factor authentication
The differences are probably best described by looking at the weaknesses of 2 step verification.
Take a look at these four related problems before deciding to activate any strong user authentication to your web site or application:
1. Don't Lose Your Mobile Phone
What happens if your users lose their mobile phone and can't receive the SMS credential, or simply don't have the phone to hand? Usually, the answer doesn't look good: password-reset systems still require a user who has activated two-factor authentication to enter an SMS-sent PIN code before being allowed to change the password. Some providers let users print out one-time codes, for use in the event that their mobile phone is lost or stolen, or they're travelling and don't have cellular network connectivity; whilst this is an improvement, your users will have to have the print-out to hand.
2. The System Doesn't Allow Activations For Incompatible Carriers
Not all carriers' networks are compatible with two-step verification. This effectively means that users can add two-step verification to their account but then not receive the SMS PIN code they need to access it, because their mobile telecom carrier doesn't support the system. In other words, they've locked themselves out of their account.
This will lead to user resignation, churn and a dramatic increase in help desk load: hardly the aim of the exercise, which is to protect valued users.
3. One Mobile Phone Secures Only One Account
People with more than one account must also decide which single account to protect using two-step verification, unless they also have more than one mobile phone number. That's because 2 step verification allows a mobile phone number to be associated with only a single account name.
By the same token, users cannot register multiple mobile phones to one account name. This is simply a dramatic inflexibility of 2 step verification.
4. Usernames Undermine 2-step verification
Two-step verification, as a step beyond user names and passwords, doesn't address the fact that usernames are often public account handles such as email addresses.
Instead, providers should implement a system whereby usernames are no longer the same as a person's email address. Further, by the same token, as well as user IDs being made secret and truly unique, the concept of both user name and password should be eradicated everywhere, instead of adding further steps to a fundamentally flawed system.
2 Factor authentication: Simple – Cost effective and no more user names and passwords
MIRACL has patented and created the M-Pin protocol and the M-Pin server. It is a software-only implementation of exactly the secure 2 factor authentication process used in ATMs, but without the ATM card: software only, ready to work in any browser on any device. The usability is incredibly simple: a 4 digit PIN. The security is incredibly high, utilizing authenticated key agreement to validate the user's correct use of a PIN within 3 tries against an M-Pin server installed by the web site owner or on-premise within any organization.
Effectively the user's browser on the mobile device becomes "the ATM card", with a cryptographic secret "minus the PIN" being stored in the browser. The user simply needs to register their browser on any device with the service, select a PIN and consequently log on easily with a 4 digit PIN which only they know and the browser on their device which only they have.
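To make the "secret minus the PIN" idea and the ATM-style property that no PIN or secret crosses the wire concrete, here is an added example written for this post. It is not MIRACL's code and does not implement the M-Pin protocol itself: it uses a plain XOR split of a random secret and an HMAC challenge-response in place of M-Pin's authenticated key agreement, and the protected registration channel, the user name and the PIN are constructed assumptions. The browser keeps the full secret XORed with a key stretched from the PIN; the right PIN reconstitutes the secret, a wrong PIN yields an unrelated key, and only the server can tell the difference, counting wrong tries up to the 3 the page mentions.

```python
import hashlib
import hmac
import secrets

MAX_TRIES = 3            # the page: the PIN is validated within 3 tries
PBKDF2_ROUNDS = 20_000   # constructed parameter for stretching the 4-digit PIN


def _pin_key(pin, salt):
    # Stretch the short PIN into a 32-byte key bound to a per-registration salt.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Server:
    """Holds the full per-user secret and one outstanding challenge per user."""

    def __init__(self):
        self.users = {}        # user_id -> {"key": 32-byte secret, "tries": wrong attempts}
        self.challenges = {}   # user_id -> outstanding challenge bytes

    def enroll(self, user_id):
        # Assumption: the full secret reaches the client once over a protected
        # registration channel; the client then splits it and forgets it.
        full = secrets.token_bytes(32)
        self.users[user_id] = {"key": full, "tries": 0}
        return full

    def challenge(self, user_id):
        nonce = secrets.token_bytes(32)
        self.challenges[user_id] = nonce
        return nonce

    def verify(self, user_id, response):
        user = self.users.get(user_id)
        nonce = self.challenges.pop(user_id, None)   # each challenge is usable once
        if user is None or nonce is None or user["tries"] >= MAX_TRIES:
            return False
        expected = hmac.new(user["key"], nonce, "sha256").digest()
        if hmac.compare_digest(expected, response):
            user["tries"] = 0
            return True
        user["tries"] += 1                            # third wrong PIN locks the account
        return False


class Client:
    """The browser side: stores the secret 'minus the PIN', never the PIN itself."""

    def __init__(self, user_id, token, salt):
        self.user_id, self.token, self.salt = user_id, token, salt

    @classmethod
    def register(cls, user_id, full_secret, pin):
        salt = secrets.token_bytes(16)
        token = _xor(full_secret, _pin_key(pin, salt))   # full secret XOR PIN-derived key
        return cls(user_id, token, salt)                  # full_secret is not retained

    def respond(self, pin, nonce):
        # The right PIN reconstitutes the full secret; a wrong PIN yields an
        # unrelated key, and the mismatch is only detectable by the server.
        key = _xor(self.token, _pin_key(pin, self.salt))
        return hmac.new(key, nonce, "sha256").digest()


def login(server, client, pin):
    """One challenge-response round; only a nonce and a MAC cross the wire."""
    nonce = server.challenge(client.user_id)
    return server.verify(client.user_id, client.respond(pin, nonce))


if __name__ == "__main__":
    srv = Server()
    browser = Client.register("bob", srv.enroll("bob"), "1234")   # constructed user and PIN
    print("correct PIN:", login(srv, browser, "1234"))   # True
    print("wrong PIN:", login(srv, browser, "0000"))     # False
```

The try counter bounds online guessing only. A 4-digit PIN has just 10,000 values, so in this toy construction a token copied from the browser together with one captured challenge/response pair would let an attacker test PINs offline; a production protocol must close that gap, and this illustration makes no attempt to and says nothing about how M-Pin itself does so. What it does show is the division of knowledge the page describes: the PIN lives only in the user's head, the PIN-less token only in the browser, and the server never sees either.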
M-Pin is different from deploying any other 2 factor authentication solution. Not only is it simple to use, MIRACL has made it fully open source and free to use with a core managed service. It can be branded, changed and integrated any way necessary.
What do you think of the current verification models adopted and trending with service providers at the moment? Do you worry about the authentication solution you are currently using for your own business? Let us know your thoughts on verification vs authentication.