Experts have known this for a long time, and the rest of us are becoming aware, as more and more security leaks and cases of fraud hit the headlines. As a result, businesses that sign in users digitally are now recognising the need for a form of two-factor authentication (2FA) – explained below – to ensure users are who they say they are.

But with so many 2FA solutions now available, it can be daunting to work out the best way to authenticate real users. Authenticator apps offer a stronger alternative to vulnerable email and SMS authentication – but are they the right choice for your verification?

In this blog, we'll explain the strengths and weaknesses of app-generated codes when it comes to security, accessibility, and risk of compromise, and compare them with passwordless login with SIM-based authentication.

Let's start with a look at why authenticators were developed in the first place.

For robust security, it's recommended by many authorities, such as UK Finance's Strong Customer Authentication guidelines, to reinforce your initial identity method or credential with one of three factors for proving identity:

- Knowledge (something you know, eg a password or a secret answer)
- Inherence (something you are, eg a fingerprint or a face scan)
- Possession (something you have, eg a code or a mobile phone)

(You can also see a handy at-a-glance comparison here.)

Passwords are a type of knowledge-based security, which is flawed because knowledge can be shared or stolen. And not all users are able (or willing) to share biometric inherence information such as their fingerprint – so for a second factor, most businesses turn to possession: usually a randomly generated code known as an OTP (one-time password).

The user is considered to possess the OTP, even though it's digital, because it has just been generated and sent 'only' to them.

But when is a possession not a possession?

However, when these codes are sent by SMS or email, they can easily be stolen by a bad actor. Users can be tricked into sending the OTP to a criminal, as in phishing scams, or criminals can directly intercept the OTP with an MITM (man-in-the-middle) attack or by committing SIM swap fraud.

Authenticator apps were developed specifically to address these vulnerabilities by generating the OTP within the (supposedly) protected environment of the application, and imposing a time-based limitation.

Is a past action the same as a present check?

Authenticator apps typically work like this:

1. The user creates an account for Service A with a username and password.
2. They open App B and connect it to Service A, using that username and password to prove their identity initially.
3. App B is now able to generate a TOTP (time-based one-time password) which the user can use to authenticate themselves to Service A in future.

However, there's a flaw here: App B is not actively connected with any form of identity. All it proves is that, in the past, the user once authorised the app using the first set of credentials.

Authenticator apps aim to demonstrate that the user is in possession of a device they previously authorised. So what happens if their device is lost or stolen? Most mobile phone passcodes are easy to guess, meaning anyone with that device could quickly gain access to a TOTP, even if the user takes action to call their carrier and deactivate their SIM.

The lack of connection between the identity and the device also means the technology could be used against a victim: an attacker who learns a victim's credentials could set up 2FA for that account on the attacker's own phone, locking the user out remotely.

Is an external app the best user experience?

We all know that any friction in the user experience (UX) causes users to drop off, especially at onboarding. From a UX perspective, authenticator apps are a big ask: they require the user to have a smartphone with storage, and to take the time to download an external app. This excludes many users who are either unable to download an app, unwilling to take the time and effort, or don't understand the process. Effectively, it puts up a barrier for users of a certain age or level of comfort with technology – the same users who are often the most vulnerable to malicious actors.

Even if the user makes the effort to download and sign up for external software, they'll still have to switch to a different app to retrieve their code every time. In addition, because the codes are time-sensitive and the process requires back-and-forth between two services, users inevitably mistype codes.