The password problem has improved in recent years, with NIST now recommending passphrases instead of passwords, but if you can avoid passwords altogether, why not? We built Lockdrop's user authentication system to be "passwordless" from the start.

We initially opted for the method that introduces the least friction for our users: OTP (one-time passcodes) delivered via SMS or email. When a user logs into Lockdrop, they are asked for the email address or mobile number associated with their account. Lockdrop then sends a time-limited one-time passcode to that email address or, via SMS, to that mobile number. The user is prompted to enter the code to complete the login. The user doesn't have to remember anything, and we have authenticated them using "something they have" (a possession-based factor) - a phone or an email account - rather than "something they know" (a knowledge-based factor) such as a password. Admittedly this process is not perfect, but it is arguably better than passwords for the vast majority of users.

What are some weaknesses of OTP over SMS/Email?

MFA (multi-factor authentication) is an important aspect of operational security today, for professionals and regular people alike, and for good reason: it is increasingly easy to compromise any single factor. Knowledge-based factors sound incredibly secure (people can't steal your thoughts, yet?) but in practice are horrible: passwords are reused, phished and leaked. Authenticating someone by possession of a device associated with them is better than a knowledge-based factor for most people, but it isn't always enough. For those with a higher risk profile, SMS messages and emails can be intercepted at telecom companies (or, it seems, through their partners). Thankfully, attacks of that kind typically require nation-state capabilities and/or a focus on specific victims. Scarier still is the ease with which SIM-swapping attacks can be carried out.