
Replacing two-factor authentication

Introduction


2014 could be called the year of the hacked account. According to the Identity Theft Resource Center, data was stolen more often than in any year since 2005.

Unauthorized access to data by year

Have I been pwned? also lists more than 175 million stolen accounts. It is one thing when absolutely all data leaks, and quite another when only user accounts leak. It is the latter that this publication discusses.

Two-factor authentication


Two-factor authentication is essentially an industry standard that blunts the impact of account leaks: an attacker holding a stolen password still cannot log in as that user without the second factor. It also defeats password brute-forcing, removes the need for captchas and, depending on the application, makes a few other things more pleasant.
There are several known ways to implement two-factor authentication:
  1. Physical token.
  2. SMS gateway.
  3. Authenticator application.

Physical token

Pros:
  1. Very secure. If the token is compromised we know about it immediately, because it has to be physically stolen.

Cons:
  1. Costs money.
  2. The user must have it with them whenever they need to authenticate.
  3. If you are B2C, you absolutely cannot hand a token to every user.

SMS gateway

Pros:
  1. Secure.

Cons:
  1. We do not control it. At all. We do not know what is happening inside, we do not know what is happening with our database of phone numbers, we do not know whether the SMS was actually sent. And what happens when the service goes down?
  2. Cost. I took prices from Clickatell. On average, sending one SMS costs 0.03 dollars. If you send 100 thousand messages per month, it will cost you $3,000 per month (~180 thousand rubles) or 36 thousand dollars a year (~2 million rubles). And what if you are a little bigger and send 1 million messages per month? It will cost you 30 thousand dollars a month (360 thousand a year). And what if you have grown really large and send 10 million messages per month? Then please pay 300 thousand dollars a month or 3,600,000 dollars a year (~216 million rubles). This is bad. If the money comes out of your own pocket, you could have bought something interesting with it. If it is the investor's money, you could have spent it on project development, new servers, salary increases and other useful things.
  3. Your user must always carry a phone with the registered SIM card. All the trouble follows from this: the user changes the SIM card, loses the phone, or the battery dies.

Authenticator application

Pros:
  1. Secure.
  2. We have complete control over it.

Cons:
  1. Sometimes the total cost of developing and maintaining such an application is higher than using an SMS gateway.
  2. Your user must always have the enrolled device with them.

Third-party authenticator application

For example, Google Authenticator or Microsoft Authenticator.

Pros:
  1. Secure.

Cons:
  1. We do not control it and do not know what is happening inside.
  2. What will happen to this application tomorrow? Will it be discontinued as unnecessary?
  3. Your user must always have the enrolled device with them, and the device must support a third-party authenticator.

One more authentication (the Sign)


I called it the Sign. The user needs nothing at all except an email address and access to that mailbox.

It looks like this:
  1. The user enters their email in our service.
  2. We add it to the database if it was not already there.
  3. We send the user an email with a generated authorization link and, if the authorization happens in the application, a code.
  4. The user authorizes via the link or by entering the code.
  5. ...
  6. Profit!
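Steps 1 through 4 as an added, runnable sketch (not code from the original post): the server stores only a hash of the link token, issues a short code for in-app entry, and makes both single-use and time-limited. The 15-minute lifetime, the 5-attempt cap on the short code and the `example.invalid` host are assumptions; actual mail delivery is out of scope.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60   # assumed policy: link and code expire after 15 minutes
MAX_TRIES = 5         # assumed policy: the 6-digit code is guessable, so cap attempts


class SignAuth:
    """Minimal 'Sign' login: the user supplies only an email address and
    returns either through the mailed link or by typing the mailed code."""

    def __init__(self, now=time.time):
        self.users = {}     # email -> record; stands in for the user table
        self.pending = {}   # email -> {"token_hash", "code", "expires", "tries"}
        self.now = now      # injectable clock so expiry can be tested

    def request_login(self, email):
        """Steps 1-3: register the address if new, issue a one-time link and code."""
        email = email.strip().lower()
        self.users.setdefault(email, {"email": email})
        token = secrets.token_urlsafe(32)              # 256-bit secret for the link
        code = f"{secrets.randbelow(10**6):06d}"       # short code for in-app entry
        self.pending[email] = {                        # only the token's hash is stored,
            "token_hash": hashlib.sha256(token.encode()).hexdigest(),  # so a DB leak
            "code": code, "expires": self.now() + TOKEN_TTL, "tries": 0}  # yields no link
        link = f"https://example.invalid/auth?email={email}&token={token}"  # placeholder host
        return link, code    # contents of the email; actual delivery is out of scope here

    def redeem(self, email, secret):
        """Step 4: accept the link token or the code exactly once, within the TTL."""
        email = email.strip().lower()
        entry = self.pending.get(email)
        if entry is None or self.now() > entry["expires"]:
            self.pending.pop(email, None)              # expired entries are discarded
            return None
        entry["tries"] += 1
        given = secret.encode()
        ok_link = secrets.compare_digest(hashlib.sha256(given).hexdigest().encode(),
                                         entry["token_hash"].encode())
        ok_code = secrets.compare_digest(given, entry["code"].encode())
        if not (ok_link or ok_code):
            if entry["tries"] >= MAX_TRIES:
                del self.pending[email]                # burn the login after repeated misses
            return None
        del self.pending[email]                        # single use: link and code die together
        return email
```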


Process Diagram:

The authentication process through the Sign

Pros:
  1. Secure.
  2. The user does not need to think up a password or decide whether to give us access to their social network profile. If we first build a landing page to test the popularity of an idea, we can simply send users authorization links instead of bothering them with a sign-up.
  3. We fully control and monitor the entire process.
  4. The cost of the solution is extremely low.
  5. Works on any device.
  6. The user does not need an enrolled device at all, only access to their mail.
  7. Build once and forget; only support remains. But you already maintain a mailing service in your project, don't you?
  8. Entering the code in the application takes exactly the same effort as with SMS.

Cons:
  1. The user needs access to their email account.

Conclusion


This process is still a concept and is not used in live applications. It has not been tested by time, since it came out of exactly one head, and it has not been tested by criticism. But I did not find possible attacks or any generally significant drawbacks. Therefore I submit it for public discussion. I would like to understand whether anything limits the use of such authorization other than the fact that it is not widely used.

Source: https://habr.com/ru/post/254605/
