2 Factor Authentication

Today we are introducing an essential improvement in user account security. OnePass will now adopt the authentication security technique known as Two Factor Authentication (2FA).

As the Chief Software Architect leading the Research & Development (R&D) team, I know that choosing between security, functionality, and convenience is not an easy task. In this blog post, I will share some of the factors behind the R&D team's decision, which aims to maximize account security while minimizing inconvenience.

What is Two Factor Authentication?

Two Factor Authentication (2FA) is a technique that uses more than one method to confirm the user's identity. In other words, access to the user account will not be granted from an unknown machine without additional confirmation. If you wish to dive deeper into the technical details of 2FA, see the Wikipedia article on Multi-factor Authentication.

Different types of 2FA that we’ve explored

By default, the primary authentication method is Username and Password. The challenge is deciding on the secondary method of authentication that ensures the user attempting to log in is the real account owner. During our R&D phase, we explored different types of secondary authentication techniques and listed the pros and cons of each.

Option #1: Security Question

A security question is a pair consisting of a question and its answer. The user needs to provide the correct answer to the question in order to prove rightful access.

Pros

  • Easy to set up

  • The answer is stored in the user's head

Cons

  • Many security question answers can be found in public records (e.g., your mother's last name)

  • Phishing e-mails and phone calls can extract answers to the security question

  • If the user enters a fake answer to the security question (which is technically stronger than the real answer), it is very likely the user will not remember the "correct" answer.

Option #2: Text Messages

To validate that the user has rightful access, upon login the system sends a text message to the user's registered mobile phone number containing a dynamically generated verification code that expires. The user then enters the code to complete the login process.

Pros

  • Text messaging is very convenient; most people have access to a mobile phone.

  • If the device is lost or stolen, the user can easily transfer the phone number to a new device and prevent the stolen device from receiving further authentication codes.

Cons

  • Some disreputable apps end up with permission accidentally granted to read the user's text messages.

  • Since the phone number isn't burned into the device at the hardware level, hackers can replicate the SIM card, circumvent the security, and receive text messages without ever touching the user's mobile phone.

Option #3: Time-Based One-Time Password

Time-Based One-Time Password (TOTP) is a technique where a code-generating app derives a new password every so often (e.g., every 30 seconds) from a secret key provided by the server and the current time. The code that's produced can be validated by the server to ensure the user has rightful access to the account.

Pros

  • The code generator uses the secret key and the current time, so no internet connection is needed to generate a code

  • The code generated cannot be intercepted

  • The code generated cannot be predicted

Cons

  • The user will need to open the app every time

  • If the app is reset and the secret key is lost, the user loses access to the account

  • If the device that runs the app is out of battery or lost/stolen, the secret key is also unavailable/stolen

  • If the device is not secured, anyone with the device who knows the username and password can be validated as a rightful user.
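To make the TOTP mechanism described above concrete, here is an added example (not OnePass code) of an RFC 6238 generator together with the server-side check, using only the Python standard library; the secret, account and issuer names are placeholders, and the one-step clock-drift tolerance is an assumed policy.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # the "every 30 seconds" from the post
DIGITS = 6


def generate_secret() -> bytes:
    """Server-side shared secret, handed to the app once at enrollment."""
    return secrets.token_bytes(20)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// key URI that authenticator apps read from a QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None) -> str:
    """RFC 6238: HOTP with the counter taken from the current Unix time."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // STEP_SECONDS)


def verify_totp(secret: bytes, submitted: str, at: Optional[int] = None,
                drift_steps: int = 1) -> bool:
    """Server-side check. Accepts the current step plus/minus drift_steps so a
    phone whose clock is a few seconds off still passes. Every candidate is
    compared in constant time and none is skipped, so timing stays uniform.
    A real server must also remember the last accepted counter per user so
    that an observed code cannot be replayed inside the window."""
    now = int(time.time()) if at is None else at
    counter = now // STEP_SECONDS
    ok = False
    for c in range(counter - drift_steps, counter + drift_steps + 1):
        ok |= hmac.compare_digest(hotp(secret, c).encode(), submitted.encode())
    return ok
```

The secret in the test below is the RFC 6238 Appendix B test key, so the expected codes can be checked against the RFC.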

Option #4: U2F Keys

Universal 2nd Factor (U2F) is a physical device that connects to the computer to authenticate the user.

Pros

  • A U2F key is a physical device

  • Cannot be intercepted

  • Phishing-proof

  • The most secure 2FA method available

Cons

  • Newer technology

  • Not widely supported by most computers

  • U2F keys also have an additional cost involved

  • Anyone with the physical device can be authenticated as a rightful user to the account

Option #5: E-mail

The concept is the same as text messaging. Upon login, the server sends an e-mail containing a dynamically generated authentication code to the e-mail address registered with the user's account. Once the authentication code is entered, the user is considered the rightful owner of the account.

Pros

  • Widely accessible by anyone

  • Can be accessed cross-platform (desktop, mobile, tablet, etc.)

  • Phishing-proof

  • No cost involved

Cons

  • A disreputable e-mail service provider has access to the e-mail messages

  • If a hacker gains access to the e-mail account, the secondary authentication may be compromised
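Options #2 and #5 both rely on a dynamically generated code that expires. Here is an added example, not OnePass code, of the server-side record a verifier needs for such codes: only a keyed hash of each code is stored, each code is single-use, expires, and is burned after too many wrong guesses. The ten-minute lifetime, the five-attempt cap and the pepper are assumed values.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

CODE_LIFETIME_SECONDS = 10 * 60  # assumed policy: code is dead after ten minutes
MAX_ATTEMPTS = 5                 # assumed policy: guesses allowed per issued code
CODE_DIGITS = 6


class EmailCodeStore:
    """Pending codes keyed by user id. The code itself never touches storage;
    only an HMAC of it does, so a leaked table does not expose live codes."""

    def __init__(self, pepper: bytes):
        self._pepper = pepper            # server-side key kept out of the database
        self._pending: Dict[str, dict] = {}

    def _digest(self, code: str) -> bytes:
        return hmac.new(self._pepper, code.encode(), hashlib.sha256).digest()

    def issue(self, user_id: str, now: Optional[float] = None) -> str:
        """Create a fresh code for this login; the return value is what goes
        into the e-mail (or text message). Re-issuing replaces any older code."""
        now = time.time() if now is None else now
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._pending[user_id] = {
            "digest": self._digest(code),
            "expires": now + CODE_LIFETIME_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, user_id: str, submitted: str, now: Optional[float] = None) -> bool:
        """True at most once per issued code, before expiry, within the attempt cap."""
        now = time.time() if now is None else now
        rec = self._pending.get(user_id)
        if rec is None or now > rec["expires"]:
            self._pending.pop(user_id, None)   # nothing pending, or it expired
            return False
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            self._pending.pop(user_id, None)   # burn it; the user must request a new code
            return False
        if hmac.compare_digest(rec["digest"], self._digest(submitted)):
            del self._pending[user_id]         # single-use: success consumes the code
            return True
        return False
```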

Why did OnePass choose 2FA with E-mail?

After factoring in convenience, security, and functionality, we decided to go with 2FA with E-mail. The reasoning is simple.

  1. We do not want to require an additional physical device to get authenticated. Although it is secure, it is too troublesome (Option #4 is eliminated)

  2. We do not want the user to get locked out of the account because a third-party device is lost or stolen (Option #3 is eliminated)

  3. We want to provide a higher level of security where the authentication answer cannot be found anywhere (Option #1 is eliminated)

  4. We want to make sure the user can be authenticated using any device that is available (Option #2 is eliminated)

For the reasons provided above, the R&D team believes 2FA with E-mail is the optimal decision given the current state of technology.

Conclusion

The Kuusoft R&D team chose 2FA with E-mail as the authentication method for unknown machines. To ensure ease of use, OnePass will intelligently detect whether the user's device has already been authenticated and whether the integrity of the machine has been compromised. If there are no red flags, OnePass will only require the user to provide the primary method of authentication to access the account.