M-Factor Authentication

Rono Derrick
4 min read · Sep 5, 2016


Some will say M is for multifactor, but let me clarify that before I start. M is just inspired by the word M-Pesa; sorry, but it looks like I'm becoming an M-Pesa fanatic. Recently people have been naming the innovations they expect to succeed with the “M” prefix, so I decided to go with the trend.

Recently a friend of mine shared a very interesting authentication method used by an Irish bank in its mobile app. It uses patterns instead of just access codes. What I deduced from the app screenshot is that a client is given an 8-character alphanumeric personal access code (PAC). It seems you have to memorize this code, or have it pinned somewhere, so that every time you want to log in you can reference it.

The login code is derived from the 8-digit code presented to you at registration, or maybe sent via SMS (I do not bank with I….something bank, so I am basing my argument on general knowledge). When you log in to the mobile banking application, you are given a pattern which you use to enter the passcode, so it is more like solving a puzzle. I found this brilliant, but one limitation is having to cram the 8-digit code. So I thought about how this could apply to the current ecosystem where your PIN is your everything, e.g. mobile banking, internet banking, ATMs etc.

Currently I use a 4-digit PIN for my ATM card and mobile banking account. This means it is easy to remember, and if given a pattern I can easily come up with my session password. To elaborate, I will make the following assumptions:

  1. The application uses a 4-digit numeric PIN.
  2. The index starts at 0.
  3. Our PIN for the tutorial will be 8217.
  4. You kept your original password safe.

Generating a random index String

My concept works on the principle that we have a four-digit PIN and each digit has an index, i.e. 0, 1, 2, 3. The image illustrates that. So to get a unique password every time, we generate a random index string, which we use in the next step to generate the session password.

Generating a session password

To get a session password we use the random index string generated previously to extract the digit at each index of the original PIN, which is stored by the respective organization. This creates the new password to be used for that session.

This means that for every session there is a new password, which must match the pattern given.

Generating pattern and inputting password

Comparing passwords

To check whether the two passwords are equal, we compare the password the client entered against the session password generated from the pattern.

Matching passwords
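The three steps above (random index string, session password derived from the stored PIN, comparison) as an added Python example; this is my illustration of the concept, not the author's proof-of-concept code. It assumes the 4-digit PIN 8217 from the assumptions list, indices 0 to 3, and that indices in a pattern may repeat; the `pin_digits_revealed` helper is a hypothetical addition that quantifies the weakness described in the Cons section.

```python
import hmac
import secrets

PIN_LENGTH = 4  # assumption from the article: a 4-digit numeric PIN, indices 0..3


def generate_index_pattern(length: int = PIN_LENGTH) -> list[int]:
    """Random index string: for each position, pick an index into the PIN.

    Indices may repeat, so a pattern such as [2, 2, 0, 3] is valid.
    The secrets module is used so the pattern cannot be predicted.
    """
    return [secrets.randbelow(length) for _ in range(length)]


def derive_session_password(pin: str, pattern: list[int]) -> str:
    """Build the one-time session password by reading the stored PIN at each index."""
    if not pin.isdigit():
        raise ValueError("PIN must be numeric")
    if any(i < 0 or i >= len(pin) for i in pattern):
        raise ValueError("pattern index out of range for this PIN")
    return "".join(pin[i] for i in pattern)


def passwords_match(entered: str, expected: str) -> bool:
    """Constant-time comparison so response timing does not leak how many digits matched."""
    return hmac.compare_digest(entered.encode(), expected.encode())


def pin_digits_revealed(pattern: list[int]) -> int:
    """Worst case from the Cons section: if one session's pattern and response both leak,
    every distinct index in the pattern gives away one digit of the original PIN."""
    return len(set(pattern))


if __name__ == "__main__":
    pin = "8217"  # the tutorial PIN from the article (constructed sample)
    pattern = generate_index_pattern()
    expected = derive_session_password(pin, pattern)
    print("pattern shown to client:", pattern)
    print("client should answer:   ", expected)
    print("match:", passwords_match(expected, expected))
    print("PIN digits exposed if this session leaks:", pin_digits_revealed(pattern))
```

With PIN 8217 and pattern [2, 0, 3, 1] the session password is 1872; a pattern that repeats indices, such as [2, 2, 0, 0], exposes only two digits of the PIN if that session is observed.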

The code to the proof of concept is publicly available via the following URL

Pros

  1. There are many possible combinations, which makes it hard for attackers to deduce your password easily.
  2. For an attacker to successfully compromise your account, they need to know both the random pattern generated and the original password.
  3. Your original password is never exposed.

Cons

The sad part is if the attacker gets both your session password and the pattern: then they can deduce your password and you are done!!!

Conclusion

This article illustrates how we can authenticate securely with our internet applications and avoid the trap of handing our passwords to eavesdroppers. I believe it has many loopholes, but through an active conversation we can create a production model for it. Whatever is written here is my opinion, and everyone is entitled to theirs. This is just a proof of concept.

If you feel this is something we can explore for a better authentication future, recommend it so that more people can join the conversation and build something worthy.
