Two-factor and multi-factor authentication need to be redesigned

The Original DDT
Hybrid Security Superheroes
2 min read · Nov 16, 2018

Single-factor authentication isn’t enough, let’s move on to two-factor authentication… that’s not enough either, let’s go multi-factor… how many? I don’t know, three? Five? Ten factors? Where does it end?

An interesting article just out on TechCrunch, titled “A leaky database of SMS text messages exposed password resets and two-factor codes”, shows yet one more weakness of one of the most traditional forms of two-factor authentication: a verification code sent via text message (SMS).

Just months after Kevin Mitnick showed how to bypass one of the most used two-factor authentication schemes, the world is once again wearing the surprised-emoji face because yet another way to break whatever-factor authentication has been found.

Seems like there’s a pattern here: AES-128 is not enough anymore, let’s double the bits and make AES-256… similarly, a single authentication factor is not enough anymore, let’s double that and make two-factor authentication. The difference is that when it comes to encryption the price is paid by the computer’s CPU, but when it comes to authentication the price is paid by the user whose log-in experience becomes longer and more cumbersome, oftentimes without an actual improvement in terms of security.

Here at Xiid we don’t take the easy way out; we don’t just double the factors whenever the current number is no longer enough. We study, we brainstorm, and we design new authentication methods that are conceptually different from the status quo, respectful of the user experience, yet impervious to all typical (and well-known) attacks like the ones described above.

Xiid OTID, for example, our most recent patent application, can be used as the sole authentication scheme or as one of the factors in any multi-factor authentication, but it has the advantage of delivering a seamless and amazingly simple user experience together with some truly unique security features, like:

  • concealing of the claimed identity (no derivable username)
  • single one-time identification+authorization code
  • offline code generation (no need for any network connection to generate an Xiid OTID one-time code)

Welcome to the future of Identity Management. Welcome to Xiid.


CTO of Xiid Corporation, ethical hacker, hardcore software designer and developer, serial entrepreneur.