AirSecure — Own Your One-Time Passwords
Today we are sharing a guest post authored by Cody Hatfield. Cody brought the idea of AirSecure to EthDenver, where he helped build it over a day with some of the Textile Team. Cody is passionate about decentralization and peer-to-peer networks and hopes to help make the web and internet better for everyone.
What is two-factor authentication?
Anyone who has used the Web knows how to use passwords. You visit a website that asks you to enter a username and password combination. If you enter the correct password, you successfully login and can now access the account. Pretty straightforward.
The issue with this system is that anyone else trying to access your account only needs one thing: your password. The strength of protection on your account depends entirely on the strength of your password. There is only one factor needed to access your account.
Two-factor authentication (2FA) uses another factor alongside your password to grant access to your account. These “factors” fall into three different categories:
- Something you know
- Something you have
- Something you are
Since there are now two factors needed to access your account, you have now made it more difficult for someone to have unauthorized access to your account. Even if they know your password, they must have another piece of information along with it.
Today, this second piece of information is most likely your phone or other mobile device. A common way of determining if someone has possession of a particular phone is to send an SMS to the phone number with a code and ask for the person to send the code back through another channel (like a web form).
Most people have probably come across this at some point. SMS, however, has been known to have security issues and is not the recommended method for using two-factor authentication.
Another common way to determine if someone has possession of a particular phone is through one-time passwords.
Why use one-time passwords?
One-time passwords are also temporary codes that are inputed alongside passwords in a web form. But unlike SMS, these codes are generated by the device instead of being sent to the device.
This is much more secure than SMS codes. Since the codes are not being sent to the device, they cannot be sniffed, copied, or changed along the way. An attacker must have access to the device in order to see these codes or generate them on their own.
Authenticator apps
Managing these one-time passwords (OTP) can be difficult for users. They cannot be memorized, since they change every 30 or 60 seconds, nor can they be calculated easily by humans. This is why we have apps do it for us! This category apps is classified as authenticator apps.
One of the most popular and basic authenticator apps is Google Authenticator. It is simple, secure, free, easy to use, and works with pretty much every 2FA account out there.
There is, of course, a downside to these simple authenticator apps. These one-time passwords can only be generated by keys living on your device. That is what makes them secure. But what happens if you lose your device? Or delete the authenticator app? Your OTP keys are gone forever. This may result in you being locked out of all your accounts or going through painful recovery steps to get them back. Not a great user experience. Even if this is rare, it is a barrier for the average user to adopt it.
Having more secure systems is great. But if nobody adopts them because they are harder to use, what is the point?
How can people prevent losing their OTP keys? Just like preventing the loss of any data, they can be backed up! And that is exactly what some other authenticator apps are helping people do.
Authy and Duo are both authenticator apps that help users backup their OTP keys. I use Authy personally, and usually recommend it to people to use as their main OTP app. Your keys are encrypted on your device before being backed up to their servers. They can never be read by Authy and can only be recovered by using a master password that (hopefully) only you know.
I have never had to recover my keys from Authy (and hopefully never will) but overall it is a great solution. It is just as easy to use and secure as Google Authenticator and everyone can have the peace of mind of backing up their OTP keys. So…what is the problem?
Why AirSecure matters
Relying on a single app to manage your OTP keys does not come without risks. Authy explains their methodology and encryption techniques on their website, but how do we know that is all true? Even if it is true, what happens if they go out of business? What if they accidentally delete everyone’s backups? What if they get hacked? An attacker may not be able to read the backups, but they could delete them or render them useless without you knowing.
These scenarios may all sound like paranoia, but they are all possible and some have even happened before. Even if you trust these apps to always do the right thing, everyone makes mistakes. Relying on a single entity to always do the right thing and never make mistakes just is not realistic.
These risks are unnecessary. There is no technical reason why you need to rely on a single app or company in order to use the best security standards. You should never have to sacrifice privacy or introduce risk in order to improve security. Everyone has the right to use the best security possible.
These OTP keys are some of the most sensitive digital information about you that exists. They control access to your social media, email, banking, investment, and messaging accounts. They control access to your digital life. You should be the sole owner of that control.
AirSecure was built by two members of the Textile team, Carson and Andrew, and myself during ETHDenver 2019. It is an authenticator app that allows you to backup your OTP keys without ever needing to trust or rely on a single entity. It is built on top of Textile and IPFS.
AirSecure is still in beta and is not too different today from Authy and other backup-enabled OTP apps. But the gap between AirSecure and other centralized solutions will only increase as more features of Textile are built out. Users will soon be able to sync and recover keys across multiple devices and even choose or manage the servers that are backing up their keys. This is all possible through Textile Threads, end-to-end encrypted append-only logs built on top of IPFS.
This lays the foundation for anyone to use one-time passwords without sacrificing usability or privacy. No need to rely on a single entity, any of the developers, Textile, or even IPFS. No need to be locked-in to using AirSecure as the only UI. Other developers will be able to build their own OTP apps on top of the same platform and let users transfer their OTP keys freely. Want to backup your keys on your own servers and nowhere else? No problem. Want to increase the redundancy of backups without building your own OTP app? No problem. Want to leave all the technical stuff for someone else to figure out? No problem.
We all have the right to take control of our one-time passwords.
What’s next for AirSecure?
We can build a better app (than Google!) together… AirSecure is open source, so if you want to get involved we’d love your help! We’ve got big plans, including multi-device sync and backup, which are already in the works. Check out the mini-roadmap on the project README for additional details.
The source code for AirSecure can be found on GitHub, so feel free to take a look around and report any issues or feedback you may have. The Android version of AirSecure can be downloaded from the Google Play Store, and the iOS beta can be downloaded from TestFlight.
Lastly, be sure to also check out Textile and IPFS, the amazing technologies that make these types of projects possible. While you’re at it, feel free to reach out to the creators (@carsonfarmer, @andrewxhill, @codynhat) for any technical questions or comments you may have.
