Show HN: The easiest 2-factor auth
developer.mepin.comHow is it easier than TOTP, which is an IETF standard, and implemented by Google Authenticator (amongst others)?
It's easier because you only need to tap the app to verify. No need for OTP codes, though OTP is a fallback if your device is offline.
So, users are locked into MePIN's proprietary app and depend on MePIN's website to log in, rather than using a open standard that can run offline. If you use HOTP/TOTP, you can use open source Google Authenticator, DuoSecurity, libpam, or any number of clients.
It's pretty easy to implement your own TOTP client if you don't like any of those. Here's a JS reference in 250 lines of code and HTML: https://code.google.com/p/google-authenticator/source/browse...
In MePIN's defense, DuoSecurity also has their own push notification for a single-tap login, so users are willing to trade interoperability for convenience.
Are you concerned that it is a lot easier to trick users into clicking a button to authorize the login?
Of course user behavior has to be considered. The MePIN app does allow the user to set up a personal PIN code, so an authorization would then require the PIN code and a tap.
A PIN would do nothing to keep a user from being tricked into authorizing an attacker's login.
Don't want to argue, but yes it would. It would stop the user for a second, giving time to the brain to process for a while what's going on.
If a user is willing to press the button, a PIN isn't going to stop them. Your app is decreasing security in favor of usability, which is not something look for when they are looking to implement two factor auth.
I think anyone who would blindly use your proprietary two factor solution that makes it easier for end users to authorize other people to log in would be silly.
I can use similar arguments; a user can be tricked to enter an OTP to a phishing site. For that the hacker does not need to time the attack to the same second, so it's much much easier attack for the hacker.
'No 2FA' is the real silly one here. Any 2FA is so much better than no 2FA, and usability has been a big issue so far in 2FA adoption.
Hate to be one of these guys, but the site is totally unreadable on Android Chrome. The left bar covers everything and won't move. Maybe offer a close or collapse button for it?
This is now fixed. Thanks for the kick.
Working on it.
We use MePIN in our service and I have to say that it's working really great. Easier for the user and also more secure than Google Authenticator (for which secret key can be stolen more easily).
So what happens to my users if your service ever goes down or disappears?
Apparently they offer an in-house solution.
> MePIN comes as a distributed hosted service containing simple-to-use REST API and handy client side scripts. Hosted or in-house white label solution is also possible, contact sales@meontrust.com.
Cool! I wondered the same question you are responding to after getting a 2-factor mobile app for an online service I use.
"What happens if/when these fellas implode?"
The answer in the site's case would be to fall back to SMS. Something like this that could be integrated into the site itself would be better, working in tandem with a more typical fall-back of course.
The service is distributed and hosted at 3 continents with 3 different hosting providers, so we take this seriously.
Other than that; You own your users and user database. No user data is stored at MePIN servers.
From your home website, it looks like you are relying on users deciding if they should authorize a request based on OS, web browser, ip address, and location.
Users are going to essentially ignore ip address. OS, web browser, and location are easy to spoof. If a half competent attacker makes a request, how is the user to know if they should authorize a request.
I understand that using OTP codes can be annoying to some users, but it is MUCH harder for a user to hand that code over to someone in order to login.
First; the user does not have to care about OS, browser, ip address or location. Though those can be shown to a user if the service provider wants.
Authorization requests can only be initiated at the back-end by authorized service providers and only for users who have linked their MePIN app with that specific provider. Though of course login verification could be initiated with stolen username/password, which would then alert the user for verification.
Now the added benefit here is that with MePIN the user would immediately know that her username and password is at wrong hands if she receives a login verification request while not actually performing a login.
So obviously the user should not authorize unexpected requests. You would not authorize a login if you are not actually performing a login, etc. Concerned users can additionally set up a personal PIN code in the app.
Lack of good usability is currently hampering 2FA adoption, we are working hard to fix that.
In this model, all you have to do is time the authorization request appropriately. If an attacker can time their authorization at the same time that the user is logging in, a large number of users are simply going to authorize both requests thinking that it is some sort of glitch.
With the standard OTP model, a user physically can not enter their code for another user.
Unfortunately there are several cases where users have entered an OTP code for another user. The recent high profile case was with World of Warcraft's OTP.
While two-factor authentication is a good thing from a security standpoint from service providers, I can't help but worry that it's a worry from an individual's standpoint: It's nothing but serving an IP address+account <-> mobile phone number relationship on a silver tablet. Do we really want that?
Note that MePIN does not collect or need user's phone number, e-mail address or any other user information. You can use MePIN fully anonymously.
What's with those url changes? After a while about a dozen url anchors is cycled through which effectively kills the "back" functionality. If you go past them, you can't stay on the "main" page because another ones are added.
Am I correct to assume that you have logged in? An automated setup creates the user account and other objects you need to get started. I admit that actually posting the forms is not the most elegant solution, but a hack. We did it to let you read the full contents of the MePIN Dev Portal without having to fill in any personal information.
I just clicked on the link posted here, that is https://developer.mepin.com/.
In that case I have no idea what has happened. The only automatic redirects are related to the first time login. There are just few steps, and back button should work nicely in that flow.
I am not able to reproduce that behavior on any device or browser I have at hand. If you experience that again, Please give information about the OS, Web Browser, and the URL you end to, and we'll have a look into the issue.
What methods are you using to make sure that an authorization comes from an authorized phone?
The solution is based on Public Key Infrastructure (PKI). Each authorization must be signed with the user's private key. The app is managing and protecting the keys and certificates, so user does not have to figure out key/cert management. Some info here; https://www.mepin.com/technical-overview/