Two-factor authentication for all

02-08-2012

By Rob Stevenson

We've recently seen many headlines calling out big companies who should know better for the way they secure our passwords. Authy have just taken away one more excuse for us and made it stupidly easy to implement two-factor security into our own apps.

The idea is great and I hope it encourages better security across the Internet and, more importantly, draws attention to the importance of security. I would love to see a lot of technical details on how this works safely and perhaps an independent security audit.

I have one query though. I'm sure it's either me missing something, a limitation of the demo, or something that will be quickly resolved. During testing I received an SMS:

Registration complete. Your Authy reset PIN is: [xxxxxxx]. Write it down NOW! and store it in a safe place.

I used this to reset my demo account. All I needed to do was go to a URL (which contained a 4-digit user id), provide a new phone number and input this 7-digit code. Granted, I did get confirmations to my old phone and email address that this had happened, but this can be dealt with given a little knowledge about the victim.

All I had to do to bypass a two-factor authentication system was to provide a numerical user id and a 7-digit code that doesn't expire... Isn't that just one-factor security?
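The reset flow described above, as an added example that is not part of the original post and not Authy's code: a toy model contrasting the design the post describes (a static 7-digit PIN, keyed by a short numeric user id, that never expires and is never invalidated) with a recovery token that has the properties needed if it is to stand in for a second factor: high entropy, a short lifetime, single use and an attempt limit. The class and function names, the 15-minute TTL, the five-attempt limit and the 100-guesses-per-second rate are illustrative assumptions.

```python
"""
Added example (not from the original post and not Authy's code): a toy model of
an account-recovery flow.  WeakResetStore mirrors the behaviour described in the
post (a 7-digit PIN, keyed by a small numeric user id, that never expires and is
never invalidated); HardenedResetStore shows the properties a recovery secret
needs if it is to stand in for a second factor.  Names, the TTL, the attempt
limit and the guess rate are illustrative assumptions.
"""
import hashlib
import hmac
import secrets
import time


def pin_search_space(digits: int = 7) -> int:
    """Candidates an attacker must cover to exhaust a numeric PIN of this length."""
    return 10 ** digits


def pin_exhaust_hours(digits: int = 7, guesses_per_second: float = 100.0) -> float:
    """Worst-case hours to try every PIN when nothing throttles or expires it."""
    return pin_search_space(digits) / guesses_per_second / 3600.0


class WeakResetStore:
    """One static PIN per user id.  Anyone holding (id, pin) can rebind the phone, forever."""

    def __init__(self) -> None:
        self._pins = {}  # user_id -> PIN string

    def register(self, user_id: int) -> str:
        pin = f"{secrets.randbelow(10 ** 7):07d}"
        self._pins[user_id] = pin
        return pin

    def reset(self, user_id: int, pin: str, new_phone: str) -> bool:
        # The user id is a short sequential number, so it is not a secret; the
        # PIN is the only thing checked, and it has no expiry, no attempt
        # counter and survives a successful use.
        return self._pins.get(user_id) == pin


class HardenedResetStore:
    """Recovery token that is high-entropy, short-lived, single-use and attempt-limited."""

    TTL_SECONDS = 15 * 60   # assumption: a recovery token is good for 15 minutes
    MAX_ATTEMPTS = 5        # assumption: more than five guesses burn the token

    def __init__(self, clock=time.time) -> None:
        self._clock = clock
        self._tokens = {}  # user_id -> record; only a hash of the token is kept

    def issue(self, user_id: int) -> str:
        token = secrets.token_urlsafe(32)  # ~256 bits, versus ~23 bits for a 7-digit PIN
        self._tokens[user_id] = {
            "digest": hashlib.sha256(token.encode()).digest(),
            "expires": self._clock() + self.TTL_SECONDS,
            "attempts": 0,
        }
        return token

    def reset(self, user_id: int, token: str, new_phone: str) -> bool:
        rec = self._tokens.get(user_id)
        if rec is None:
            return False                      # never issued, already used, or burnt
        if self._clock() > rec["expires"]:
            del self._tokens[user_id]          # expired: the user must request a new one
            return False
        rec["attempts"] += 1
        if rec["attempts"] > self.MAX_ATTEMPTS:
            del self._tokens[user_id]          # too many guesses: burn the token
            return False
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(presented, rec["digest"]):
            return False
        del self._tokens[user_id]              # single use: a replay is rejected
        # A real system would rebind new_phone here, notify the old phone and
        # e-mail address, and log the event for review.
        return True


if __name__ == "__main__":
    print(f"7-digit PIN space: {pin_search_space():,} candidates")
    print(f"exhausted in about {pin_exhaust_hours():.1f} hours at 100 guesses/s")
    store = HardenedResetStore()
    tok = store.issue(1234)
    print("first use:", store.reset(1234, tok, "+15550100"))
    print("replay:   ", store.reset(1234, tok, "+15550100"))
```

The numbers make the post's point concrete: ten million candidates with no expiry and no lockout is a few days of unthrottled guessing against a known user id, and the id itself is enumerable rather than secret. The hardened store removes each of those properties in turn, and the confirmation messages the post mentions become a detective control on top of that rather than the only thing standing in the way.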
