Emoji based authentication for mobile (opens in new tab)

(medium.com)

12 pointsshifte10y ago7 comments

7 comments

7 comments · 5 top-level

alexbock10y ago· 1 in thread

While the article admits that this isn't very secure, I think giving any visitor a one in three chance to "authenticate" with any given mobile number is well beyond "not very secure" and into "false sense of security/no security at all" territory.

The introduction indicates that this is intended to be on par with confirmation emails or six digit SMS pins, but both of those actually prove that you own the indicated resource; asking someone which of three emojis they received does not.

theoh10y ago

I'm not up to date on terminology to do with two-factor authentication, but shouldn't it be "currently possess" rather than "own" the resource or device in question? It is important to remember what can go wrong and invalidate the assumptions of the protocol, e.g. theft or duress.

volaski10y ago· 1 in thread

Even before getting to security issues, why would anyone prefer typing in emoji instead of numbers? I can imagine people struggling to find some random emoji from the keyboard before the notification banner disappears. (Normally I don't switch back to the message ui but try my best to finish typing in the auth codes before the notification banner disappears, and even 6 digit codes are annoying because sometimes it disappears before I type them in. Most people will have probably only typed in one emoji before the notification banner goes away). This guy should build it himself and realize how out of touch this solution of his was instead of telling the users to build it and let him know. Personally if I ever came across any app that implemented this scheme, I would feel offended because it feels like the developer is trolling me.

todd383410y ago

His UI shows an interface where you can select from 3 emoji, so you don't have to use the emoji keyboard. Although insecure, I'm not sure it is user un-friendly

Deregibus10y ago

Even assuming the insecure "choose 1 of 3" was for example, I don't really understand how this is better than e.g. a 4-digit numeric code?

It seems like this kind of authentication could be provided by the OS. I'm pretty sure I've used apps that sent a code via SMS to verify identity that detected when the SMS arrived and performed the authentication automatically. Given that you don't want to give every app unnecessary access to your text messages/email/whatever, I would think you could have a fairly secure process like:

1. App requests a unique session code from the OS and registers a callback. 2. App sends the session code to the server. 3. Server sends SMS to the phone # containing the app auth code + session code in a standard format. 4. OS detects that SMS is an auth message, matches the session code with the callback, and sends the auth code to the app. 5. App sends the auth code to the server for verification.

I haven't done any mobile dev so for all I know something like this already exists.

tedmiston10y ago

Neat idea, but way too insecure for real life.

Slack's Magic Links are a very user friendly and much more secure approach to a similar problem.

http://louiiisechg.tumblr.com/post/130650909766/slack-magic-...

brudgers10y ago

Related use as banking PIN's: http://www.wired.com/2015/06/maybe-emoji-passcodes-arent-goo...

j / k navigate · click thread line to collapse