OneID compared to Authentify, PhoneFactor, and other second factor add-ons

OneID and 2-factor authentication

OneID is inherently two-factor on the user's primary device. This matters because financial services get in-band MFA security (equivalent to an RSA SecurID token or a PhoneFactor SMS code) without any change in user behavior. The user logs in by clicking the OneID login button and typing their OneID password into OneID. There is no second device and no transcription of code numbers. This is a huge consumer benefit: consumers hate having to use a second device (adoption of MFA at Google is less than 1%). With OneID you get 100% MFA compliance on login, and when you really need to raise the level of assurance (LoA), e.g., for a large wire to a new recipient, you (or the user) can require a spectrum of higher LoAs: out-of-band (OOB) confirmation, OOB with a PIN, and OOB with a PIN timeout, where the RP sets the timeout (short for a high-value transaction, longer for a low-value one). That timeout is measured from when the user last presented a PIN code, regardless of which RP asked for it, and it cannot be changed by malware on the mobile device.
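The LoA policy just described, written out as an added example (this is not OneID's own code): the RP and the user each set a floor, the effective level is the greater of the two, and the PIN freshness check uses a last-PIN timestamp that, by assumption, the OneID service records across all RPs rather than anything the phone reports. The level ordering and the risk thresholds in `rp_policy` are hypothetical.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional


class LoA(IntEnum):
    """Assurance levels named in the text, lowest to highest (ordering assumed)."""
    PASSWORD = 1         # in-band two-factor: device signature + OneID password
    OOB_CONFIRM = 2      # plus a confirmation on the out-of-band device
    OOB_PIN_TIMEOUT = 3  # plus a PIN, unless one was presented within the timeout
    OOB_PIN = 4          # plus a PIN on every request


@dataclass(frozen=True)
class Policy:
    loa: LoA
    pin_timeout_s: int = 0  # only meaningful for OOB_PIN_TIMEOUT


def rp_policy(amount: float, new_recipient: bool) -> Policy:
    """Hypothetical RP rules: riskier transactions get a higher LoA / shorter timeout."""
    if new_recipient:
        return Policy(LoA.OOB_PIN)
    if amount >= 10_000:
        return Policy(LoA.OOB_PIN_TIMEOUT, pin_timeout_s=60)
    if amount >= 1_000:
        return Policy(LoA.OOB_PIN_TIMEOUT, pin_timeout_s=600)
    return Policy(LoA.PASSWORD)


def effective_policy(rp: Policy, user: Policy) -> Policy:
    """The greater of the RP's and the user's floor wins; if both set a PIN timeout, the shorter wins."""
    loa = max(rp.loa, user.loa)
    timeouts = [p.pin_timeout_s for p in (rp, user) if p.loa == LoA.OOB_PIN_TIMEOUT]
    return Policy(loa, min(timeouts) if loa == LoA.OOB_PIN_TIMEOUT else 0)


def required_steps(policy: Policy, last_pin_at: Optional[int], now: int) -> List[str]:
    """Steps the user must complete. last_pin_at is the service-side record (assumed) of the
    user's most recent PIN entry at any RP, so a compromised phone cannot claim freshness."""
    steps = ["password"]  # always present: device signature + password
    if policy.loa >= LoA.OOB_CONFIRM:
        steps.append("oob_confirm")
    if policy.loa == LoA.OOB_PIN:
        steps.append("oob_pin")
    elif policy.loa == LoA.OOB_PIN_TIMEOUT:
        # a timestamp in the future is treated as stale, not fresh
        fresh = last_pin_at is not None and 0 <= now - last_pin_at <= policy.pin_timeout_s
        if not fresh:
            steps.append("oob_pin")
    return steps
```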

Benefits:

  1. Login is easier for the user because he just uses his OneID password

  2. Login is much more secure because it is two-factor

  3. The login is now painless and easy for the customer. Only when the customer does a risky transaction, such as a wire to a new recipient, does the FI ask for a higher level of assurance commensurate with the risk of the transaction.

  4. It is all self managed. The customer can set even higher LoA standards

  5. If your IdP is hacked, it's not a problem

None of the two-factor add-on systems can do this, because they are secondary factors: they do NOT address the primary login.

OneID is two-factor security without the pain.

When an out-of-band second factor is required (such as a large wire transfer or a transfer to a new recipient), then the user is prompted on his phone to confirm the transaction (without using SMS).

Therefore, the user is protected with two-factor on his primary login without being inconvenienced, and is only prompted for higher assurance (use of a second device) when needed.

If a user's device is lost or stolen, it will self-disable for use anywhere on the Internet after 5 failed password attempts. Or, if the user discovers his device is missing, he can disable it himself. Two-factor add-on solutions don't provide this level of convenience, control, and security.

OneID is immune to attacks such as number porting, app spoofing, and Eurograbber without the need for a second device or token.

OneID is scalable so the relying party can demand the LoA it needs.

Usability is improved because there is only one password the user has to know for all sites, he can pick the password he wants, and he can easily see the hint (but only on his devices). He might not be prompted for a password at all (e.g., the bank might decide not to prompt him again if he authenticated with a password in the last 5 minutes). Or a user can choose to do an out-of-band confirm or an out-of-band PIN code. There are lots of choices to fit each person's preferences.

Customers hate two-factor solutions in general. OneID's two-factor appears to the user as if it were a single factor, the user's password. This creates much greater user satisfaction than any two-factor "add-on" solution (such as Authentify, PhoneFactor, Google Authenticator, etc.). Not only that, but OneID on a single device is immune to Eurograbber, whereas two-factor add-on solutions requiring a second device and SMS are not.

Bottom line: OneID is both much easier to use and more secure, without requiring SMS or a second device. And when you do use a second device, it cannot be compromised by any of these attacks.

Description of 2-factor add-on attacks

Porting: The attacker learns your phone number from your contacts, by asking you, or by watching you. He then calls the phone carrier and says the device was stolen and is now in the hands of thieves. The attacker now receives your SMS messages for all your services on his own device. He uses malware to generate a transaction and approves it on his phone. This loophole cannot be closed because phone companies aren't in the security business; they are in the customer service business. See "Indian two-factor authentication fraudsters busted by Delhi cops" for an example.

App spoofing: The attacker sends the user an SMS about a security update for the mobile app and tells him to download a new app. Because the fake app completely duplicates the legitimate app in all external communications, neither the user nor the app vendor can distinguish between the legitimate app and the fake one. The user is tricked into re-initializing it.

Eurograbber: Malware on the PC asks the user for his cell phone number. The malware then sends the phone a link to a "security fix". This "security fix" can read SMS messages. The rogue app forwards the codes to the attacker so the attacker can approve his own transactions. Therefore, any system that uses SMS codes for security is vulnerable to this attack.

Man In The Middle (MITM): This is a malware attack where malware controls some area between the user and the relying party. This allows the malware to change the transaction before the relying party gets it.

Man In The Browser (MITB): This refers to a MITM attack where the malware is in the browser.

Five ways to attack two-factor systems

1. Number porting

2. App spoofing

3. Eurograbber

4. MITM

5. MITB

How OneID is immune to each attack

1. We don't use SMS

2. The app has to be initialized from the old app by scanning a QR code. Since a phone cannot scan itself, even if the user is completely fooled, he simply cannot execute the instructions to get the secrets from the existing OneID app.

3. We never use SMS for authorization or authentication

4. We support both single-device two-factor (without a token) as well as out-of-band two-factor

5. Same as 4

Why OneID

1. Not just a second factor; replaces the username and password too

2. Immune to all 5 attacks

3. Convenient for the user (easy to create, authenticates all factors, no extra device, already knows how to use it, no username/password, simple setup, already has it)

4. User managed (if lost, the user doesn't have to notify the bank)

5. End-to-end security for both authentication factors

6. No shared secrets to provision

Vulnerability of OneID vs. hardware or soft tokens

RSA SecurID tokens and soft tokens are all vulnerable to MITM and MITB attacks because they are always used in-band (typed in by the user on the same device used to initiate the transaction) and because they do not digitally sign the transaction.

Vulnerability of OneID vs. Authentify, PhoneFactor

When SMS is used to send a code that is entered into the application, these products are all vulnerable to attacks 1, 3, 4, and 5 above.

If an app is used, it is vulnerable to attack #2. OneID avoids this because the spoofed app cannot get the secrets from the real app (it is physically impossible for a phone to scan itself).

OneID vs. YubiKey

YubiKey is simply a more highly automated RSA SecurID. It uses a shared secret, doesn't sign the transaction, is "in band", and is susceptible to MITM and MITB attacks.

OneID:

  • is more secure (digitally signs the request, the signature is OOB so no MITM or MITB)
  • is free
  • is easier to use (no second device is required to get 2FA in-band security that is comparable to YubiKey)
  • uses devices you already have (nothing extra to carry or buy)
  • does a lot more than just “a second factor”
  • gives you a lot more security options

OneID advantages over 2-factor add ons such as Authentify, PhoneFactor

  1. OneID is a full identity system including user attributes, claims, authentication, authorization, form fill, secure checkout, etc. So we make authentication more convenient and more secure. We eliminate username and password. We are not just "yet another add on" to an existing username/password.
  2. OneID is immune to all five known 2-factor in-band and out-of-band compromise techniques: phone number porting (which can defeat both voice and SMS authentication techniques), SMS intercept (such as Eurograbber), MITM/MITB, and app spoofing/cloning of the security app itself.
  3. OneID is easy to provision and is provisioned by the user. The user logs into your website the normal way, clicks "Link", and it's done: once and permanently, never needing to be re-done. The PhoneFactor and Authentify apps require a shared-secret setup from the financial institution.
  4. OneID provides end-to-end secure transactions that are digitally signed. In OneID, the transaction is shown to the user on each end-user signing device, and its hash is verified. All digital signatures are verified by the RP.
  5. OneID has 5 different LoA that can be set by user or the RP. It respects the greater of the two.
  6. OneID is much more than an authentication second factor. It is authorization, information sharing, secure information repository, proving digital claims.
  7. Device-centric so it is inherently two-factor within a single device (device signature + password), but user or RP can choose to elevate to out-of-band two-factor with or without a PIN (and set whatever PIN timeout). The fundamental OneID basic authentication includes password, so if the RP requires a password, OneID is already two factor since digital signatures associated with the password and the device are needed to login. A second device can be required for suspect transactions, e.g., new recipient or large transaction.
  8. OneID is very easy to use
  9. User already knows how to use and manage OneID from the other sites. Nothing new to learn, download, provision, setup, or ask questions about.
  10. With add-ons, the burden is on each RP to maintain user and phone number lists. OneID lets the user both provision and manage his devices.
  11. There is no re-configuration at an RP if a user changes his devices. The user manages his own devices.
  12. OneID is an app; it has no SMS or phone number dependencies. OneID doesn't use SMS (which is insecure due to number porting attacks).
  13. User will (soon) already have and know how to use a OneID and will want to use it everywhere
  14. Easy and short integration time (20 lines of code)
  15. Secure and simple account recovery immune to call center gaming
  16. The OneID architecture is very flexible. Additional factors can be added without changing any code at the RP. For example, the user can instruct his OneID repo not to sign a transaction over $500 unless he taps an NFC smart card to his mobile phone.
  17. OneID provides two factor authentication but does not require a download or mobile phone and works on all modern browsers
  18. OneID is bring your own device (BYOD) as well as bring your own identity (BYOI)
  19. OneID is the future of identity; two-factor add-ons are security band-aids on legacy approaches to identity
  20. Phone calls used by PhoneFactor are disruptive and annoying.
  21. Phone calls and SMS are not end-to-end secure
  22. PhoneFactor requires username and password authentication and won't work without it. OneID gets rid of both.
  23. OneID allows the user to control how often PIN entry is required (on out-of-band authentication requests).
  24. OneID uses secrets found only on the user's devices to validate the request. The PIN is never known by OneID. PhoneFactor knows your PIN.
  25. The OneID app doesn't need to be provisioned for each RP. Once a user has linked his OneID to his legacy username/password, the mobile phone works instantly for all mobile devices the user has.
  26. If user is accessing your site from a mobile phone exclusively, we can provide a truly independent second factor through an inexpensive NFC sticker, PIV card, etc. The user can change these at any time without having to re-register at any relying party.
  27. OneID uses a QR code pairing process to transfer secrets between mobile apps so even if a user is fooled, they cannot authorize the spoofed app!
  28. OneID doesn't use any shared secrets.
  29. OneID is self managed. If I lose my phone, I can set up a new phone myself and it instantly works with all the RPs. I do NOT need to go to any RP to notify them. None of the public keys stored in any financial institution need to change. This is a major benefit because there is no good way to ensure that it is the legitimate customer requesting the change, and changing certificates is a manual operation as well as a security risk (it is equivalent to a password reset). OneID avoids this. The keys never need to be reset.
  30. We do not use X.509 certificates. Those are not end-to-end secure.
  31. Fewer vendors for the bank to manage since OneID does both

Here is an email I sent to an SSO provider who uses the standard two-factor authentication:

1) the current MFA XXX offers is in-band. That means single point of compromise (MITB, for example). And the compliance on soft tokens is under 1% (unless users are forced to do it).

OneID can give you 100% compliance for in-band 2FA so you get the two-factor security of a token, but WITHOUT any of the pain. That's a NICE selling point to an enterprise customer vs. your competition. No more phishing or keylogging attacks. Those are gone. And there is no XXX specific password to remember either which is a major plus. The user just uses his OneID password that he already knows.

2) OneID OOB and OOB/PIN are 2FA, but out-of-band, so these LoAs protect against a single factor compromise.

So, right now, an attacker could compromise a single computer in your company with malware that will wreak havoc internally.

Similarly, a single MITB attack on one of your customers would yield similar results. That's a much bigger problem. You aren't offering your customers protection from a single point of compromise.

OneID is immune to all the known modern day threats while:

  • improving the user experience (much easier login than username and password, even though it is 2FA)

  • giving you 2FA for all logins by default (looks to the user like a single-factor login)

  • providing increased security in the places (and at the times) that it is warranted (and our OOB 2FA is still much easier to use than your current in-band 2FA offerings!)


For more information see:
OneID documentation guide