

Show HN: The easiest 2-factor auth - markkum
https://developer.mepin.com/

======
AndrewDucker
How is it easier than TOTP, which is an IETF standard, and implemented by
Google Authenticator (amongst others)?

~~~
markkum
It's easier because you only need to tap the app to verify. No need for OTP
codes, though OTP is a fallback if your device is offline.

~~~
davis_m
Are you concerned that it is a lot easier to trick users into clicking a
button to authorize the login?

~~~
markkum
Of course user behavior has to be considered. The MePIN app does allow the
user to set up a personal PIN code, so an authorization would then require the
PIN code and a tap.

~~~
davis_m
A PIN would do nothing to keep a user from being tricked into authorizing an
attacker's login.

~~~
markkum
Don't want to argue, but yes it would. It would stop the user for a second,
giving time to the brain to process for a while what's going on.

~~~
davis_m
If a user is willing to press the button, a PIN isn't going to stop them. Your
app is decreasing security in favor of usability, which is not something look
for when they are looking to implement two factor auth.

I think anyone who would blindly use your proprietary two factor solution that
makes it easier for end users to authorize other people to log in would be
silly.

~~~
markkum
I can use similar arguments; a user can be tricked to enter an OTP to a
phishing site. For that the hacker does not need to time the attack to the
same second, so it's much much easier attack for the hacker.

'No 2FA' is the real silly one here. Any 2FA is so much better than no 2FA,
and usability has been a big issue so far in 2FA adoption.

------
mmastrac
Hate to be one of these guys, but the site is totally unreadable on Android
Chrome. The left bar covers everything and won't move. Maybe offer a close or
collapse button for it?

~~~
markkum
This is now fixed. Thanks for the kick.

------
M4v3R
We use MePIN in our service and I have to say that it's working really great.
Easier for the user and also more secure than Google Authenticator (for which
secret key can be stolen more easily).

------
huhtenberg
So what happens to my users if your service ever goes down or disappears?

~~~
tokenizerrr
Apparently they offer an in-house solution.

> MePIN comes as a distributed hosted service containing simple-to-use REST
> API and handy client side scripts. Hosted or in-house white label solution
> is also possible, contact sales@meontrust.com.

~~~
streetnigga
Cool! I wondered the same question you are responding to after getting a
2-factor mobile app for an online service I use.

"What happens if/when these fellas implode?"

The answer in the site's case would be to fall back to SMS. Something like
this that could be integrated into the site itself would be better, working in
tandem with a more typical fall-back of course.

------
davis_m
From your home website, it looks like you are relying on users deciding if
they should authorize a request based on OS, web browser, ip address, and
location.

Users are going to essentially ignore ip address. OS, web browser, and
location are easy to spoof. If a half competent attacker makes a request, how
is the user to know if they should authorize a request.

I understand that using OTP codes can be annoying to some users, but it is
MUCH harder for a user to hand that code over to someone in order to login.

~~~
markkum
First; the user does not have to care about OS, browser, ip address or
location. Though those can be shown to a user if the service provider wants.

Authorization requests can only be initiated at the back-end by authorized
service providers and only for users who have linked their MePIN app with that
specific provider. Though of course login verification could be initiated with
stolen username/password, which would then alert the user for verification.

Now the added benefit here is that with MePIN the user would immediately know
that her username and password is at wrong hands if she receives a login
verification request while not actually performing a login.

So obviously the user should not authorize unexpected requests. You would not
authorize a login if you are not actually performing a login, etc. Concerned
users can additionally set up a personal PIN code in the app.

Lack of good usability is currently hampering 2FA adoption, we are working
hard to fix that.

~~~
davis_m
In this model, all you have to do is time the authorization request
appropriately. If an attacker can time their authorization at the same time
that the user is logging in, a large number of users are simply going to
authorize both requests thinking that it is some sort of glitch.

With the standard OTP model, a user physically can not enter their code for
another user.

~~~
markkum
Unfortunately there are several cases where users have entered an OTP code for
another user. The recent high profile case was with World of Warcraft's OTP.

------
beefhash
While two-factor authentication is a good thing from a security standpoint
from service providers, I can't help but worry that it's a worry from an
individual's standpoint: It's nothing but serving an IP address+account <->
mobile phone number relationship on a silver tablet. Do we really want that?

~~~
markkum
Note that MePIN does not collect or need user's phone number, e-mail address
or any other user information. You can use MePIN fully anonymously.

------
rplnt
What's with those url changes? After a while about a dozen url anchors is
cycled through which effectively kills the "back" functionality. If you go
past them, you can't stay on the "main" page because another ones are added.

~~~
teemi
Am I correct to assume that you have logged in? An automated setup creates the
user account and other objects you need to get started. I admit that actually
posting the forms is not the most elegant solution, but a hack. We did it to
let you read the full contents of the MePIN Dev Portal without having to fill
in any personal information.

~~~
rplnt
I just clicked on the link posted here, that is
[https://developer.mepin.com/](https://developer.mepin.com/).

~~~
teemi
In that case I have no idea what has happened. The only automatic redirects
are related to the first time login. There are just few steps, and back button
should work nicely in that flow.

I am not able to reproduce that behavior on any device or browser I have at
hand. If you experience that again, Please give information about the OS, Web
Browser, and the URL you end to, and we'll have a look into the issue.

------
davis_m
What methods are you using to make sure that an authorization comes from an
authorized phone?

~~~
markkum
The solution is based on Public Key Infrastructure (PKI). Each authorization
must be signed with the user's private key. The app is managing and protecting
the keys and certificates, so user does not have to figure out key/cert
management. Some info here; [https://www.mepin.com/technical-
overview/](https://www.mepin.com/technical-overview/)

