
Emoji based authentication for mobile - shifte
https://medium.com/@ivanderbyl/emoji-based-authentication-ecad9b69192e#.h310xdud3
======
alexbock
While the article admits that this isn't very secure, I think giving any
visitor a one in three chance to "authenticate" with any given mobile number
is well beyond "not very secure" and into "false sense of security/no security
at all" territory.

The introduction indicates that this is intended to be on par with
confirmation emails or six digit SMS pins, but both of those actually prove
that you own the indicated resource; asking someone which of three emojis they
received does not.

~~~
theoh
I'm not up to date on terminology to do with two-factor authentication, but
shouldn't it be "currently possess" rather than "own" the resource or device
in question? It is important to remember what can go wrong and invalidate the
assumptions of the protocol, e.g. theft or duress.

------
Deregibus
Even assuming the insecure "choose 1 of 3" was for example, I don't really
understand how this is better than e.g. a 4-digit numeric code?

It seems like this kind of authentication could be provided by the OS. I'm
pretty sure I've used apps that sent a code via SMS to verify identity that
detected when the SMS arrived and performed the authentication automatically.
Given that you don't want to give every app unnecessary access to your text
messages/email/whatever, I would think you could have a fairly secure process
like:

1. App requests a unique session code from the OS and registers a callback.
2. App sends the session code to the server.
3. Server sends SMS to the phone # containing the app auth code + session code in a standard format.
4. OS detects that SMS is an auth message, matches the session code with the callback, and sends the auth code to the app.
5. App sends the auth code to the server for verification.

I haven't done any mobile dev so for all I know something like this already
exists.

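The five-step flow above, worked through in code as an added example (written for this thread, not taken from the post or from any OS vendor's API): a toy server that issues a session-bound six-digit code, an OS-side router that hands the code only to the app that registered the matching session code, and the guessing odds behind the "one in three" objection earlier in the thread. The `AUTH <session> <code>` SMS format, the class and function names, and the phone number are all constructed for illustration.

```python
"""Added example: OS-mediated SMS verification as sketched in the comment.
All names, the SMS wire format and the sample phone number are assumptions."""
import hmac
import re
import secrets
import time

# Constructed "standard format" the OS can recognise: AUTH <16 hex> <6 digits>
SMS_FORMAT = re.compile(r"^AUTH (?P<session>[0-9a-f]{16}) (?P<code>\d{6})$")


def new_session_code() -> str:
    """Step 1: the OS hands the app an unguessable per-request session code."""
    return secrets.token_hex(8)


class AuthServer:
    """Steps 2, 3 and 5 from the server's point of view (hypothetical)."""

    TTL_SECONDS = 300      # code is worthless after five minutes
    MAX_ATTEMPTS = 5       # online guessing is rate-limited per session

    def __init__(self) -> None:
        # (phone, session_code) -> {"code": str, "expires": float, "tries": int}
        self._pending = {}

    def begin(self, phone: str, session_code: str, now: float = None) -> str:
        """Step 2/3: record a fresh code and return the SMS body to send."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** 6):06d}"   # uniform 6-digit, CSPRNG
        self._pending[(phone, session_code)] = {
            "code": code, "expires": now + self.TTL_SECONDS, "tries": 0,
        }
        return f"AUTH {session_code} {code}"

    def verify(self, phone: str, session_code: str, auth_code: str,
               now: float = None) -> bool:
        """Step 5: single-use, expiring, attempt-limited, constant-time check."""
        now = time.time() if now is None else now
        key = (phone, session_code)
        entry = self._pending.get(key)
        if entry is None:
            return False
        if now > entry["expires"] or entry["tries"] >= self.MAX_ATTEMPTS:
            del self._pending[key]
            return False
        entry["tries"] += 1
        ok = hmac.compare_digest(entry["code"], auth_code)
        if ok:
            del self._pending[key]        # a code can be redeemed only once
        return ok


def os_route_sms(text: str, callbacks: dict) -> bool:
    """Step 4: the OS recognises an auth SMS and delivers the code only to the
    app whose registered session code matches; no app reads the inbox."""
    m = SMS_FORMAT.match(text)
    if m is None:
        return False
    cb = callbacks.get(m["session"])
    if cb is None:
        return False
    cb(m["code"])
    return True


def guess_success_probability(alphabet: int, length: int, attempts: int) -> float:
    """Chance that someone who never received the message succeeds within
    `attempts` guesses against a uniformly random code of the given shape."""
    p_single = 1.0 / (alphabet ** length)
    return 1.0 - (1.0 - p_single) ** attempts


def run_flow(phone: str = "+15550100") -> bool:
    """Wire the pieces together end to end; True means the app authenticated."""
    server = AuthServer()
    callbacks, received = {}, {}
    session = new_session_code()                       # step 1
    callbacks[session] = lambda code: received.setdefault("code", code)
    sms = server.begin(phone, session)                 # steps 2 and 3
    if not os_route_sms(sms, callbacks):               # step 4
        return False
    return server.verify(phone, session, received["code"])   # step 5


if __name__ == "__main__":
    print("flow authenticated:", run_flow())
    print("pick 1 of 3 emoji, 1 try :", guess_success_probability(3, 1, 1))
    print("6 digits, 5 tries        :", guess_success_probability(10, 6, 5))
```

The session code is what ties the SMS to a specific app request: an attacker who triggers an SMS to someone else's number cannot register that session with the OS, and an app that never asked for a code is never handed one. The probability helper is there to make the thread's objection concrete: a three-way pick gives a cold guesser a 1/3 chance on the first try, whereas five tries against a six-digit code succeed about five times in a million.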
------
volaski
Even before getting to security issues, why would anyone prefer typing in
emoji instead of numbers? I can imagine people struggling to find some random
emoji from the keyboard before the notification banner disappears. (Normally I
don't switch back to the message ui but try my best to finish typing in the
auth codes before the notification banner disappears, and even 6 digit codes
are annoying because sometimes it disappears before I type them in. Most
people will have probably only typed in one emoji before the notification
banner goes away). This guy should build it himself and realize how out of
touch this solution of his was instead of telling the users to build it and
let him know. Personally if I ever came across any app that implemented this
scheme, I would feel offended because it feels like the developer is trolling
me.

~~~
todd3834
His UI shows an interface where you can select from 3 emoji, so you don't have
to use the emoji keyboard. Although insecure, I'm not sure it is user-unfriendly.

------
tedmiston
Neat idea, but way too insecure for real life.

Slack's Magic Links are a very user friendly and much more secure approach to
a similar problem.

http://louiiisechg.tumblr.com/post/130650909766/slack-magic-link

------
brudgers
Related use as banking PINs: http://www.wired.com/2015/06/maybe-emoji-passcodes-arent-good-idea/

