So, users are locked into MePIN's proprietary app and depend on MePIN's website to log in, rather than using a open standard that can run offline. If you use HOTP/TOTP, you can use open source Google Authenticator, DuoSecurity, libpam, or any number of clients.
In MePIN's defense, DuoSecurity also has their own push notification for a single-tap login, so users are willing to trade interoperability for convenience.
Of course user behavior has to be considered. The MePIN app does allow the user to set up a personal PIN code, so an authorization would then require the PIN code and a tap.
If a user is willing to press the button, a PIN isn't going to stop them. Your app is decreasing security in favor of usability, which is not something look for when they are looking to implement two factor auth.
I think anyone who would blindly use your proprietary two factor solution that makes it easier for end users to authorize other people to log in would be silly.
I can use similar arguments; a user can be tricked to enter an OTP to a phishing site. For that the hacker does not need to time the attack to the same second, so it's much much easier attack for the hacker.
'No 2FA' is the real silly one here. Any 2FA is so much better than no 2FA, and usability has been a big issue so far in 2FA adoption.
Hate to be one of these guys, but the site is totally unreadable on Android Chrome. The left bar covers everything and won't move. Maybe offer a close or collapse button for it?
We use MePIN in our service and I have to say that it's working really great. Easier for the user and also more secure than Google Authenticator (for which secret key can be stolen more easily).
> MePIN comes as a distributed hosted service containing simple-to-use REST API and handy client side scripts. Hosted or in-house white label solution is also possible, contact sales@meontrust.com.
Cool! I wondered the same question you are responding to after getting a 2-factor mobile app for an online service I use.
"What happens if/when these fellas implode?"
The answer in the site's case would be to fall back to SMS. Something like this that could be integrated into the site itself would be better, working in tandem with a more typical fall-back of course.
From your home website, it looks like you are relying on users deciding if they should authorize a request based on OS, web browser, ip address, and location.
Users are going to essentially ignore ip address. OS, web browser, and location are easy to spoof. If a half competent attacker makes a request, how is the user to know if they should authorize a request.
I understand that using OTP codes can be annoying to some users, but it is MUCH harder for a user to hand that code over to someone in order to login.
First; the user does not have to care about OS, browser, ip address or location. Though those can be shown to a user if the service provider wants.
Authorization requests can only be initiated at the back-end by authorized service providers and only for users who have linked their MePIN app with that specific provider. Though of course login verification could be initiated with stolen username/password, which would then alert the user for verification.
Now the added benefit here is that with MePIN the user would immediately know that her username and password is at wrong hands if she receives a login verification request while not actually performing a login.
So obviously the user should not authorize unexpected requests. You would not authorize a login if you are not actually performing a login, etc. Concerned users can additionally set up a personal PIN code in the app.
Lack of good usability is currently hampering 2FA adoption, we are working hard to fix that.
In this model, all you have to do is time the authorization request appropriately. If an attacker can time their authorization at the same time that the user is logging in, a large number of users are simply going to authorize both requests thinking that it is some sort of glitch.
With the standard OTP model, a user physically can not enter their code for another user.
Unfortunately there are several cases where users have entered an OTP code for another user. The recent high profile case was with World of Warcraft's OTP.
While two-factor authentication is a good thing from a security standpoint from service providers, I can't help but worry that it's a worry from an individual's standpoint: It's nothing but serving an IP address+account <-> mobile phone number relationship on a silver tablet. Do we really want that?
What's with those url changes? After a while about a dozen url anchors is cycled through which effectively kills the "back" functionality. If you go past them, you can't stay on the "main" page because another ones are added.
Am I correct to assume that you have logged in? An automated setup creates the user account and other objects you need to get started. I admit that actually posting the forms is not the most elegant solution, but a hack. We did it to let you read the full contents of the MePIN Dev Portal without having to fill in any personal information.
In that case I have no idea what has happened. The only automatic redirects are related to the first time login. There are just few steps, and back button should work nicely in that flow.
I am not able to reproduce that behavior on any device or browser I have at hand. If you experience that again, Please give information about the OS, Web Browser, and the URL you end to, and we'll have a look into the issue.
The solution is based on Public Key Infrastructure (PKI). Each authorization must be signed with the user's private key. The app is managing and protecting the keys and certificates, so user does not have to figure out key/cert management. Some info here; https://www.mepin.com/technical-overview/
