Back to List

DualAuth Insight

2FA & MFA User Authentication: Is It Secure?

User authentication technologies including 2FA/MFA have been known to be more secure than a traditional user password, however these technologies are still highly vulnerable to fake online services and have suffered breaths in previous years. Recent user authentication technologies only check the user’s authentication, e.g., their password, so, if a user connects to a fake online service first, they’d be giving their credentials to a fake online service and then authenticating access by an SMS code, OTP code, approval of mobile push notification, finger print or IRIS scan without knowing. Therefore, it’s extremely difficult to be 100% sure where/who we are connecting to, as we presume we are connecting to a genuine online service.

To fight against fake online services, a user would also need to verify the authenticity of an online service, like an online service authenticator. So far, we can only verify the online service’s authenticity with an SSL certificate, which shows the user a green padlock symbol in their web browser as an indentation of security.

However, it’s not always easy to use this padlock as an indicator of an authentic service. Sometimes, a user could meet a fake online service that actually does have a genuine SSL certificate, but with a similar domain. So, how could you tell if that service is authentic if it has the same design, similar domain and a genuine SSL certificate? Also, an SSL certificate is mainly used as a secure data transfer layer between a user and a web-server, rather than a verification method to authenticate an online service. So, without providing a solution for a user to check the authenticity of a registered online service, and if online services keep continuing to check the authenticity of each user two or three times, it just increases the user’s burden without enhancing their security at all.

Strictly speaking, all kinds of user authenticators are designed for online service’s security, not the user’s, and also for the benefit of online services, we are asked to not only present a user password but also use highly inconvenient 2FA/MFA methods. Therefore, existing user authentications are great to protect online services but they’re still vulnerable to fake online services and continue to give the password burden to the user. This explains why less than 10% of Gmail users adopt an OTP Authenticator, under the worst privacy data breach era in history.

Similar to how we love to choose different online services for ourselves, we should also choose the right authentication technology for ourselves as well. The technology should not only decrease the burden of user, but also enhance their security, without jeopardizing the security of the online service. In that case, AutoPassword is the first authentication technology to allow users to verify the authenticity of the online service first without typing any inconvenient codes, whilst the online service simultaneously verifies the authenticity of the user internally.

As shown in the above image, if AutoPassword technology is applied to an online service, that online service generates an AutoPassword code in the password field automatically, after the user types in their user ID. It allows the user the opportunity to verify the authenticity of the online service with their smart phone.

If the two codes match, all the user needs to do is touch their fingerprint on their smart phone, and the request will be approved as a sign of authenticity of the online service.

When the user touches their finger print on to their mobile, it sends their authentication code to the server internally. AutoPassword adds an extra layer of security on top of existing user authentication technologies such as OTP, PKI, FIDO, so that online services can also check the authenticity of the user, like existing 2FA/MFA technologies.

Technically, AutoPassword is a mutual authentication technology but it looks like a service authenticator that grants authentication permission to a user. It eliminates not only the need for the user to type an inconvenient code to gain access to an online service, but also enhances the users security so they don’t fall victim to a fake online service.

Compared to other existing mutual authentication technologies, such as Kerberos and PKI, AutoPassword makes a user verify the authenticity of an online service with their own eyes, whereas existing authentication technologies don’t let the user authenticate the online service at all , they just run internally between the client’s machine and servers machine by typing a user ID and password.

Even if existing mutual authentication technologies are being used, if a user can’t check the authenticity of an online service first, then the user can still fall victim to a fake service. In fact, some technologies that claim to use mutual authentication, were not even developed for that purpose, instead they were made to prevent eavesdropping and replay attacks, not for the user to verify the authenticity of online services.

In summary, existing authentication technologies, including 2FA and MFA, are designed for protecting online service providers, not the user. As users, we need a new solution which prevents us from falling victim to fake online services and eliminates the burden of authentication.

AutoPassword’s Smart-Two-Way Authentication technology marks a new era in “Mutual 2FA and MFA” and provides the ultimate solution for both security and convenience.