What you may not know about 2FA

If you’re like most people, you’ve been happy with the shift from PINs, to thumb print scans, to biometric/faceID scans as a method for authenticating on your smartphone.

Without a doubt, biometrics like facial recognition are a faster and easier way to authenticate.

However, what you may not have realized is that the shift away from the PIN is actually less secure. Let me explain.

Strong two-factor authentication consists of 2 things:

Something you have

and

Something you know

What’s considered “something you have?”

  • Your phone
  • Your fingerprint
  • Your face
  • Your Google Authenticator (or other authenticator that doesn’t require a “secret” to access)
  • Your email account
  • Your text messages
  • (And more)

These are all things that can be stolen and/or spoofed.

What’s considered “something you know?”

Any secret combination of numbers, letters, symbols and/or words. These are thing that usually come in the form of a password or PIN.

So what’s the problem?

The problem with current authentication methods is that most people use the same password for more than one account, or insecurely store their passwords digitally.

We’ve written more about passwords here and here.

So you take something that can be spoofed or stolen and combine it with something whose security relies on being stored only in your head (that most often isn’t) and you end up with an authentication system that merely gives an illusion of security, rather than actual protection.

How is 4 digit pin safer?

LockDown uses a 4 digit PIN as a 3rd factor in our authentication system to ensure that only you can access your account. When a person uses LockDown, they have:

1st factor: Physical possession of your smartphone (each LockDown user’s private keys are stored only on their device and are tied to that device). Something you have. 

2nd factor: Biometric (thumb or face scan) authentication used by the smartphone to gain access to the smartphone. Something you have. 

3rd factor = 4 digit PIN. Something you know. 

The 4 digit PIN is stronger as something you know if it doesn’t need to be written down and therefore only lives secretly in your head. Most people can easily remember four digits, which is also why banks use 4 digit PINs for ATM cards.

With LockDown, the 4 digit PIN is not stored on the phone and is verified by our services. If there are 5 consecutive invalid PIN attempts, we lock your account. After a lock-out, the app is no longer accessible until you unlock it with your unique, printed recovery code.

This means even if your phone is tampered with (cracked) it will not expose your PIN or allow attackers more than 5 attempts in 10,000 possible combinations.

If you’d like to learn more about LockDown’s technology, you can do so here.

Recent Posts

You’ve heard of Signal, but what about LockDown?

Last week, following a viral tweet from Elon Musk, Signal became the #1 downloaded free app in both the Apple App and Google Play stores. Here at LockDown, we’re often … Read More

The SolarWinds Hack Screams Need for Containerization

The SolarWinds hack that impacted the U.S. Treasury, Department of Homeland Security and Commerce departments, as well as other government agencies and private companies was a big wake up call … Read More

Why privacy matters more than we think.

What is privacy? Contrary to widespread belief, privacy is more than just personal identifying information, medical records, and personal communication. Privacy, by our definition, includes any digital information you decide … Read More