Show HN: The easiest 2-factor auth (opens in new tab)

(developer.mepin.com)

27 pointsmarkkum12y ago29 comments

29 comments

How is it easier than TOTP, which is an IETF standard, and implemented by Google Authenticator (amongst others)?

It's easier because you only need to tap the app to verify. No need for OTP codes, though OTP is a fallback if your device is offline.

sweis12y ago

So, users are locked into MePIN's proprietary app and depend on MePIN's website to log in, rather than using a open standard that can run offline. If you use HOTP/TOTP, you can use open source Google Authenticator, DuoSecurity, libpam, or any number of clients.

It's pretty easy to implement your own TOTP client if you don't like any of those. Here's a JS reference in 250 lines of code and HTML: https://code.google.com/p/google-authenticator/source/browse...

In MePIN's defense, DuoSecurity also has their own push notification for a single-tap login, so users are willing to trade interoperability for convenience.

davis_m12y ago

Are you concerned that it is a lot easier to trick users into clicking a button to authorize the login?

1 more reply

mmastrac12y ago

Hate to be one of these guys, but the site is totally unreadable on Android Chrome. The left bar covers everything and won't move. Maybe offer a close or collapse button for it?

markkumOP12y ago

This is now fixed. Thanks for the kick.

markkumOP12y ago

Working on it.

M4v3R12y ago

We use MePIN in our service and I have to say that it's working really great. Easier for the user and also more secure than Google Authenticator (for which secret key can be stolen more easily).

huhtenberg12y ago

So what happens to my users if your service ever goes down or disappears?

tokenizerrr12y ago

Apparently they offer an in-house solution.

> MePIN comes as a distributed hosted service containing simple-to-use REST API and handy client side scripts. Hosted or in-house white label solution is also possible, contact sales@meontrust.com.

streetnigga12y ago

Cool! I wondered the same question you are responding to after getting a 2-factor mobile app for an online service I use.

"What happens if/when these fellas implode?"

The answer in the site's case would be to fall back to SMS. Something like this that could be integrated into the site itself would be better, working in tandem with a more typical fall-back of course.

markkumOP12y ago

The service is distributed and hosted at 3 continents with 3 different hosting providers, so we take this seriously.

Other than that; You own your users and user database. No user data is stored at MePIN servers.

davis_m12y ago

From your home website, it looks like you are relying on users deciding if they should authorize a request based on OS, web browser, ip address, and location.

Users are going to essentially ignore ip address. OS, web browser, and location are easy to spoof. If a half competent attacker makes a request, how is the user to know if they should authorize a request.

I understand that using OTP codes can be annoying to some users, but it is MUCH harder for a user to hand that code over to someone in order to login.

markkumOP12y ago

First; the user does not have to care about OS, browser, ip address or location. Though those can be shown to a user if the service provider wants.

Authorization requests can only be initiated at the back-end by authorized service providers and only for users who have linked their MePIN app with that specific provider. Though of course login verification could be initiated with stolen username/password, which would then alert the user for verification.

Now the added benefit here is that with MePIN the user would immediately know that her username and password is at wrong hands if she receives a login verification request while not actually performing a login.

So obviously the user should not authorize unexpected requests. You would not authorize a login if you are not actually performing a login, etc. Concerned users can additionally set up a personal PIN code in the app.

Lack of good usability is currently hampering 2FA adoption, we are working hard to fix that.

davis_m12y ago

In this model, all you have to do is time the authorization request appropriately. If an attacker can time their authorization at the same time that the user is logging in, a large number of users are simply going to authorize both requests thinking that it is some sort of glitch.

With the standard OTP model, a user physically can not enter their code for another user.

1 more reply

beefhash12y ago

While two-factor authentication is a good thing from a security standpoint from service providers, I can't help but worry that it's a worry from an individual's standpoint: It's nothing but serving an IP address+account <-> mobile phone number relationship on a silver tablet. Do we really want that?

markkumOP12y ago

Note that MePIN does not collect or need user's phone number, e-mail address or any other user information. You can use MePIN fully anonymously.

rplnt12y ago

What's with those url changes? After a while about a dozen url anchors is cycled through which effectively kills the "back" functionality. If you go past them, you can't stay on the "main" page because another ones are added.

teemi12y ago

Am I correct to assume that you have logged in? An automated setup creates the user account and other objects you need to get started. I admit that actually posting the forms is not the most elegant solution, but a hack. We did it to let you read the full contents of the MePIN Dev Portal without having to fill in any personal information.

rplnt12y ago

I just clicked on the link posted here, that is https://developer.mepin.com/.

1 more reply

davis_m12y ago

What methods are you using to make sure that an authorization comes from an authorized phone?

markkumOP12y ago

The solution is based on Public Key Infrastructure (PKI). Each authorization must be signed with the user's private key. The app is managing and protecting the keys and certificates, so user does not have to figure out key/cert management. Some info here; https://www.mepin.com/technical-overview/

j / k navigate · click thread line to collapse

29 comments

AndrewDucker12y ago

How is it easier than TOTP, which is an IETF standard, and implemented by Google Authenticator (amongst others)?

markkumOP12y ago

It's easier because you only need to tap the app to verify. No need for OTP codes, though OTP is a fallback if your device is offline.

sweis12y ago

It's pretty easy to implement your own TOTP client if you don't like any of those. Here's a JS reference in 250 lines of code and HTML: https://code.google.com/p/google-authenticator/source/browse...

In MePIN's defense, DuoSecurity also has their own push notification for a single-tap login, so users are willing to trade interoperability for convenience.

davis_m12y ago

Are you concerned that it is a lot easier to trick users into clicking a button to authorize the login?

1 more reply

mmastrac12y ago

Hate to be one of these guys, but the site is totally unreadable on Android Chrome. The left bar covers everything and won't move. Maybe offer a close or collapse button for it?

markkumOP12y ago

This is now fixed. Thanks for the kick.

markkumOP12y ago

Working on it.

M4v3R12y ago

We use MePIN in our service and I have to say that it's working really great. Easier for the user and also more secure than Google Authenticator (for which secret key can be stolen more easily).

huhtenberg12y ago

So what happens to my users if your service ever goes down or disappears?

tokenizerrr12y ago

Apparently they offer an in-house solution.

> MePIN comes as a distributed hosted service containing simple-to-use REST API and handy client side scripts. Hosted or in-house white label solution is also possible, contact sales@meontrust.com.

streetnigga12y ago

Cool! I wondered the same question you are responding to after getting a 2-factor mobile app for an online service I use.

"What happens if/when these fellas implode?"

markkumOP12y ago

The service is distributed and hosted at 3 continents with 3 different hosting providers, so we take this seriously.

Other than that; You own your users and user database. No user data is stored at MePIN servers.

davis_m12y ago

From your home website, it looks like you are relying on users deciding if they should authorize a request based on OS, web browser, ip address, and location.

I understand that using OTP codes can be annoying to some users, but it is MUCH harder for a user to hand that code over to someone in order to login.

markkumOP12y ago

First; the user does not have to care about OS, browser, ip address or location. Though those can be shown to a user if the service provider wants.

Lack of good usability is currently hampering 2FA adoption, we are working hard to fix that.

davis_m12y ago

With the standard OTP model, a user physically can not enter their code for another user.

1 more reply

beefhash12y ago

markkumOP12y ago

Note that MePIN does not collect or need user's phone number, e-mail address or any other user information. You can use MePIN fully anonymously.

rplnt12y ago

teemi12y ago

rplnt12y ago

I just clicked on the link posted here, that is https://developer.mepin.com/.

1 more reply

davis_m12y ago

What methods are you using to make sure that an authorization comes from an authorized phone?

markkumOP12y ago

j / k navigate · click thread line to collapse