What you may not know about 2FA

If you’re like most people, you’ve been happy with the shift from PINs, to thumbprint scans, to biometric/Face ID scans as a method for authenticating on your smartphone.

Without a doubt, biometrics like facial recognition are a faster and easier way to authenticate.

However, what you may not have realized is that the shift away from the PIN is actually less secure. Let me explain.

Strong two-factor authentication consists of 2 things:

Something you have

and

Something you know

What’s considered “something you have?”

  • Your phone
  • Your fingerprint
  • Your face
  • Your Google Authenticator (or other authenticator that doesn’t require a “secret” to access)
  • Your email account
  • Your text messages
  • (And more)

These are all things that can be stolen and/or spoofed.

What’s considered “something you know?”

Any secret combination of numbers, letters, symbols and/or words. These are things that usually come in the form of a password or PIN.

So what’s the problem?

The problem with current authentication methods is that most people use the same password for more than one account, or insecurely store their passwords digitally.

We’ve written more about passwords here and here.

So you take something that can be spoofed or stolen and combine it with something whose security relies on being stored only in your head (that most often isn’t) and you end up with an authentication system that merely gives an illusion of security, rather than actual protection.

How is a 4 digit PIN safer?

LockDown uses a 4 digit PIN as a 3rd factor in our authentication system to ensure that only you can access your account. When a person uses LockDown, they have:

1st factor: Physical possession of your smartphone (each LockDown user’s private keys are stored only on their device and are tied to that device). Something you have. 

2nd factor: Biometric (thumb or face scan) authentication used by the smartphone to gain access to the smartphone. Something you have. 

3rd factor: 4 digit PIN. Something you know.

The 4 digit PIN is stronger as something you know if it doesn’t need to be written down and therefore only lives secretly in your head. Most people can easily remember four digits, which is also why banks use 4 digit PINs for ATM cards.

With LockDown, the 4 digit PIN is not stored on the phone and is verified by our services. If there are 5 consecutive invalid PIN attempts, we lock your account. After a lock-out, the app is no longer accessible until you unlock it with your unique, printed recovery code.

This means even if your phone is tampered with (cracked) it will not expose your PIN or allow attackers more than 5 attempts in 10,000 possible combinations.
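The lock-out behaviour described above, sketched as an added example (this is not LockDown's code). The salted PBKDF2 storage, the class and function names, and the sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import os

MAX_ATTEMPTS = 5  # consecutive invalid PINs before lock-out (figure from the article)


class PinVerifier:
    """Server-side record for one account; the storage layout is an assumption."""

    def __init__(self, pin: str, recovery_code: str):
        self._salt = os.urandom(16)
        self._pin_hash = self._derive(pin)
        self._recovery_hash = self._derive(recovery_code)
        self.failures = 0
        self.locked = False

    def _derive(self, secret: str) -> bytes:
        # With only 10,000 possible PINs a hash alone is brute-forced quickly;
        # the server-side attempt counter is the control that matters.
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), self._salt, 100_000)

    def verify(self, pin: str) -> str:
        if self.locked:
            return "locked"        # no comparison is made while locked
        if hmac.compare_digest(self._derive(pin), self._pin_hash):
            self.failures = 0      # only consecutive failures count
            return "ok"
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.locked = True
            return "locked"
        return "invalid"

    def unlock(self, recovery_code: str) -> bool:
        # Only the recovery code clears a lock-out; the PIN alone cannot.
        if hmac.compare_digest(self._derive(recovery_code), self._recovery_hash):
            self.failures, self.locked = 0, False
            return True
        return False


def guess_success_probability(attempts: int = MAX_ATTEMPTS, pin_digits: int = 4) -> float:
    """Chance that `attempts` distinct guesses hit a uniformly random PIN."""
    return attempts / 10 ** pin_digits
```

Because the counter and the hash live on the server, tampering with the phone yields neither the PIN nor extra guesses, and five guesses against 10,000 combinations succeed 0.05% of the time.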

If you’d like to learn more about LockDown’s technology, you can do so here.
