Blog Feed

10 Most Popular Two-Factor Authentication Apps on Google Play Compared

Posted at 21:55 in Engineering, R&D

This article discusses two-factor authentication apps, which offer different functionality and are based on different principles, but serve one purpose: reliable protection of access to sensitive information. Today we will review some of the most popular one-time password generation applications on the Google Play market, as well as two hardware OTP tokens that can replace two-factor authentication apps. The authors of these apps and OTP tokens offer many convenience- and security-oriented features. Let's figure out the pros and cons of each.

"Turn on all security features like two-factor authentication. People who do that generally don't get hacked. Don't care? You will when you get hacked. Do the same for your email and other social services, too." – Robert Scoble

Google Authenticator

Google's two-factor authentication app is probably the most popular and best known among 2FA evangelists. It's free, handy, and offered on many websites by default. Let's have a look at its features:

User-friendly. Google Authenticator has a clear, easy-to-use UI (user interface) that even a child would find informative. It should also be noted that the software works on almost all versions of Android and takes no more than 2 MB, which matters to owners of phones with a small amount of RAM.

TOTP and HOTP algorithms. Google Authenticator supports both the Time-based One-Time Password (TOTP) and HMAC-based One-Time Password (HOTP) generation algorithms, which lets it be used with more resources. TOTP is more widespread and reliable: it is an algorithm in which the current time is used as one of the parameters for one-time password generation. There are still websites using the HOTP algorithm, where a counter is used to compute the passwords. The lifetime of all OTP passwords generated according to the TOTP or HOTP algorithms is 60 seconds, i.e. every minute a new password is created.

No need for a network connection. The use of such OTP generation algorithms allows Google Authenticator to work without a network connection. The same one-time passwords are generated on your smartphone, without access to the Internet or cellular network, and on the authentication server (in the client-server paradigm); if the one-time passwords match, you get access to your account.

Many accounts in one place. You can use one app for all your accounts on different websites as well as for multiple accounts on one website. This is very convenient compared with SMS authentication, but bear in mind that you may have a lot of trouble when losing or wiping a phone if you don't take care of a Google Authenticator backup.

Are there any drawbacks to Google Authenticator? Here are some black clouds above the app:

There is no built-in possibility to back up your data. This means that users must re-enter their information each time they change the phone or account.

It is said to be not quite convenient to use this app if you turn on 2-factor authentication for more than 4 websites. Four one-time passwords are enough to occupy the whole screen, and if you have, for example, 12 accounts, you won't see all passwords at a glance.

Google's two-factor authentication app may be the best known one, but let's be honest: there are many other analogs on the market today.

Authy 2-Factor...

The Pros and Cons of Different Two-Factor Authentication Types and Methods

Posted at 19:21 in Engineering, R&D

Along with the first digital devices came a need to ensure the security of stored data and to differentiate access to various functions. The various methods for unambiguous authentication of users, on which security is based, are called authentication factors. These include codes, logins, passwords, certificates, hardware keys, and so on. The whole set of authentication factors can be divided into three groups:

Knowledge factors (something known to the user);

Ownership factors (something that the user owns: documents or items characterized by some unique information; usually these factors boil down to "devices", although this narrowing is not always justified);

Biometric factors (physical characteristics of the user).

There is a huge variety of authentication factors, not all of which are equally convenient and safe. To raise the security level of the authentication process, multifactor authentication is used, in which several authentication factors of different types verify access. The disadvantages of some factors can and should be covered by the merits of others. Despite the greater security, the more authentication stages are used, the more effort and time it takes to authorize. By the combination of security, convenience and required effort, two-factor authentication is considered the optimal choice today.

Two-Factor Authentication

What is two-factor authentication? Two-factor authentication (2FA) is one of the most reliable types of user authentication nowadays, used to obtain the rights to access a resource or data (from mailboxes to bank card payments). Two-step authentication is a much more reliable alternative to traditional one-factor authentication (1FA) with a login-password pair, whose security is currently quite low.

There are a huge number of methods for hacking and circumventing password authentication, from social engineering to distributed brute-forcing based on pre-organized botnets. In addition, some users use the same password to log into all their accounts, which further simplifies scammers' access to protected information and transactions. The main advantage of two-factor authentication is the increased login security. As for the shortcomings, the main two are the increase in the time it takes to log into the system and the risk of losing the physical medium used to pass one of the authentication steps (mobile phone, U2F key, OTP token). In this article, we review several of the most convenient and secure second authentication factors for use in 2FA.

1. SMS Codes

SMS codes generated by special services are the most common kind of factor used in mobile two-factor authentication. It is quite convenient (most modern users always keep their smartphones on them) and does not take much time. In addition, this check is in most cases effective, for example, against automated attacks, phishing, password brute-forcing, viruses, and the like. But if someone is intent on hacking you, bypassing SMS authentication is possible. After all, the phone number tied to the account is usually not a secret (as a rule, it is the same contact number that can be found from your friends, social network or business card). Having obtained the personal information of the number's owner, scammers make a fake identity card and use it at the nearest office of the mobile operator. Despite the fact...

How to Backup Google Authenticator or Transfer It to a New Phone

Posted at 15:06 in Engineering, R&D

Our regular readers know that we strongly recommend applying two-step verification wherever possible. In the contemporary world, where database leaks are a regular affair, two-step authentication is not an option; it is, in fact, a must. If you use two-factor verification, an intruder would need both the unique password you came up with and the gadget which produces the verification codes to break into your account. Thus, two-factor authentication protects against brute force, keyloggers, and most cases of phishing and social engineering. It also complicates man-in-the-middle and man-in-the-browser attacks.

So why is two-factor verification still unpopular? Sure, it adds an extra step to log in, but most users omit it not because of this extra time and effort, but because they are afraid of losing access to their credentials if something goes wrong with their authentication devices.

"As the world is increasingly interconnected, everyone shares the responsibility of securing cyberspace." – Newton Lee, Counterterrorism and Cybersecurity: Total Information Awareness

Of all the available options for one-time password generation or delivery (SMS, emails, hardware and software tokens), most people choose Google Authenticator or similar applications like Authy, Protectimus Smart, etc. The operating principle is pretty much the same for all software OTP tokens: they generate authentication codes for logging into your account right on your smartphone. It's very convenient to use the smartphone for two-factor verification, but there are always these nagging questions: What do you do if you lose the smartphone which generates your one-time passwords? What happens if you switch smartphones; do you lose the entire account? How do you transfer Google Authenticator to a new phone? In this article, we will answer these nagging questions and help you protect your invaluable personal data.

3 ways to back up Google Authenticator

Backup codes

Google, as well as some other websites where you can protect your user account with two-step authentication, provides backup codes. These are single-use codes that allow you to log into your account if you lose access to your OTP token. After you use a backup code once, it's gone for good. Most people print out these Google Authenticator backup codes and keep them at hand.

It is important to understand that Google Authenticator is a multi-token, so you can enroll many tokens for various websites using one app. Some of these websites provide backup codes, and a user can regain access to them if their smartphone is lost. But what do you do with the websites which do not support backup codes?

Another point against Google Authenticator backup codes is that they are only as secure as a password written down on paper. An intruder in your physical vicinity can easily copy them and use them to gain access to your account. Granted, the intruder will have to be among your peers and know the user password, but you know... things happen.

Other things that you might want to keep in mind when it comes to printed backup codes:

You do not have them at hand at all times.

You can lose the paper or destroy it by mistake.

Only a few services provide them.

Google Authenticator backup codes have their perks, but you have to...

10 Steps to Eliminate Digital Security Risks in Fintech Project

Posted at 16:11 in Engineering, R&D

Any kind of project can be of potential interest to attackers, since information stolen in an attack can be turned into cash. In the case of financial projects, though, an attack usually results in attackers transferring user or system funds to an unknown location, which eliminates the extra steps it would otherwise take them to reach their ultimate goal. Regardless of what stage your fintech project is at, it's never a bad idea to make sure that everything that can be done has been done to eliminate all possible digital security risks, so that clients and the business itself are adequately protected.

"There are only two types of companies: Those that have been hacked and those that will be hacked." – Robert S. Mueller, III, Director, FBI

In this article, we'll go over the key financial cyber security concerns, as well as a list of ten components for putting together an effective system to protect the financial information of both users and the company itself.

Note: In early 2018, PSD2, the amended Payment Services Directive for the European Union, enters into force. Later in this article, we'll describe the main IT security requirements of this directive. If your company operates in or plans to operate in Europe, we recommend that you familiarize yourself with it and download our checklist.

The main financial cyber security concerns

We'll begin by looking over the main traditional digital security risks facing personal data protection in IT systems for fintech companies.

SQL injection

SQL injection is a digital security threat that involves the introduction of altered SQL queries. Using vulnerabilities in the system's software implementation, an attacker can execute arbitrary database queries.

Brute-force attacks

Brute-force attacks attempt to recover a password by automatically guessing from a pool of possible passwords. Using a database of likely passwords (like a dictionary) makes this process much more efficient.

Zero-day vulnerabilities

Zero-days are unknown vulnerabilities used by hackers before software developers have fixed them. In addition, system administrators don't always update software in a timely manner, causing additional digital security risks.

Man-in-the-middle (MITM) attacks

In an MITM attack, messages exchanged between the ends of a communication channel are intercepted and spoofed using an unauthorized connection.

Phishing

Phishing is one of the greatest financial cyber security concerns nowadays; it involves the theft of a user's information with the help of fake websites and web applications that mimic legitimate resources. Through nefarious means (often a link in an email or other message), users end up at these fake resources and voluntarily enter their login details into forms that look identical to the real ones.

Banking Trojans

This type of malware is aimed specifically at compromising banking cyber security. It gathers account details, collecting stored information about users' accounts and sending this data to an admin panel. The admin panel, either by automatic rules or manual intervention, chooses a target and displays a fake page to the user.

Ransomware

Ransomware is typically spread through phishing messages. When run, the malware locks the user out of the system and demands a ransom payment.

For 2017, the Open Web Application Security Project (OWASP) identified the following as the most critical web application security risks:

SQL injection
Cross-site scripting
Broken authentication
Broken access control
Sensitive data exposure...

Top 7 Tips How to Protect Yourself from Phishing Scams

Posted at 11:14 in R&D

What phishing is has been well known for some time now. The first phishing attacks were noted shortly after the World Wide Web appeared. But despite the efforts of IT security specialists to create more effective anti-phishing protection, new phishing sites continue to appear every day. According to data from several studies, about 5000 new phishing sites were created every day in 2016. In 2017, this figure will be even greater. The secret to the resilience of this type of fraud lies in how it is based not on "holes" in software but on a vulnerability in human beings themselves, particularly those with access to important data. That's why we're going to remind you once more what phishing is, what the most common phishing attack examples are, and what you can do to counter them.

"Phishing is a real threat, which is relatively easy to implement and difficult to identify and counteract." ― Max Oliinyk, Chief Executive Officer, Protectimus Solutions LLP

Basic phishing examples 2017

Phishing is a kind of internet fraud based on social engineering principles. The main purpose of phishing scams is to gain access to critically important data (passport data, for example), accounts, banking details, secret company information, and so on, so that it can be used to steal funds at a later date. Phishing works by redirecting users to fake network resources that function as complete imitations of a real site.

Deceptive phishing examples

The majority of phishing attacks fall under this category. Attackers send out emails pretending to be from a real company in order to obtain users' account data and thus gain control over their personal or official accounts. You could receive a phishing email claiming to be from a payment processor, a bank, a courier service, an online store, a social network, a revenue service, and so on. Phishing emails are crafted very carefully. They can be practically indistinguishable from the emails a user would normally receive from the company. The only difference may be a request to follow a link in order to perform some kind of action. That link, however, leads to the scammers' site, which acts as a doppelgänger of the entity's real website. To get you to click on these links, the emails may dangle a proverbial carrot in front of you: "Take 70% off our services if you sign up within 24 hours!" They may also try to scare you: "Your account has been locked due to suspicious activity. To confirm that you are the account owner, click on the link."

Here's a list of some of the scammers' favorite phishing examples:

"Your account has been/is going to be locked/disabled." Scare tactics can be quite effective. The threat of having your account locked if you don't immediately log in can cause users to let their guard down, follow the link in the email, and enter their username and password.

"Suspicious/fraudulent activity has been detected on your account. You must update your security settings." These emails urgently ask you to log into your account and update your security settings. They work on the same principle as the previous attack: the user panics and lets their guard down.

"You have received an...

How to Program Protectimus Slim NFC Token

Posted at 18:51 in Setup Guides

If you have an NFC-enabled smartphone running Android, download and run the Protectimus TOTP Burner app. Initiate the software token setup on the system where you require enhanced security.

Program the Protectimus Slim NFC OTP token:

1. Run the Protectimus TOTP Burner application and tap the button "Burn the seed".
2. Tap the button "Scan the QR code" and scan the QR code with the secret key shown in your account. You can also input the secret key manually, but we recommend the automatic method. If you enter the seed manually, set the required OTP password lifetime.
3. Activate the Protectimus Slim NFC OTP token and place it near your phone's NFC antenna.
4. While holding it near the NFC antenna, tap "Burn the seed" -> "Scan the QR code" -> "Continue", and wait for a message confirming that the 2FA token was programmed successfully....

How to Connect Protectimus Slim NFC to Dropbox

Posted at 19:53 in Setup Guides

How to enable Dropbox two-factor authentication with the hardware OTP token Protectimus Slim NFC.

Make sure that your Android smartphone supports NFC technology and download the Protectimus TOTP Burner application.

Log in to your Dropbox account and initiate the enrollment of the software token:

1. Go to the "Settings" section through the navigation menu.
2. Choose the "Security" section.
3. Enable two-step verification by turning on the toggle.
4. Read the important information regarding two-factor authentication before getting started and click the "Get started" button.
5. Choose the "Use a mobile app" option and click "Next".
6. You will see the QR code with the secret key (seed). Use it to program the Protectimus Slim NFC token.

Program the Protectimus Slim NFC token by scanning the QR code. Learn how to program the Protectimus Slim NFC token here.

To finish the token enrollment, click the button "Next".

Enter the one-time password from the Protectimus Slim NFC token in the...

How to Add Protectimus Slim NFC to Kickstarter

Posted at 19:14 in Setup Guides

How to enable Kickstarter two-factor authentication with the programmable hardware OTP token Protectimus Slim NFC.

Make sure that your Android smartphone supports NFC technology and download the Protectimus TOTP Burner application.

Log in to your Kickstarter account and initiate the enrollment of the software token:

1. Go to the "Account" section in the navigation menu.
2. Turn on two-factor authentication.
3. Read the important information regarding two-factor authentication before getting started.
4. Choose "Generate codes with a mobile app" and click "Continue".
5. You will see the QR code with the secret key (seed). Use it to program the Protectimus Slim NFC token.

Program the Protectimus Slim NFC token by scanning the QR code. Learn how to program the Protectimus Slim NFC token here.

To finish the token enrollment, enter the one-time password from the Protectimus Slim NFC token in the field "Enter the verification code generated by the...

How to Add Protectimus Slim NFC to MailChimp

Posted at 17:50 in Setup Guides

How to enable MailChimp 2-factor authentication with the programmable hardware token Protectimus Slim NFC.

Make sure that your Android smartphone supports NFC technology and download the Protectimus TOTP Burner application.

Log in to your MailChimp account and initiate the enrollment of the software token:

1. Go to the "Account" section in the navigation menu.
2. Click "Settings" and choose the "Security" section from the settings list.
3. Enable two-factor authentication using an authenticator app.
4. You will see the QR code with the secret key (seed). Use it to program the Protectimus Slim NFC token.

Program the Protectimus Slim NFC token by scanning the QR code. Learn how to program the Protectimus Slim NFC token here.

Save the backup code in a secret place.

To finish the token enrollment, enter the one-time password from the Protectimus Slim NFC token in the field "Authentication...

How to Connect Protectimus Slim NFC to Facebook

Posted at 17:18 in Setup Guides

How to enable Facebook two-factor authentication with the Protectimus Slim NFC hardware OTP token.

Make sure that your Android smartphone supports NFC and download the Protectimus TOTP Burner application.

Log in to your Facebook account and initiate the enrollment of the software token:

1. Go to the Facebook Settings.
2. Choose the "Security and Login" section.
3. Choose "Use two-factor authentication".
4. In the "Code generator" section, click the "third party app" button.
5. You'll see the QR code with the secret key (seed).

Program the Protectimus Slim NFC token by scanning the QR code. Learn how to program the Protectimus Slim NFC token here.

Enter the one-time password generated with the help of the Protectimus Slim NFC token in the field "Security code".

Enjoy reliable and convenient protection for your Facebook account — make hackers' lives...
