Some people say “Many who do use two-factor authentication rely on an SMS version of it, where a PIN code is texted to their phones. But it's not as safe as using a physical security key for two-factor authentication, because text messages can still be intercepted” (*1).
Physical tokens would be fine if we had no more than a couple of accounts. But what can we do when we have dozens of accounts to protect with two-factor authentication? Carry around dozens of physical tokens, or reuse the same token for all the accounts?
We propose a third scenario, using a mobile phone but not SMS: Onetime Mnemonic Guard, outlined here, which is an extended application of Expanded Password System (*2).
*1 https://www.cnet.com/news/why-more-people-dont-use-simple-two-factor-authentication/?ftag=CAD2e9d5b9&bhid=24953034523773280878026946514381#
*2 https://www.informationsecuritybuzz.com/articles/identity-assurance-by-our-own-volition-and-memory/
2-Channel Authentication with No Physical Tokens and No SMS
Characters are randomly superimposed on each picture displayed on a mobile phone
What the onetime password systems hitherto available on the market protect against theft is the device identification data.
2-track 2-device Mnemonic Guard enables the user to produce disposable personal verification data, say, a real onetime password.
● Only a browser is needed for both a mobile phone and a PC
The onetime password fed on a PC reflects the user's memory = real personal identity
PassSymbols are represented by different characters every time
Sample input screen: "Input verification symbols. Select Pass-symbols from below and input them." (buttons: Input, Reset, Return; option: "Check when using a keyboard")
AB 1Z H7 OS 4L QY
8P W2 SS IK U9 6J
FE 5X NT M1 R0 33
MJ KE C8 DD 72 PW
V6 KA AT TU N6 7E
KJ 80 SS SM TO R5
Onetime MnemonicGuard
<Product Description>
Two-factor onetime-password authentication by which the onetime-passwords are
reproduced from autobiographical pictorial memories.
<Product features and benefits>
Features
The user recognizes textual data which are randomly allocated to a matrix of pictures
that are sent from the authentication server to the user’s mobile-phone. The pictures
registered as the password (PassSymbols) are preferably associated with the user’s
episodic (autobiographical) memories, while the others (decoy pictures) are not, although
they look similar to other people.
The onetime textual data fed to the authentication server by the user through the other
communications channel proves both that the user’s mobile-phone is genuine and that
the user’s memory is genuine.
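The exchange described above can be sketched from the server's side. This is an added example, not the product's own code, and it assumes two-character labels that are unique within a grid, a response made of the registered pictures' labels typed in registered order, and a challenge that is accepted at most once; all names (`Challenge`, `read_labels`, the picture ids) are hypothetical.

```python
import hmac
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits
_rng = secrets.SystemRandom()


class Challenge:
    """One login attempt: a shuffled picture grid with fresh random labels."""

    def __init__(self, picture_ids, pass_ids):
        labels = set()
        while len(labels) < len(picture_ids):      # unique 2-character labels
            labels.add(secrets.choice(ALPHABET) + secrets.choice(ALPHABET))
        labels = list(labels)
        _rng.shuffle(labels)
        order = list(picture_ids)
        _rng.shuffle(order)                        # positions change every time too
        self.grid = list(zip(order, labels))       # sent to the phone's browser
        label_of = dict(self.grid)
        # Server-side only: labels of the registered pictures, in registered order.
        self._expected = "".join(label_of[p] for p in pass_ids)
        self._used = False

    def verify(self, typed):
        """Check the text typed on the PC; a challenge is accepted at most once."""
        if self._used:
            return False
        self._used = True
        return hmac.compare_digest(typed.strip().upper().encode(),
                                   self._expected.encode())


def read_labels(grid, remembered):
    """What the user does: find the remembered pictures and read their labels."""
    label_of = dict(grid)
    return "".join(label_of[p] for p in remembered)


# Constructed sample data: 36 pictures, 4 of them registered as PassSymbols.
PICTURES = [f"pic{i:02d}" for i in range(36)]
PASS_IDS = ["pic07", "pic21", "pic02", "pic30"]

if __name__ == "__main__":
    ch = Challenge(PICTURES, PASS_IDS)
    otp = read_labels(ch.grid, PASS_IDS)
    print(otp, ch.verify(otp), ch.verify(otp))     # second use is rejected
```

Only the grid travels to the phone and only the typed labels travel from the PC; the mapping from registered pictures to labels never leaves the server, so a captured response is useless against the next challenge.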
Benefits
No need to install any application on either the mobile-phone or PC/tablet.
(Many of the other two-factor onetime-password systems require applications to be
installed on the mobile-phone.)
The user’s burden is just to recognize several pictures long-remembered.
(With the other 2F OTP systems, users are required to remember and recall a
difficult-to-remember password as one of the two factors.)
No conventional password is used that could be abused if stolen.
(With the other 2F OTP systems, the conventional password used as one of the two
factors could be abused if stolen.)
One mobile-phone copes with ever increasing numbers of accounts.
(With some of the other 2F OTP systems, users would have to carry ever more
hardware tokens as the numbers of accounts increase.)
A new mobile-phone can be used right away for all accounts.
(With many of the other 2F OTP systems, users would have to install the applications
on a new mobile-phone or wait for the arrival of hardware tokens for all the accounts.)
THE UPSHOT IS THE EXCELLENT SECURITY, AVAILABILITY AND
COST-EFFECTIVENESS THANKS TO THE ABOVE BENEFITS.