Firefox 60 world’s first browser to go for password-free logins

Mozilla has released its new browser, Firefox 60, which supports password-free logins to websites using the Web Authentication API.

The browser comes with Web Authentication, or WebAuthn, enabled by default. With the WebAuthn API, users will be able to log into websites with authenticators such as a YubiKey, a fingerprint reader or the facial-recognition feature of a smartphone, rather than with passwords.

For now, WebAuthn supports security keys such as those from Yubico, but in future it will also support mobile authentication using notifications from supporting websites.

“This resolves significant security problems related to phishing, data breaches, and attacks against SMS texts or other second-factor authentication methods while at the same time significantly increasing ease of use (since users don't have to manage dozens of increasingly complicated passwords),” Mozilla wrote.

Some are saying that this will replace passwords entirely, but for now it is being used as an extra layer of protection for users. Along the same lines, Dropbox this week introduced WebAuthn login support as well.

“Your credentials could be stored on a device like your phone, laptop, or security key, and services could use WebAuthn to sign in to your account after you scan your fingerprint or input a PIN on the device,” wrote Dropbox programmer Brad Girardeau in a blogpost. “There are still many security and usability factors to consider in these scenarios before replacing passwords entirely, and we believe that enabling WebAuthn for two-step verification strikes the right balance for most users right now.”

WebAuthn is also expected to be seen in Chrome 67 and Microsoft Edge.

Less Than 10% of Gmail Users Enable Two-Factor Authentication

At the Usenix Enigma 2018 security conference this week, a Google software engineer revealed that only about 10% of Gmail users actually have Two-Factor Authentication enabled.

He further said that even within this 10%, users have had trouble figuring out how SMS authentication codes work.

Two-Factor Authentication, or 2FA, is an additional layer of security that prompts users to enter an additional piece of information before they are allowed to log in, usually a code sent via SMS or generated by an app like Google Authenticator.

Asked why Google doesn't make 2FA the default, Grzegorz Milka, the above-mentioned software engineer, answered, "It's about how many people would we drive out if we force them to use additional security," saying that it comes down to "usability."

According to research, people don’t use two-factor authentication because they don’t trust it and fear that their privacy will be compromised.

Experts agree that these fears are not entirely baseless, as SMS authentication carries a risk of interception by attackers who spoof phone numbers. However, things have become safer since Google rolled out "Google Prompt," which offers built-in verification in Google Play services on Android and in the Google app on iOS.

The company also launched a new service called the "Advanced Protection Plan" for high-profile accounts, which lets them use hardware-based USB 2FA security keys instead.

Soft Tokens: Low-cost, mass-market 2-factor authentication for e-banking, e-commerce and e-governance

Many banks in India use SMS OTP systems for customer authentication. However, a recent incident of fraud at a bank showed that the SMS OTP token was not fully effective. In this incident, hackers modified the customer's mobile number in the bank's database, so that the OTP was redirected to a number they controlled.

Leaving aside the problems caused by the misdirected creativity of black-hat hackers, most bank officials also privately complain about the high cost of the SMS method of authentication. Beyond the bank's costs, the customer also incurs monthly SMS charges.

Some time ago, in a customized Zeus MITM malware attack, a researcher showed how such customized malware could easily intercept communication between a net banking portal and a customer's desktop.

The demo clearly showed money ending up in a hacker's account after a customer completed a transaction. This vulnerability was exposed in an MNC bank's Indian operation. Checking further, the researcher discovered that the same vulnerability could be exploited in other banks' net banking systems as well.

It is widely accepted that the only real security is offered by the use of a hardware token. Such a token generates time-based token numbers on the customer side, and the net banking, e-commerce or payment wallet service can verify the token on the server side. However, while effective, the hardware token method is accompanied by significant costs.

An elegant solution to the cost conundrum is to use the ubiquitous mobile phone as a soft-token dispenser, and do away entirely with the costs and hassles of a separate hardware token.
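The passages above describe the soft-token model only in outline: the customer's phone derives a short code from a shared secret and the current time, and the bank's server recomputes the same code and compares it. The following is an added example, not code from this article or from CSPF's own 2FA system; it implements that model as standard TOTP (RFC 6238, HMAC-SHA1 over a 30-second time step) using only the Python standard library. The bank-side verifier also does two things a practitioner would want: it tolerates one step of clock drift between the phone and the server, and it remembers the last accepted time step per customer so that a code captured in transit (the Zeus MITM scenario above) cannot be replayed within its validity window. The secret, customer id and timestamps are constructed for illustration; the 20-byte secret is the RFC 6238 test-vector secret, not a real key.

```python
"""Soft-token (TOTP) generation on the customer side and verification on the
bank side. Added example following RFC 6238 / RFC 4226; the secret, customer
id and timestamps used here are constructed for illustration only."""
import base64
import hashlib
import hmac
import struct
import time

TIME_STEP = 30      # seconds per code (RFC 6238 default)
DIGITS = 6          # length of the code the customer types in
DRIFT_WINDOW = 1    # accept codes from +/- one step to tolerate phone clock drift


def totp_code(secret: bytes, unix_time: float, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """Code for the time step containing unix_time (phone-side computation)."""
    counter = int(unix_time) // step
    msg = struct.pack(">Q", counter)                         # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                               # RFC 4226 dynamic truncation
    code_int = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code_int % (10 ** digits)).zfill(digits)


class SoftTokenServer:
    """Bank-side verifier. Holds each customer's shared secret and the last
    time step for which a code was accepted, so a captured code cannot be
    replayed even while it would otherwise still be valid."""

    def __init__(self) -> None:
        self._secrets: dict = {}
        self._last_step: dict = {}

    def enrol(self, customer_id: str, secret: bytes) -> str:
        """Store the secret; return the base32 form that would be provisioned
        into the phone app (e.g. via a QR code) at enrolment time."""
        self._secrets[customer_id] = secret
        self._last_step[customer_id] = -1
        return base64.b32encode(secret).decode()

    def verify(self, customer_id: str, submitted: str, now: float) -> bool:
        """Accept the code if it matches any step in the drift window that is
        newer than the last accepted step for this customer."""
        secret = self._secrets.get(customer_id)
        if secret is None:
            return False
        # Reject malformed input before the constant-time compare (which needs ASCII).
        if not (submitted.isascii() and submitted.isdigit() and len(submitted) == DIGITS):
            return False
        current_step = int(now) // TIME_STEP
        for delta in range(-DRIFT_WINDOW, DRIFT_WINDOW + 1):
            step = current_step + delta
            if step <= self._last_step[customer_id]:
                continue                      # already used or older: replay protection
            expected = totp_code(secret, step * TIME_STEP)
            if hmac.compare_digest(expected, submitted):
                self._last_step[customer_id] = step
                return True
        return False


if __name__ == "__main__":
    # Constructed demo: enrol one customer and verify a freshly generated code.
    server = SoftTokenServer()
    demo_secret = b"12345678901234567890"      # RFC 6238 test-vector secret, not a real key
    print("provisioned:", server.enrol("cust-001", demo_secret))
    now = time.time()
    code = totp_code(demo_secret, now)          # what the phone app would display
    print("code:", code, "accepted:", server.verify("cust-001", code, now))
    print("replayed:", server.verify("cust-001", code, now))   # same code again -> False
```

The per-customer `_last_step` record is what distinguishes this verifier from a bare "does the code match" check: a code intercepted and forwarded by malware is only useful if it arrives before the legitimate login, and the drift window is deliberately kept small because every extra step doubles the number of codes an attacker could guess.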

But the soft-token model is only being offered by a few major MNC security technology firms, and it comes with MNC pricing and price structures that banks find uncomfortable. These vendors insist on levying a fee on the bank on a per-customer basis, and the sum adds up to a significant amount when a bank or an enterprise deals with many millions of customers.

One possible solution for a bank or other enterprise is to implement a 2-factor soft-token authentication program by developing its own system, which could be done with a 6-month R&D effort. It took us, the Cyber Security and Privacy Foundation (CSPF), less than 3 months of R&D to develop a 2FA system that can be implemented in banks and other enterprises and institutions.

Our research suggests that it can be both practical and economical to implement net banking with soft tokens given to all customers and thus prevent a lot of frauds.

The authentication server can be placed on a bank's premises, and the soft tokens can be integrated with net banking. On an indicative basis, we envisage a first-year license fee of US $50,000 for up to 100,000 customers (roughly half a dollar per customer for the first year).

We further envisage an annual recurring license fee of US $10,000 per 100,000 customers from Year 2 onwards. The price per customer could be reduced further, to just 25 cents, for a 500,000-user base.

Convenience, cost, comfort and security all suggest that it is now time to look beyond the SMS OTP and the hardware token and adopt an in-sourced soft-token 2-factor authentication model. Banks, e-commerce players and wallet providers should all seriously evaluate this option.

Twitter finally introduces Two-step authentication to prevent account hacks

Here we go: Twitter has finally introduced the most anticipated security feature, "two-step authentication", which prevents hackers from getting access to your Twitter account.

The recent cyberattacks by the Syrian Electronic Army (SEA) forced Twitter to enable the 2-step verification feature.

The SEA is the Syrian hacker group that recently hijacked high-profile Twitter accounts, including those of the Guardian, the Telegraph, the FT, the AP and more, via social engineering attacks (phishing).

As I said once before, the only feature that can stop the Syrian Electronic Army is 2-step verification:

Thank you, Twitter, for enabling this feature.

What exactly is 2-step authentication?
Though I have already explained this in my previous articles, I would like to explain it one more time here.

"2-step authentication is a security feature that prompts you to enter a temporary password sent to your phone whenever you log into your account."

So how do you enable this security feature?

  • Go to page
  • Scroll to the bottom of the page, where you will find the "Account security" option.
  • Select the option and follow the instructions.