This is a question I posted on stackoverflow.
We are creating an android application which requires multiple ways to secure authentications.
- username/password authentication
- sms 2nd factor authentication
- local passcode
My attempt is to use only local passcode to achieve all 3 functions.
My draft solution:
During first time use, the user is required to setup his default username/password as well as passcode.
- the username/password is encrypted using a key generated by passcode and the cipher text is stored on device
- create a hash of the passcode and store the hash on device
- generate an device id and send it to the authentication server
next time when user login, user will be only prompted for passcode. The passcode is used to re-generated the encryption key, thus decrypt the username/password. The username/password will log user in. At the meantime, the client will send the deviceID to server to check the user-device association (this acts as 2nd factor authentication).
the user session will be timeout if it's inactive for 1 hour. anything non-encrypted will be deleted. after user session timeout, he must key in passcode again.
So my question is, during this process is it appropriate to replace 2 factor authentication with just deviceID comparison?
I am aware of that 2 factor should identify something user has. Sending SMS is to identify the device is the one registered at server. So using a deviceID should function the same. I am not very sure how secure is this?
I ask this question because I feel it's stupid to authenticate 3 times in different ways. We have this requirement because the apps hosted within our app store has these requirements. We just try to do it for them so they don't need to do it again.
However, in my opinion, it can be simplified in to just one passcode authentication.
I have no doubt on the username/password encryption part. It's secure and resonable.
It's just the 2FA, which I am not sure whether is industry standard. It appears to me as an extra step for mobile devices. The purpose of 2FA is to prove the ownership of the device of the user. Appearently, this can be easily done without SMS.
Since the folks on stackoverflow rejected my question again. I have to try my own luck and google around. Luckily I found this white paper created by a swiss university post-grad. The paper proposes an equivalent 2FA method on mobile devices which is more user-friendly. As an analysis, it also compares other possible ways of 2FA which include authenticating using just device ID. Though the device ID authentication is the most error-prone, but from the analysis I know it can easily be improved.
So my idea is actually feasible.