Setting up two-factor authentication in Yandex

Yandex launched an application that allows you not to remember complex passwords, and joined the race for security


Yandex has launched a two-factor authentication mechanism and a new Yandex.Key application that generates an access code for a Yandex account on a mobile device. This removes the need to remember a complicated password for the sake of security. TJ was informed about this by representatives of the company.

Updated: two hours after the announcement from Yandex, Mail.Ru Group reported introducing two-factor authentication as well.

"Yandex.Key" allows you not to remember complex passwords

In order to use Yandex.Key, you still have to come up with and remember a four-digit PIN code. Temporary passwords that will be used to log into your Yandex account will be sent to your mobile device and will be valid for 30 seconds.

However, you can log in without entering a one-time password. QR codes appeared in the authorization form on Yandex: they can be read using a smartphone camera through Yandex.Key. Users of Apple mobile devices do not need to remember their PIN code: for them, access to the application is possible through a fingerprint read using the Touch ID sensor.

The two authentication factors in this case are the PIN code (or fingerprint), which only the user knows, and the link between the Yandex account and the mobile device running Yandex.Key, which is stored on the company's servers. One-time codes are generated from both the PIN and the "secret" held on Yandex servers. The company also explained that the authentication procedure is one-step: login requires only one action (entering a one-time code or scanning a QR code).

Need more security

This is not the first appearance of two-factor authentication in Yandex. Prior to that, it was used in Yandex.Money and in the company's internal services, Yandex told TJ.

Representatives of the company say that their two-factor authentication procedure is more reliable, because temporary passwords are made up of letters rather than digits, as is the case with competitors. In addition, the user does not need to enter a login and password first: he is authorized using only the login and either a QR code or a temporary password.

Usually, with two-factor authentication, the user is asked to log into the account using their username and password, and then confirm their identity - say, using SMS. It's even easier for us. It is enough to enable two-factor authentication in the "Passport" and install the Yandex.Key application. QR codes appeared in the authorization form on the main page of Yandex, in Mail and Passport. To enter the account, the user needs to read the QR code through the application - and that's it.

Vladimir Ivanov, Deputy Head of the Yandex Operations Department

If the user simultaneously forgets his PIN and loses access to the SIM card linked to the account, he will still have the opportunity to restore his account. To do this, he will have to go through a standard procedure: fill out a questionnaire and talk with the support service, Yandex explained.

Users who have two-factor authentication enabled are usually more careful about such things - for example, they indicate their real first and last name, by which access can be restored using an identity document. And from the Yandex.Key application, you can open a special access recovery form - in case the smartphone was stolen in order to gain access, there is a secret level of protection.

press service of "Yandex"

The two-factor authentication procedure has been launched as a beta version. The company said that it is covered by its bug bounty program: a cash reward is paid for finding vulnerabilities, and judging by the announcement it ranges from 5.5 to 170 thousand rubles.

Mass "murder" of passwords

Users don't want to remember complex passwords and generally don't use two-factor authentication, considering it too complicated. Statistics show that the most popular passwords of 2014 are still "123456", "password" and "qwerty".

Yandex decided to use QR codes and Touch ID after analyzing various studies that showed that from 0.02% to 1% of the audience of various services use the standard two-factor authentication procedure.

Yandex is not the first company to join the race to improve user security while freeing users from remembering complex passwords. In October, Twitter launched a platform similar to Yandex.Key called Digits, positioning it as a "password killer".

With the help of Digits, users will be able to log in to several services at once: at the start, Twitter announced a partnership with the FitStar fitness tracker, the Resy restaurant reservation service, and the OneFootball app for sports fans. The Digits platform is also integrated into the new Twitter Fabric Developer Suite.

Yandex told TJ that they are going to open up the ability to log in to other applications using Yandex.Key; this feature is planned for the next updates of the program.

Like most services, Digits uses a mobile phone for registration and verification, sending a code via SMS or through a contact inside the messenger. This method is used, for example, in WhatsApp and Telegram messengers.

The Facebook mobile application has long had its own Code Generator feature, which allows you to log in using temporary codes. With Google, you can enable two-factor authentication for your account and use the Google Authenticator app, which grants access by QR code or by entering a security code. After the scandal over the leak of celebrities' personal photos, Apple also strengthened the security of iCloud users.

Similar functionality to Google's appeared in June in VKontakte as well; however, the social network said that such security measures are unnecessary for most users. There is no two-step authentication in the Mail.Ru mail service.

Updated at 15:34: A few hours after the announcement from Yandex, the Mail.Ru portal launched two-factor authentication for Mail, Cloud, Calendar, Game Center and other projects, company representatives told TJ. To enter, the user needs to use his password and the code received via SMS to his mobile phone.

The company emphasized that closed beta testing of two-factor authentication began at the end of December with the support of the Habrahabr community.

Internet services can increase the level of security indefinitely, however, the "weak link" is often the safety of the user's password. If the second protection factor is enabled, then in order to enter the account, the attacker will have to take possession of not only the password, but also the victim’s mobile phone, which is much more difficult.

We have been asked to implement this feature mainly by advanced users, but I really hope that it will become popular with a wider audience.

Anna Artamonova, Vice President of Mail.Ru Group

Yandex launched a two-factor authorization system and released the Yandex.Key application for logging into an account without having to remember and enter a complex password. The app is already available on Android and iOS and can be secured with a fingerprint scanner on newer iPhone models.

There are several ways to log in to your account through Yandex.Key, but first you need to go to the settings page yandex.ru/promo/2fa and enable two-factor authentication.

Confirm your phone number with the code received via SMS.

Install the Yandex.Key application on your smartphone or tablet.

Launch the application and scan the QR code on the Yandex website. If the mobile device does not have a camera, click "Show secret key" and enter the displayed characters in the application.

Think of a PIN and enter it on the website or app.

Enter the one-time password generated by the application on the site. This password is only valid for 30 seconds and then a new one appears. At the end of the setup, you will need to enter the permanent password for the account again.

These steps only need to be performed once. After activating two-factor authorization, you will need to re-authorize in Yandex sites on all devices. You can create separate passwords to access applications.

Now a button with a QR code icon will appear on the Yandex account login page.

I will show you how to set up two-factor authentication in Yandex. This will help you secure your Yandex account against hacking.

Go to password management at passport.yandex.ru/profile/access. Here you can change your password or enable additional protection for your account - two-factor authentication. Click on the slider for Two-Factor Authentication to enable it.

Two-factor authentication is connected in several steps. You will need to open Yandex.Passport and the Yandex.Key mobile app in parallel. After completing the setup, you need to log in again on all devices.

Click start setup.

Here is your phone number to which the codes for setup will be sent. Here you can also change the phone number associated with your Yandex account.

Setting up two-factor authentication. Step 1 of 5.

Verify your phone number. This is your main number on Yandex. You will need it if you lose access to your account. Click get code.

An SMS code from Yandex will be sent to your number.

Enter the SMS code from Yandex here and click confirm.

Setting up two-factor authentication. Step 2 of 5.

Download the Yandex.Key app. Now we go to the AppStore on your iPhone or iPad or the Play Store on your Android smartphone or tablet and look for the Yandex.Key app. Or click to get a link to the phone.

The App Store or Play Market will open, click download to download the Yandex.Key app and install it on your smartphone or tablet.

If you need to enter your Apple ID password, then enter your Apple ID password.

After 30 seconds, the application will be downloaded to your smartphone, launch it by clicking on it.

Setting up two-factor authentication. Step 3 of 5.

Point your phone's camera at the QR code and your account will be added to the app automatically. If reading the code fails, try again or enter the secret key.

Let's go back to the smartphone.

The Yandex.Key application creates one-time passwords for logging in to Yandex. If you have already started setting up two-factor authentication on your computer, click the "add an account to the application" button.

Click to add an account to the application.

The "Key" program requests access to the "camera". Click Allow to give the app access to the camera on your smartphone to scan the QR code from the computer monitor screen.

Point the camera at the QR code displayed on your computer monitor and wait for the account to be added or add it manually.

Ready. QR code scanned. The Yandex.Key application is ready to go.

Now let's move on to the computer monitor.

Click on Create PIN.

A PIN code is needed each time you obtain a one-time password in Yandex.Key, as well as to restore access to your account. Keep your PIN private: Yandex service employees never ask for it.

We come up with a four-digit pin code and click continue.

Setting up two-factor authentication. Step 4 of 5.

PIN code verification. Be sure to remember the pin code. Once the setting is completed, it cannot be changed. If you enter the wrong pin code in the application, then it will generate incorrect one-time passwords.

Enter the PIN code you created earlier and click Verify.

We return to the smartphone and the Yandex.Key application. Enter your PIN to receive a one-time password.

After entering the PIN code, you will receive a one-time password that is valid for 20 seconds; during these 20 seconds you must enter it on the computer in the two-factor authentication setup. If you do not manage to enter the password within 20 seconds, it is replaced by a new one, and so on. Enter the password displayed on the screen of your smartphone.

Last step. Enter the password from Yandex.Key.

Use the pin code to get a one-time password in the app. Make sure you remember the pin code, after the setup is completed you will not be able to change it.

What will change after enabling two-factor authentication:

  • The old password will no longer work.
  • You will need to log in to Yandex again on all devices (web services and mobile apps).
  • It will be possible to access Yandex web services using a QR code without entering a password. If you can't read the code, use the one-time password from Yandex.Key.
  • You will access Yandex mobile applications using a one-time password. It can be copied from Yandex.Key by long pressing.
  • For other programs associated with your account (for example, email clients or mail collectors), obtain application passwords in Passport.

Enter the one-time password that is displayed on the screen of your smartphone and click complete setup.

Now, after entering the one-time password, you must enter the old account password. Yandex needs to make sure that it is the owner of the account who makes such a major change in security settings.

Enter the old password from Yandex account and click OK.

Ready. Two-factor authentication completed. You have protected your account with one-time passwords. Now you need to log in to Yandex again on all devices. If you use e-mail programs, for example, don't forget to get application passwords for them.

Click close.

Now, if you use your Yandex account mailbox on your smartphone, you need to create a password for it.

Select application type > Mail program.

And choose the operating system of your mail program. I use an iPhone, so I choose iOS.

And click create password to create a password for the email program on your smartphone.

Your iOS mailer password has been generated.

How to use password:

  • To give the application access to your data, specify this password in its settings.
  • You do not need to remember the password: you will only need it once. When changing your password on Yandex, you will need to obtain a new application password.
  • The application password is shown only once. If you close the page and don't have time to use it, just get a new one.

We enter the password that is displayed on your computer monitor into the Yandex mail mobile application on your smartphone.

Ready. Yandex two-factor authentication works, you can live on.

Now, if you log out of your Yandex account and enter your username and old password again, you will see the message:

Wrong login-password pair! Failed to login. You may have a different keyboard layout selected or the Caps Lock key pressed. If you are using two-factor authentication, make sure that you are entering a one-time password from the Yandex.Key application instead of the usual one. Try to log in again.

Now you need to open the Yandex.Key application, enter your pin code and point your smartphone camera at the QR code. You will automatically log into your Yandex account after the smartphone reads the QR code from the monitor screen.


Hello dear friends. Today I will tell you how to set up two-factor authentication for your Yandex account and set a password for Yandex.Disk. This will protect the main account and improve the security of individual Yandex applications.

Protecting personal data is the biggest problem on the Internet. Users often neglect security rules. They create simple and identical passwords for different Internet resources, store them in electronic boxes, passwords from which are also used on other resources. These are just a few of the common mistakes.

If an attacker gains access to one of the accounts, the user's other resources will also be at risk. And if we take into account that malware can record passwords typed on the keyboard, the situation looks even sadder. That is why every Internet user must follow elementary security rules:

- Create complex passwords.

- Do not use the same passwords for different Internet resources.

- Change passwords regularly.

And also use additional methods of protection. One of these methods is two-factor authentication of a Yandex account.

How does two-factor authentication work?

As you know, access to a restricted area, such as email, the site's admin panel, social network accounts, requires a username and password. But, this is only one level of protection. In order to enhance protection, many services introduce additional authentication methods, such as sms confirmation, usb keys, mobile applications.

I already told you about this earlier: there, in addition to the login and password, a mobile application generates a security code. Yandex two-factor authentication works in much the same way.

That is, an additional level of protection is the Yandex.Key mobile application, which cancels the old Yandex account password and generates a new, one-time password every 30 seconds.

With this level of protection, access to the account is possible only with a one-time password or a QR code.

It's just enough to make certain settings and in the future you point your smartphone's camera at the QR code and get access to your Yandex account.

And if you can't use your smartphone's camera or you don't have access to the Internet, you can always use the one-time password that is generated in the mobile application even without the Internet.

The security of the Yandex.Key mobile application itself is ensured by the PIN code that you create when you connect your account to the application.

Well, if you have an Apple smartphone or tablet, you can use Touch ID instead of a pin code.

Thus, access to your data will be more securely closed.

Setting up two-factor authentication.

To get started, on the Yandex main page, log into your account in the traditional way. Then click on your account name (mailbox name) and select "Passport".

On the newly opened page, click on the graphic switch, opposite "Two Factor Authentication", and then on the button "Start setup".

The setup procedure itself consists of 4 steps that will need to be completed on a computer and mobile device.

Step 1: Verify your phone number.

If you previously linked a phone number to your Yandex account, you can immediately receive a confirmation code. If not, then enter the phone number and press the button "To get the code".

The code will be sent to the specified number. You need to enter it in a special field and click the button "Confirm".

Step 2. Pin code for the mobile application.

At this step, you need to come up with and enter a pin code for the mobile application twice. It is this code that will open access to the application on a smartphone or tablet.

Enter the code and click on the button "Create".

Step 3. Installing the Yandex.Key mobile application and adding an account.

So, from your smartphone or tablet, you go to Google Play (for Android) and the App Store (for apple gadgets). Next, download and install the Yandex.Key app.

Open the app and click on the button "Add Account to App".

Adding an account to the Yandex.Key mobile app

After that, you will need to point the camera of the mobile device at the monitor screen, where a QR code is displayed at that moment. Point the camera at this code.

So, go back to the computer, and click on the button "Next step".

Step 4. Entering the password for the Yandex.Key mobile application.

After waiting for a new key update in the mobile application, enter it on the computer and press the button "Turn on".

After that, you will need to enter the old password for your Yandex account and click the button "Confirm".

Completing the two-factor authentication connection

Everything is ready. You've secured your account with two-factor authentication. Now you need to re-login to your account on all devices using a one-time password or a QR code.

How to log in to your account using Yandex.Key.

Everything is extremely simple. On the main page of Yandex, in the login and registration panel, click on the ellipsis icon (...), and select Ya.Klyuch in the menu.

Or, you can use the traditional login method, using a login (mailbox address) and a password (the one-time password from the Yandex.Key mobile application).

How to set a password for Yandex.Disk.

By enabling two-factor authentication, you can create separate passwords for third-party applications that connect to your account. This mechanism turns on automatically after connection.

This way you will use a password that is only suitable for the drive.

By using different passwords for applications, you strengthen the protection of your data.

To create a password, you need to go to the access control page, select an application, enter a name and click the button "Create a password".

The password will be generated automatically and displayed only once. Therefore, copy this password to a safe place. Otherwise, this password will need to be deleted and a new one created.

Now, when you connect Yandex.Disk via the WebDAV protocol, you will use this password.

Note: App passwords should be used even if you disable two-factor authentication. This will protect you from revealing the main password to your Yandex account.

How to disable two-factor authentication.

In order to disable two-factor authentication, you need to go to the access control page and click the switch (On / Off).

Then enter a one-time password from the Yandex.Key mobile application and press the button "Confirm".

Creating a new password for Yandex account

Now you will use your username and password to log into your account, as you did before.

Important: when authentication is disabled, passwords created for applications are reset. They must be recreated.

And now I propose to watch the video tutorial, where I clearly show the whole procedure.

That's all for today, friends. If you have any questions, I will be happy to answer them in the comments.

I wish you success, see you in new video tutorials and articles.

Sincerely, Maxim Zaitsev.

A rare post on the Yandex blog, especially one related to security, goes by without mentioning authentication. We thought for a long time about how to properly strengthen the protection of user accounts, and to do it so that people could use it without all the inconveniences of today's most common implementations. And, alas, they are inconvenient. According to some reports, on many large sites the proportion of users who have enabled additional authentication tools does not exceed 0.1%.

This seems to be because the common two-factor authentication scheme is too complicated and inconvenient. We tried to come up with a method that would be more convenient without lowering the level of protection, and today we present its beta version.

We hope it gets more widespread. For our part, we are ready to work on its improvement and subsequent standardization.

After enabling two-factor authentication in Passport, you will need to install the Yandex.Key application from the App Store or Google Play. QR codes appeared in the authorization form on the main page of Yandex, in Mail and Passport. To enter the account, you need to read the QR code through the application, and that's it. If the QR code cannot be read, for example because the smartphone camera does not work or there is no Internet access, the application will create a one-time password that is valid for only 30 seconds.

I'll tell you why we decided not to use such "standard" mechanisms as RFC 6238 or RFC 4226. How do common two-factor authentication schemes work? They are two-stage. The first stage is the usual authentication with a username and password. If it succeeds, the site checks whether it "likes" this user session or not, and if it "does not like it", it asks the user to "re-authenticate". There are two common methods of re-authentication: sending an SMS to the phone number associated with the account, and generating a second password on the smartphone. Usually TOTP according to RFC 6238 is used to generate the second password. If the user enters the second password correctly, the session is considered fully authenticated; if not, the session also loses its "preliminary" authentication.

Both methods, sending an SMS and generating a password, are proof of possession of the phone and are therefore a possession factor. The password entered at the first stage is the knowledge factor. Therefore, this authentication scheme is not only two-stage, but also two-factor.

What did we find problematic in this scheme?

Let's start with the fact that the computer of an average user cannot always be called a model of security: disabled Windows updates, a pirated copy of an antivirus without current signatures, and software of dubious origin all fail to raise the level of protection. By our assessment, compromising a user's computer is the most widespread way of "hijacking" accounts (and it happened recently), and that is what we want to protect against first of all. In two-step authentication, if we assume that the user's computer is compromised, entering a password on it compromises the password itself, which is the first factor. This means the attacker only has to guess the second factor. In common RFC 6238 implementations, the second factor is 6 decimal digits (and the specification maximum is 8 digits). According to the brute-force calculator for OTP, an attacker who has somehow learned the first factor can guess the second one within three days. It is not clear what the service can counter this attack with without disrupting the normal user experience. The only possible proof of work is a captcha, which, in our opinion, is a last resort.

The second problem is the opacity of the service's judgment about the quality of the user session and its decision on whether "up-authentication" is needed. Even worse, the service has no interest in making this process transparent, because security by obscurity actually works here: if an attacker knows how the service decides on the legitimacy of a session, he can try to fake that data. From general considerations we can conclude that the judgment is made based on the user's authentication history, taking into account the IP address (and, derived from it, the autonomous system number that identifies the provider, and the location from a geo database) and browser data, such as the User-Agent header and a set of cookies, Flash LSO and HTML local storage. This means that if an attacker controls the user's computer, he can not only steal all the necessary data but also use the victim's IP address. Moreover, if the decision is made on the basis of the ASN, then any authentication from public Wi-Fi in a coffee shop can "poison" (in security terms) or "whitewash" (in service terms) that coffee shop's provider and, for example, whitewash all the coffee shops in the city. We talked about this work earlier, and it could be applied, but the time between the first and second stages of authentication may not be enough for a confident judgment about an anomaly. In addition, the same argument undermines the idea of "trusted" computers: an attacker can steal any information that affects the judgment of trust.

Finally, two-step verification is simply inconvenient: our usability studies show that nothing irritates users more than an intermediate screen, extra button presses, and other actions that are "unimportant" from their point of view.

Based on this, we decided that authentication should be one-step and that the password space should be much larger than what is possible under "pure" RFC 6238. At the same time, we wanted to keep the authentication two-factor as far as possible.

Multi-factor authentication is defined by assigning authentication elements (they are in fact called factors) to one of three categories:

1. Knowledge factors (traditional passwords, PIN codes and everything that looks like them);
2. Possession factors (in the OTP schemes in use this is usually a smartphone, but it can also be a hardware token);
3. Biometric factors (the fingerprint is the most common now, although someone will remember the episode with Wesley Snipes's character in the film Demolition Man).

Development of our system

When we started to deal with the problem of two-factor authentication (the first pages of the corporate wiki on this issue date back to 2012, but it was discussed behind the scenes before that), the first idea was to take standard authentication methods and apply them here. We understood that we could not count on millions of our users buying a hardware token, so this option was postponed for some exotic cases (although we do not completely abandon it; we may yet come up with something interesting). The SMS method could not be used at scale either: it is a very unreliable delivery method (at the most crucial moment an SMS may be delayed or not delivered at all), and sending SMS costs money (and operators have begun raising their prices). We decided that SMS is the lot of banks and other non-technology companies, and we want to offer our users something more convenient. In general, the choice was small: use a smartphone and a program on it as the second factor.

This form of one-step authentication is widespread: the user remembers a PIN code (first factor) and has a hardware or software (smartphone) token that generates an OTP (second factor). In the password entry field, he enters the PIN code and the current OTP value.

In our opinion, the main drawback of this scheme is the same as that of two-step authentication: if we assume that the user's desktop is compromised, then a single entry of the PIN code leads to its disclosure, and the attacker only has to guess the second factor.

We decided to go the other way: the password is generated entirely from the secret, but only part of the secret is stored on the smartphone, and the other part is entered by the user each time a password is generated. Thus, the smartphone itself is a possession factor, while the part of the secret that stays in the user's head is a knowledge factor.

The nonce can be either a counter or the current time. We chose the current time: this means we need not fear desynchronization if someone generates too many passwords and advances the counter.

So, we have a program for a smartphone into which the user enters his part of the secret; it is mixed with the stored part, and the result is used as the HMAC key, which signs the current time rounded to a 30-second interval. The HMAC output is rendered in readable form, and voila, here is the one-time password!

As already mentioned, RFC 4226 suggests truncating the HMAC result to at most 8 decimal digits. We decided that a password of this size is not suitable for one-step authentication and should be made larger. At the same time, we wanted to maintain ease of use (because, remember, we want a system that ordinary people will use, not just security geeks), so as a compromise the current version of the system truncates to 8 characters of the Latin alphabet. It seems that $26^8$ passwords valid for 30 seconds is quite acceptable, but if the security margin does not satisfy us (or valuable tips on improving this scheme appear on Habr), we will expand it, for example, to 10 characters.

Learn more about the strength of such passwords

Indeed, for case-insensitive Latin letters the number of options per character is 26; for upper- and lowercase Latin letters plus digits it is $26 + 26 + 10 = 62$. Then $\log_{62}(26^{10}) \approx 7.9$, i.e. a password of 10 random lowercase Latin letters is almost as strong as a password of 8 random characters drawn from upper- and lowercase letters and digits. This is definitely enough for 30 seconds. For an 8-character password of Latin letters, its strength is $\log_{62}(26^{8}) \approx 6.3$, that is, a little more than a 6-character password of upper- and lowercase letters and digits. We think this is still acceptable for a 30-second window.

    Magic, passwordlessness, applications and next steps

    In general, we could have stopped there, but we wanted to make the system even more convenient. When a person has a smartphone in hand, they do not want to type a password on the keyboard!

    Therefore, we began work on the "magic login". With this authentication method, the user launches the application on the smartphone, enters their PIN code into it, and scans the QR code shown on the computer screen. If the PIN code is correct, the page in the browser reloads and the user is authenticated. Magic!

    How does it work?

    The session number is embedded in the QR code, and when the application scans it, this number is sent to the server along with the username and a password generated in the usual way. This is not difficult, because the smartphone is almost always online. JavaScript on the page that shows the QR code polls the server, waiting for the result of the password check for this session. If the server reports that the password is correct, the response sets a session cookie and the user is considered authenticated.
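    The three-party exchange just described (browser shows a QR code with a session number, phone submits session number + username + one-time password, browser JavaScript polls until the server confirms), as an added example that is not the article's or Yandex's code. The article gives only the outline, so everything else is assumed: session numbers are random tokens, the pending login expires after QR_TTL_SECONDS, the one-time password is checked by a caller-supplied check_otp function (a stub in the demo), and the browser that displayed the QR code receives a separate poll_token so that only that browser can collect the resulting session cookie.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

QR_TTL_SECONDS = 60  # assumed lifetime of a displayed QR code


@dataclass
class PendingLogin:
    poll_token: str                     # known only to the browser that showed the QR
    created_at: float
    authenticated_user: Optional[str] = None
    session_cookie: Optional[str] = None


class MagicLoginServer:
    """In-memory model of the server side of the QR ('magic') login."""

    def __init__(self, check_otp: Callable[[str, str], bool],
                 clock: Callable[[], float] = time.time):
        self._check_otp = check_otp      # (username, otp) -> bool, supplied by caller
        self._clock = clock
        self._pending: Dict[str, PendingLogin] = {}

    def start_login(self) -> Tuple[str, str]:
        """Browser opens the login page. Returns (session_id, poll_token):
        session_id is the only thing encoded in the QR code; poll_token is set
        as a cookie in the browser and never shown on screen."""
        session_id = secrets.token_urlsafe(32)   # unguessable, single use
        poll_token = secrets.token_urlsafe(32)
        self._pending[session_id] = PendingLogin(poll_token, self._clock())
        return session_id, poll_token

    def _alive(self, session_id: str) -> Optional[PendingLogin]:
        """Return the pending record, dropping it if the QR code has expired."""
        pending = self._pending.get(session_id)
        if pending is None:
            return None
        if self._clock() - pending.created_at > QR_TTL_SECONDS:
            del self._pending[session_id]
            return None
        return pending

    def phone_submit(self, session_id: str, username: str, otp: str) -> bool:
        """Phone scanned the QR code: it posts the session number together with
        the username and the one-time password it generated as usual."""
        pending = self._alive(session_id)
        if pending is None or pending.authenticated_user is not None:
            return False                     # unknown, expired or already used
        if not self._check_otp(username, otp):
            return False
        pending.authenticated_user = username
        pending.session_cookie = secrets.token_urlsafe(32)
        return True

    def browser_poll(self, session_id: str, poll_token: str) -> Optional[Tuple[str, str]]:
        """JavaScript on the QR page polls this. Returns (username, session_cookie)
        once the phone has authenticated; the pending record is then deleted so
        the cookie can be collected exactly once."""
        pending = self._alive(session_id)
        if pending is None or not secrets.compare_digest(pending.poll_token, poll_token):
            return None
        if pending.authenticated_user is None:
            return None                      # phone has not confirmed yet
        del self._pending[session_id]
        return pending.authenticated_user, pending.session_cookie


if __name__ == "__main__":
    # Constructed demo: the OTP check is a stub standing in for the real verifier.
    server = MagicLoginServer(lambda user, otp: user == "alice" and otp == "constructed-otp")
    sid, token = server.start_login()          # browser renders sid as a QR code
    print(server.browser_poll(sid, token))      # None: phone has not scanned yet
    print(server.phone_submit(sid, "alice", "constructed-otp"))
    print(server.browser_poll(sid, token))      # ('alice', <cookie>)
```

    Binding the poll to a token the QR code does not carry means knowing the session number alone is not enough to receive the cookie; the expiry and single-use deletion keep the window during which a pending session can be completed as short as the QR code itself.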

    It got better, but we decided not to stop there. Starting with the iPhone 5S, Apple phones and tablets have a TouchID fingerprint scanner, and since iOS 8 it is also available to third-party applications. The application does not actually get access to the fingerprint; instead, if the fingerprint is correct, an additional Keychain section becomes available to the application. This is what we took advantage of. The second part of the secret, the one the user typed from the keyboard in the previous scenario, is placed in a TouchID-protected Keychain entry. When the Keychain is unlocked, the two parts of the secret are mixed, and then the process works as described above.

    For the user it has become incredibly convenient: they open the application, touch the sensor, scan the QR code on the screen, and are authenticated in the browser on the computer! So we replaced the knowledge factor with a biometric one and, from the user's point of view, did away with passwords entirely. We are sure that ordinary people will find this scheme much more convenient than manually entering two passwords.

    It is debatable to what extent this is technically two-factor authentication, but in practice you still need to have the phone and a valid fingerprint to pass it, so we think we have done a pretty good job of removing the knowledge factor and replacing it with biometrics. We understand that we rely on the ARM TrustZone security that underpins the iOS Secure Enclave, and we believe this subsystem can be considered trusted within our threat model for the time being. Of course, we are aware of the problems of biometric authentication: a fingerprint is not a password and cannot be replaced if compromised. But, on the other hand, everyone knows that security is inversely proportional to convenience, and the user has the right to choose the balance between the two that is acceptable to them.

    Let me remind you that this is still a beta. For now, when you enable two-factor authentication, we temporarily disable password synchronization in Yandex.Browser. This is due to how the encryption of the password database is arranged. We are already working on a convenient way to authenticate the Browser when 2FA is enabled. All other Yandex functionality works as before.

    Here is what we got. It looks like it turned out well, but you be the judge. We will be glad to hear feedback and recommendations, and we ourselves will continue to work on improving the security of our services: now, along with, and everything else, we have two-factor authentication. Keep in mind that authentication services and OTP generation applications are critical, and therefore bugs found in them are paid double under the Bug Bounty program.

    Tags:

    • security
    • authentication
    • 2FA