Securing our users has always been a challenge on the web. For years, we found that the traditional username and password provided a secure method for authenticating users. They enter their credentials, submit the form, and in no time they gain access to the provider's services. Better known as Single Factor Authentication, SFA is still used across the majority of sites and has been a reliable security method. But over time, attackers have been able to expose user credentials using a variety of techniques. As a way of protecting our users, we started to implement password checks and used well-known hashing and salting techniques at the database level. But in most cases, not all password checks are equal, and not all hashing techniques are reliable enough to prevent attacks. This is where Two Factor Authentication comes in.
So what is Two Factor Authentication? TFA is a method based on users providing two factors of information rather than a single credential. Now, why is this a better option? For one, it adds an extra layer of security over the traditional username and password, removing the need to rely solely on highly strict password checks; and two, introducing a second factor such as a device the user owns increases the difficulty for attackers to carry out a successful attack. Here at Osprey, TFA was one of the strategies we wanted to integrate into our login portal. With multiple TFA strategies available, we found a new strategy created by the Facebook team called Account Kit.
Introducing Facebook’s Account Kit
Introduced at the F8 conference this April, Account Kit is a new product that Facebook launched for all developers to secure their mobile and web applications. In short, Account Kit is a TFA and Single Sign-On method that allows users to log in and register using their phone number or email. With Account Kit, developers don't have to create a separate workflow to handle new registrations, because Facebook's infrastructure handles authentication and manages user accounts. To get a better picture of how it works, let's take a look at what happens during a simple login using Account Kit: