We often hear about security incidents on the internet, along the lines of "user accounts were hacked and assets or data were stolen". But we rarely dig into the root cause of the incident and use that knowledge to protect our own accounts.
We keep treating some solutions as secure when in fact they are no longer secure.
For instance, a second factor based on a code sent by SMS is not secure: there are many examples in which a SIM card was ported to an attacker and the account was taken over, and where cryptocurrency exchanges were involved, funds were stolen.
Another example: the well-known TOTP (Time-based One-Time Password) scheme, the approach used by Google Authenticator, is not secure either, because it shares the master key over the internet during setup.
So these examples show that, with high probability, we are using something insecure to protect our cryptocurrency exchange or ICO crowdsale platform accounts.
What is the solution? Today the most promising and secure solution for user authentication is U2F (Universal 2nd Factor), an open authentication standard. U2F has been successfully deployed by large-scale services, including Facebook, Gmail, Dropbox, GitHub, Salesforce.com, the UK government, and many more.
The technical specification of the standard is hosted by the FIDO Alliance. This approach does not transmit sensitive information over the internet: only the public key is sent during setup, and the private key is held securely on the user's side. It relies on digital signatures: the user signs a message with the private key and sends it to the server for authentication, and the server verifies the signature with the public key.
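To make that flow concrete, here is an added example (not code from the post or from the FIDO specification) that models a U2F token and server with Go's standard library: registration hands the server only a P-256 public key, each login signs the server's random challenge together with the hash of the site's origin (the application parameter) and a monotonic counter, and the server verifies with the stored public key, so a signature obtained for one origin does not verify for another and a replayed assertion is rejected by the counter. The names Authenticator, Register, Sign, Verify and signedDigest are this example's own, and the signed-data layout is a simplified reading of the U2F authentication format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator models the user's U2F token: the private key never leaves it.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32 // bumps on every signature; lets the server detect replays and clones
}

// Register models setup: only the new P-256 public key goes to the server; the private key stays on the token.
func Register() (*Authenticator, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv}, &priv.PublicKey, nil
}

// signedDigest hashes what both sides sign/verify (simplified U2F layout):
// SHA-256(appID) || user-presence byte || big-endian counter || SHA-256(challenge).
func signedDigest(appID string, counter uint32, challenge []byte) []byte {
	app, chal := sha256.Sum256([]byte(appID)), sha256.Sum256(challenge)
	data := append([]byte{}, app[:]...)
	data = append(data, 0x01) // user presence confirmed (button touch)
	data = append(data, byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
	digest := sha256.Sum256(append(data, chal[:]...))
	return digest[:]
}

// Sign answers the server's challenge for the origin the browser reports.
func (a *Authenticator) Sign(appID string, challenge []byte) (uint32, []byte, error) {
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(appID, a.counter, challenge))
	return a.counter, sig, err
}

// Verify is the server side: it holds only the public key and the last counter seen.
func Verify(pub *ecdsa.PublicKey, last *uint32, appID string, challenge []byte, counter uint32, sig []byte) bool {
	if counter <= *last || !ecdsa.VerifyASN1(pub, signedDigest(appID, counter, challenge), sig) {
		return false // replay, cloned token, wrong origin or forged signature
	}
	*last = counter
	return true
}
```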
Check whether your favorite services support this standard.