NanoToolkit Blog

The Way to Keep in Touch.

When it comes to Security, should we be Web First or Mobile First?

You might have used mobile apps like WhatsApp, Instagram, WeChat or Telegram. Many of them started as mobile-only apps, and thus their means of security was single-factor authentication: the phone number serves as the username, and the password is dynamic and is sent to the user via text message.

The problem is that a text message is not all that secure in the first place. The more important problem with this kind of simple authentication via an SMS message, however, is that it cannot easily be extended to other platforms such as PCs or even tablets, which typically do not have access to the telephony network to receive an SMS. Think about it for a moment. Platforms such as Facebook or Gmail were started in the heyday of the PC era. That's why they went with the typical solution of a username and password combination, and over the years they have added multi-factor authentication, such as asking people about their grandmother's birthplace, an RSA security token or perhaps a simple SMS message, to augment the single-factor authentication. That's why, when you try to use your Google Voice or Skype account on your phone, you are still more or less required to provide your username/password combination, which is a bit inconvenient: services like Skype were conceived in the PC era, when the username/password combination was the norm.

Although it may appear convenient to have just your phone number as your username and an SMS message as your password, it is not exactly secure. Relying on the telephony network also does not carry over to other modes of communication. Let me explain, starting with security. Virtually everyone's phone number is widely known. People are expected to provide their phone numbers at doctors' offices, when they park their car, when they want a discount, and so on. The less obvious point is that text messages sent over mobile networks are also not secure and can easily be eavesdropped on. There are platforms, such as Instagram and Facebook, that have successfully incorporated the ability to log in with either a username/password combination or a phone number/password combination. Other platforms, though, have an odd approach to authentication. WhatsApp, for instance, is a mobile-first platform, and its PC software authenticates in an unusual way: WhatsApp displays a QR code on the PC, and you must scan that QR code with the mobile device to be able to log in to the PC software. This approach is quite novel and innovative, but it is problematic as well because it requires concurrent access to both devices. That said, this approach is not always that painful. WhatsApp stores the login session for a number of days so that the user does not have to log in repeatedly with their mobile phone.

WhatsApp Screen Requiring Login from Mobile Phone:

[Image: WhatsApp login screen on Windows]
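
The scan-to-login flow described above, sketched as an added example (it is not from the original post and is not WhatsApp's actual protocol): a hypothetical `LinkServer` issues a short-lived, single-use token that the PC shows as a QR code, the already logged-in phone approves it, and the resulting PC session expires after an assumed 14 days. The class name, the lifetimes and the phone numbers are assumptions made for illustration.

```python
import hashlib
import secrets

QR_TTL = 60                   # seconds a displayed QR code stays valid (assumed)
SESSION_TTL = 14 * 24 * 3600  # "a number of days" before re-linking (assumed)


class LinkServer:
    """Hypothetical server side of a scan-to-login flow."""

    def __init__(self):
        self.pending = {}   # sha256(token) -> expiry time of the QR code
        self.sessions = {}  # sha256(token) -> (account, session expiry)

    @staticmethod
    def _key(token):
        # Store only a hash so a leaked table does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def new_qr(self, now):
        """PC asks for a login code; the token is what the QR image encodes."""
        token = secrets.token_urlsafe(32)
        self.pending[self._key(token)] = now + QR_TTL
        return token

    def approve(self, token, account, now):
        """Called by the phone app, which is already logged in as `account`."""
        expiry = self.pending.pop(self._key(token), None)  # single use
        if expiry is None or now > expiry:
            return False  # unknown, replayed or expired QR code
        self.sessions[self._key(token)] = (account, now + SESSION_TTL)
        return True

    def whoami(self, token, now):
        """PC presents its token on each request; None means log in again."""
        account, expiry = self.sessions.get(self._key(token), (None, 0))
        return account if now <= expiry else None


def demo():
    srv, t0 = LinkServer(), 1_000_000  # constructed clock value, in seconds
    qr = srv.new_qr(t0)
    linked = srv.approve(qr, "+15550100", t0 + 10)    # constructed number
    replayed = srv.approve(qr, "+15550199", t0 + 20)  # second scan refused
    stale = srv.approve(srv.new_qr(t0), "+15550100", t0 + QR_TTL + 1)
    return (linked, replayed, stale,
            srv.whoami(qr, t0 + 3600), srv.whoami(qr, t0 + SESSION_TTL + 60))
```

The short QR lifetime and single-use check are what keep a photographed or replayed code from being approved later, while the longer session lifetime is what spares the user from needing both devices at every login.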