One of the biggest leaps in account security was the standardization of second-factor, or multi-factor, authentication: the process of verifying a time-based code or a device physically in your presence. After you enter your username and password, a service provider like your bank or Twitter will ask you to enter a code or press a button. Once verified, you’re successfully logged in!
As a leader in information security, I have always found it challenging when an employee or customer loses their device and is locked out of their account. An account is most vulnerable when the password and security controls are reset. How can an organization make sure that an employee needing a password or MFA (multi-factor authentication) reset is who they say they are? I have written policies requiring one-on-one video calls and proof of identification before help desks reset passwords and account secrets.
What happens when you lose your device? All those codes you scanned are stored on your phone, so they are lost as well. For security purposes, you can re-render that QR code to scan. What a lot of people don’t realize is that underneath that QR code is just a small URL that states the account name, who is issuing the token (optional), and the secret used to generate the token. You might have seen the secret if you were ever curious and hit “enter manually” on a site that shows the code. That secret is run through an algorithm based on a time window to generate a (normally) 6-digit token.
Surprisingly, there are no good solutions out there which prioritize consumer account security. Apps like Google Authenticator don’t back up your token secrets, meaning they are lost forever if you lose your phone. Other tools like Authy make you create a third-party account and store your token secrets in their cloud. Yes, they use encryption, but that doesn’t mean there is no risk to you in storing your codes in someone else’s cloud.

Enter Amber, named after the fossilized tree resin seen in Jurassic Park that kept organisms safely intact for millions of years. If you are on iPhone, you already have an iCloud account, and your usernames and passwords are already in the keychain. Amber uses the iCloud Keychain to save your tokens, so any device you log into has access to them. This means that if you break or lose your device, you can recover all your accounts as long as you have your iCloud login. Amber is simply “A Better Way to Save Your Security Codes on iPhone.”

Coming up with a cool headline for this article was really difficult. When you think about it, it’s not easy to create an eye-catching way to spin the most painful workflow in consumer security. Even though there are industry standards on account security terminology, customers and professionals alike use 2-factor, multi-factor, TOTP and security codes interchangeably. That creates confusion and makes it hard for us to educate end-users on the correct steps to take to secure their account. When it comes to saving your account security codes, if you save them only to a device which you then break or lose, you’re locked out of your account.
Disclosure: I am the developer of this app