What Is TextKey™ (TextPower's Two-Factor Authentication - 2FA)
After you successfully register your phone number, the registration system will ask for your email address (TextKey™6). Once you enter it on the registration page, an email will be sent to that address within about a minute. The email (TextKey™7) will contain a key that you must also text from your phone into the short code shown in the email.

Requiring the user to text the key to validate the email address assures that we are getting the code from the same recipient who registered the phone number, so the two are inextricably linked in our system. When the correct code is received, you'll get a confirmation message on that login page and it will immediately log you into the portal.

But why do we need an email address at all? Simple: we send a "registration complete" email (TextKey™8) with instructions and a one-time backup key that can be entered on the login page if the user can't send a text (in flight, dead battery, etc.). So if a user ever cannot send a text to authenticate their login, they can use that backup key - they'll simply click the link in "If you are unable to send a text CLICK HERE" (TextKey™9). Users will simply click that link and enter the code in the appropriate field on the next screen (TextKey™10). Once that backup key is used, an email is automatically sent to that same email address with a new backup code. That process repeats for as many times as the user uses the backup code.

I have been convinced for a long time that TextKey™ is more secure than any other SMS-based 2FA process. When you test it I think you'll understand why:
- Every cell phone ever made has its own "fingerprint," known as the IMEI (International Mobile Equipment Identity) number.
- Every cell phone number is definitively and exclusively linked with one IMEI, meaning only one phone can have that number.
- Using short codes means that the number sending the text message cannot be faked ("spoofed") because the carrier checks the phone number against the IMEI that sent it to see if they match in their registration system.
- We piggyback on the extreme security that carriers use to ensure that there is only one phone assigned to every phone number.
- Anyone who attempts to send the key from a phone number that is masquerading as another number (that's what "spoofing" is) will cause that phone's service to be blocked, rendering it virtually useless.
- There is no possibility of a "shoulder surfer" who steals your login info and then watches to see the preview of the incoming text message on your phone to steal the 2FA code. There is no preview because the message is sent from, not to, the phone.
- You must be able to unlock the phone in order to send a text message. This is yet another layer of security even if you lose your phone or it is stolen.
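The registration and backup-key flow described above can be sketched from the server's side. This is an added example, not TextPower's code: the class and method names, the key lengths and the five-minute lifetime are assumptions, and the sender number is assumed to arrive from the short-code gateway already validated by the carrier, as the list above describes.

```python
import hashlib
import hmac
import secrets
import time

KEY_TTL = 300  # assumed lifetime in seconds; the page states none


def _digest(value: str) -> bytes:
    # Store only digests so a database leak does not expose live keys.
    return hashlib.sha256(value.strip().lower().encode()).digest()


class MoVerifier:
    """Hypothetical server side of a mobile-originated (phone-to-server) key check."""

    def __init__(self):
        self.pending = {}  # phone -> (key digest, expiry) for the emailed key
        self.backup = {}   # phone -> digest of the current one-time backup key

    def issue_email_key(self, phone, now=None):
        """Create the key that is emailed and must be texted back from `phone`."""
        now = time.time() if now is None else now
        key = secrets.token_hex(4)
        self.pending[phone] = (_digest(key), now + KEY_TTL)
        return key

    def on_inbound_sms(self, sender, body, now=None):
        """Accept only the right key arriving from the registered number."""
        now = time.time() if now is None else now
        entry = self.pending.get(sender)
        if entry is None or now > entry[1]:
            self.pending.pop(sender, None)  # unknown sender or expired key
            return False
        if not hmac.compare_digest(entry[0], _digest(body)):
            return False
        del self.pending[sender]  # single use: a replayed text is rejected
        return True

    def rotate_backup(self, phone):
        """Return a fresh backup key (emailed to the user in the page's flow)."""
        key = secrets.token_hex(6)
        self.backup[phone] = _digest(key)
        return key

    def use_backup(self, phone, key):
        """Check a backup key; on success retire it and return its replacement."""
        stored = self.backup.get(phone)
        if stored is None or not hmac.compare_digest(stored, _digest(key)):
            return None
        return self.rotate_backup(phone)
```

A production version would also limit failed attempts per phone number; that is left out here to keep the example focused on the sender binding and the one-time rotation.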