Webinar: How an App Can Be Used for Two-Factor Authentication

We officially launched Verigator, our more powerful two-factor authentication API for online services and mobile app. View this webinar to learn more about the impact of 2FA on cybersecurity and hear from the creators of this platform. The transcription is added below the video.

Transcription:

Yuriy Mikitchenko: All right. Good Morning, or actually Good Afternoon everybody. Thanks for joining us at this ‘Two-Factor Authentication’ webinar. I've got quite a few things to go through today. But before we get to the agenda items, we’ll go through a couple of housekeeping items. There is a questions and answers section up in the GoToWebinar panel. You'll see down the rows there's an option to ask questions. You can go ahead and ask questions during the webinar if you'd like. If it's something that we think we can answer right away, we will. If not, we'll hold the questions until the end of the presentation and the live demo.

This likely won't be an hour, we'll get straight to the point in getting you guys the facts information and the demo itself. So, alright let's get started. Our agenda items, so we'll do a quick overview of ‘Messente’. I'll introduce the presenters; we'll discuss why we built a ‘Two-Factor Authentication’ platform in the first place. Our CTO Jaanus will provide a live demo, and give you additional details on the API documentation in ‘Verigator’ app. We'll give you more information about our 2FA mobile app as well, which is free on the iTunes, or the Apple App Store, in the Google Play Store as well.

So, quick intros, first and foremost Lauri Kinkar is our CEO. He has been in the technology industry in Estonia for about 16 years as a mobile solutions partner, and he's the CEO of ‘Messente’. The brains of the outfit is Jaanus, he is our CTO. We will go through all the technical information as well as the live demo. I am the head of marketing at ‘Messente’. I joined the organization a few months ago in building the next generation communications platform within the center. So, Lauri, if you are ready, I will hand this off to you.

Lauri Kinkar: Hello everyone. I'm Lauri and starting with a quick overview of what is ‘Messente’, what have we been doing. So, ‘Messente’ essentially is a global messaging service provider, and we also provide the ‘Two-Factor Authentication’ services for user authentication. This means that the companies from very different industries, financial services to logistics to online marketplaces use us to firstly verify their users, and secondly send them time critical notifications. So, that is to any operator network, any mobile phone in the world.

In messaging, we focus on what we call ‘Transactional Messaging’, and that means personal reminders, alerts, notifications that are based on some business transaction. That are meant personally for the consumers they are sent to. Well, for example your bank notifies you about receiving money on your account, a courier is giving you a pre notice, a delivery, and etc. In this ‘Transactional Messaging’, a major use case for us has always been delivering pin codes for authentication, and via SMS. Mainly because pin codes are one of the most time and business-critical notifications. About a year ago, we set out to build better tools for this use case, you want to provide more than just SMS, a messaging connection for pin code delivery.

We did. So, the current toolset involves three components; ‘The Verification API’, and this is something for companies who wish to add 2FA to their site, and protect user accounts. Using this API, you can initiate user verification at any point, and what ‘Messente’ will do is generate pin codes and deliver them to any network, and handle retries if need be. The second component in this toolset is a prebuilt user interface. Again, for companies who either don't want to spend a lot of resources or want to get going fast because one side of verification is issuing and delivering pin codes, and another part of it is the user interface that people interact with, when they go through the process.

Pretty much a form where users submit their phone number, if the service owner doesn't have it, and also later submit the pin code they received. In case, there's a company who doesn't want to build this user interface themselves, we've built one for them and it's free of charge to use. The third component is the ‘Verigator’ app, which we are going to talk about a little bit more as well. This is available both for Android, and iOS. This is for consumers. So, it's an app you can use with Facebook, Twitter, Gmail, GitHub, almost any major service, and it makes 2FA for consumers, really seamless and convenient.

So, pretty much using this app, consumers will get all of their one-time passwords, and the Pins for authentication right from this app. For companies, in case their users are using the ‘Verigator’ app, it's a very convenient way for delivering pin codes directly to the app instead of using an SMS. By the end of the day, it cuts costs and you don't depend on delivery quality and speed at all anymore. So, this is what we have built, what we have to offer for companies. At this point, I'm also glad to say that companies trust us to handle their user authentication. We're currently handling about 5 million authentications every month; this number is growing.

Yuriy Mikitchenko: Great. Thanks Lauri. So, a topic of discussion I wanted to bring forward to the audience, and I think, we talked about internally as well as the reasons behind us building a ‘Two-Factor Authentication’ platform in the first place. Currently businesses spend a lot of money every year on security products, whether it's for Malware protection, Antivirus, protecting their servers, you name it. They spend thousands to tens of thousands of Euros a year depending on size of the business.

However, it's not likely that a lot of businesses use simple tools like 2FA to stop attacks in the first place. When it comes down to these types of attacks, not only are the accounts that are hacked infiltrated, but also accounts that, or also it gives attackers the opportunity to get into accounts beyond the one user account. It gives people access to business over all, right. So, today's reality is that usernames and passwords are reused; a recent survey by ‘Keeper Security’ showed us that 80% of people reuse their passwords across multiple online services.

Now, with over four billion passwords floating around the internet, hackers can get through the front door of nearly any business without anyone knowing. 80% of all hacking related breaches are due to weak or stolen passwords, and it's absurd that even two-thirds of credentials are stolen through email-based malware, which means that hackers are getting through spam filters and firewalls. These malicious emails that hackers send to business users to get access to their credentials, which gives them access to the entire company database. To be frank the main reason hackers are doing this, and spending all the time trying to get access to credentials, and user accounts is to make money.

The financial fallout of hacks is quite painful. So, first of all it takes 200 days for most businesses to know they have been hacked in the first, which is like someone's sitting in your living room for more than half a year watching and recording your entire life. Then one day, you turn around, and you notice a stranger sitting on your couch, and they just walk out the front door with all this information. Now imagine the data someone can walk out with knowing that the average cost of a breach is 137 years per breached record. Multiply that by thousands or tens of thousands of records, and there's two points here as well you got to know.

Storing your data in the cloud like AWS, or Azure. If you put your databases in the cloud, does not mean you're protected. For example, there was a company that was recently hacked because it's called ‘8-tracks’, they're socially based radio music provider. They lost 18 million credentials because one of their employees, enable ‘Two-Factor Authentication’ for their GitHub account, and that GitHub account gave them access to a hacker to get to a database with user information. Also, smaller businesses are also at risk, smaller businesses assume that they're immune because hackers won't go after the small businesses or small data user sets.

That actually makes it more likely for smaller organizations to be breached, and then when they get breached one time, they're breached multiple times. Because they don't make the necessary investments to protect their own data. Overall nearly every business has a 25% chance to get hacked in the next two years, which seems like a small number, that's a quarter of all businesses that you may know of. So, let's connect the dots here. If 80% of hacking related breaches are due to weak usernames and passwords, and we know that users, customers or employees tend to reuse their passwords or make it easy to guess passwords.

What is the least costly method to motivate better user behavior, and it's easy to enforce. Our answer to that is ‘Two-Factor Authentication’. Now 2FA isn't the holy grail of security, but it's a piece of the pie. It's a low-cost, high-impact piece of the pie. Now, I'd like to hand off to Lauri to give you guys more details on ‘Messente’ and ‘Two-Factor Authentication’. How we get it done.

Lauri Kinkar: Yeah, I agree that the statistic, that all those statistics and metrics actually look like pretty bad news to companies who don't have the budgets for security. I agree with the fact that ‘Two-Factor Authentication’ today is one of the smallest steps you can take towards securing your user accounts. On the other hand, it exponentially reduces the probability of accounts getting hijacked. So, as I said about a year ago, when we set out to build our own 2FA solutions, then we wanted to create something which was definitely secure, but also simple to integrate, sort of plug and play.

I think that the three things that I would want to point out before Jaanus shows you how it all looks like. Firstly Messente’s core focus is enterprise messaging, has been for the past ten years. The cornerstone of any 2FA tool which delivers pin code via SMS is the ability to deliver those messages to any network globally. We're in a very good position to do that, our 2FA tools use the best messaging channels out there. We've been building this global messaging network for the past ten years, and it's all at the disposal of the big or small organizations using those tools.

Then secondly, this tool set includes all the components needed for a smooth authentication. I said verification API, and the pre-built user interface if needed for companies, and ‘Verigator’ app on the consumer side. So, there's something for everyone involved in this process. Thirdly is the fact that we wanted to build something which was available for all companies, regardless of size, regardless of budgets. Current 2FA tool set is available, and powerful enough for large organizations, and the same enterprise level tools are affordable for small companies as well. These maybe would be the three things that I would stress before going onto the demo.

Yuriy Mikitchenko: Great, thanks Lauri. Now onto the demo, and we're gonna go over a few things in the demo. First and foremost, we'll discuss a bit about how you can get the API information, where to sign up, and get things installed on your online service or app. We'll show you what it would look like if a user whether use the API from a user perspective to login, to any online service or app that has 2FA enabled. Then we'll show you the ‘Two-Factor Authentication’ app ‘Verigator’, and how it looks like from the consumer end, and we'll pass over to Jaanus to give us the details.

Jaanus Roomus: Hey everybody. So, I will first show you how it would look if your service had integrated with ‘Verigator’ verification API. How you could log into the service, how you could enable the ‘Two-Factor Authentication’, and authenticate. How it works with SMS, with the ‘Verigator’ app. How all the pay overs, and everything looks. I hope you can see my screen now. I would give just a few seconds, so that you can sync it. On the left of my screen, you can see an Android device, currently looks like it's low coverage. So, there might be some problems with SMS delivery.

But let's see. Let's start with a verification API. We have all the documentation on our website, you can see how to authenticate to the API, how to create service, how to sync all your existing users, how to start authentication. How to verify the pin code, it's all fully documented, and we also have a library for Python, Java and PHP in the very beginning. Let's start with the demo series. So, this is a web service that probably can be just one of your services that you have, and this is like just a demo how it would actually look like. I have created already an existing account here that I can log in to. Currently the 2FA for this account is disabled. Let's just try to enable it. I will type in my number, and enable 2FA.

We should see an SMS arriving on the device soon, and here it is. Let's open it up, so it's 571549. So, in case there was some kind of a delivery issue with the SMS. ‘Verigator’ what it does, is that it automatically detects that there was no successful verification, and it tries to resend an SMS using our backup routes after like it currently it's defined to 30 seconds. If we wait a bit more, yeah, so you can see that second SMS arrived as well. So, now let's try to verify the pin code, and you can see that 2FA was successfully enabled. What next? Let's go to the ‘Verigator’ app. You can download it from App Store or Google Play Store or you can also go to verigator.com and find the links there.

This is a fresh setup. So, let's first go and set it up. I will enter my number 56704409. Next now, I will have to verify my phone number with the pin code. Let's send with SMS, 856887, and we're good. I will also have to enter my email address, so in case of any troubles, you can restore your account, and verify that it's actually you. I just use my demo account. As you can see, I previously signed up ‘Two-factor authentication’ with demo site. Now it's automatically available in that. So, you didn't have to do anything to get to ‘Verigator’ app.

So, it will sync automatically. What next? Let's also try enabling ‘Two-Factor Authentication’ on my Gmail account for example. You can get this, if you check your account from Google. Go to ‘Sign in and Security’, then if you scroll down, you can see 2-step verification. You have to verify your password again, and down here is authentication app that you can set up. Currently I have an Android device, and now Google shows me a QR code that I can scan. Now if I click ‘Add account’ on the device. It will allow me to scan the QR code. Now if I scan it, it is also added to ‘Verigator’ app.

Now, I have to verify it. So, it's 775 880. Verify. Next time you log into Google from another device or from another country, Google will probably ask you for a TOTP, or time-based one-time password that you can easily get from the ‘Verigator’ app. As you see, finding the correct place was pretty complicated. What we did is that we added a quick tutorial to that. If you can check tutorials straight from the app, how to actually find the correct place to scan the QR code. I guess, that's pretty much it. Thank you for watching.

Yuriy Mikitchenko: All right, thanks Jaanus. A couple things to note, once it's setup, once the API is set up on your website or your mobile app service. From the user's perspective, it's pretty easy to change their online behavior, which will protect the user and it will protect your business. Again it's 80% of all access are due to weak usernames and passwords, and this type of setup actually adds a layer of security, a different authentication method to make sure the right person is logging into those accounts.

You could try it yourselves, go to the Apple App Store, to the Google Play Store, download ‘Verigator’, try it on any major online service that has ‘Two-Factor Authentication’, and nearly all of them at this point have ‘Two-Factor Authentication’ options. Whether it's Google, Facebook, Twitter has as it I believe, even Pinterest has ‘Two-Factor Authentication’ enabled. All of these major services are, they are establishing ‘Two-Factor Authentication’ as a best practice. We're encouraging businesses to do the same to protect themselves and users.

At this point, I'd like to open it up for questions. I will unmute all of our attendees, and if you guys want to ask questions, go ahead, and speak up. We already have a few questions from our chat-based question. But one sec, let me get everybody unmuted, and you guys can go ahead and ask your questions. All right, anyone have questions? All right, so one question is from the chat is, what are the actual integration costs, and how long does it take?

Lauri Kinkar: Yeah. Depending on what does your end look like? Integrating the API is possible in a few hours.

Yuriy Mikitchenko: Jaanus.

Jaanus Roomus: I guess, you can use the libraries, and it's a lot easier you set it up depending if you already have a ‘Two-Factor Authentication’. If you want to set up the verification code or use our pre-built user interface. It slightly depends, but usually if it's straightforward, you can do it in a few hours.

Yuriy Mikitchenko: Another question that we got, are there any libraries available for developers? One sec. Let me get, so Jaanus and meet yourselves and get that work checked.

Jaanus Roomus: First, we will have libraries for Python, Java and PHP. They will be available on our Verigator’s documentation page at the end of this week latest.

Yuriy Mikitchenko: Okay, perfect. Then lastly, I wanted to mention that if you go to messente.com, you'll see a dashboard link at the top right corner of the website. You click on that link, and it will give you the opportunity to create your own accounts with Messente, which should give you access to your own API key for 2FA verification API, and you can get things started. If you have any questions, go ahead and just reach out to us in the contact page, or sales@messente.com. Where we can help out moving forward, so if there aren't any other questions, we'll go ahead, and wrap up.

We wanted to make this quick, and straight to the point. We'll send out the slide deck to everyone after the webinar. Also, the recording of this will be available on messente.com, and also attached you will have the link, we’ll email it to all the attendees. So, awesome, thanks all for showing up to the webinar. We're looking forward to having much more of these. Right Lauri? I'll take that as a Yes. So, all right, thanks everyone. Have a great rest of your day.


Taavi Rebane
2017-09-14 00:00:00 UTC