by AndrewDucker 4535 days ago
How is it easier than TOTP, which is an IETF standard, and implemented by Google Authenticator (amongst others)?

It's easier because you only need to tap the app to verify. No need for OTP codes, though OTP is a fallback if your device is offline.
So, users are locked into MePIN's proprietary app and depend on MePIN's website to log in, rather than using an open standard that can run offline. If you use HOTP/TOTP, you can use open source Google Authenticator, DuoSecurity, libpam, or any number of clients.

It's pretty easy to implement your own TOTP client if you don't like any of those. Here's a JS reference in 250 lines of code and HTML: https://code.google.com/p/google-authenticator/source/browse...

In MePIN's defense, DuoSecurity also has their own push notification for a single-tap login, so users are willing to trade interoperability for convenience.

Are you concerned that it is a lot easier to trick users into clicking a button to authorize the login?
Of course user behavior has to be considered. The MePIN app does allow the user to set up a personal PIN code, so an authorization would then require the PIN code and a tap.
A PIN would do nothing to keep a user from being tricked into authorizing an attacker's login.
Don't want to argue, but yes it would. It would stop the user for a second, giving time to the brain to process for a while what's going on.
If a user is willing to press the button, a PIN isn't going to stop them. Your app is decreasing security in favor of usability, which is not something people look for when they are looking to implement two factor auth.

I think anyone who would blindly use your proprietary two factor solution that makes it easier for end users to authorize other people to log in would be silly.