In addition to regular user name and password, Gyroscope supports 4 additional alternative authentication methods. Through an extensible structure, any or all of these secondary methods can be activated at the same time.
As of version 16.3, the supported authentication methods are:
Now let's look at each one:
SMS Text
Gyroscope has a unified interface for sending SMS messages. Developers can use one of the two bundled gateways, or roll their own. If no gateway credentials are give, the SMS authentication option is greyed out in user settings. The cellphone number and SMS option can be set by either individual users or an administrator.
Key Files
When the key file option is selected, the user is asked to click on a randomly positioned block 3 to 5 times. The randomness from the mouse gesture, combined with a server-side random number, generates a unique file that's split in two parts. One part is directly downloaded by the user, and the counterpart is stored with the server. The key pair is validated when the additional key file is uploaded.
Authenticator Code
Many authenticator apps support OTP tokens. The setup is as simple as scanning a QR code. A 6-digit token is displayed on the authenticator app for a limited period of time, typically 30 seconds, before it is replaced with another. Although Gyroscope calls it Google Authenticator, it works just as well with the Microsoft Authenticator app as well as Authy.
Smart Cards
If the Estonian EID software is installed on the operating system, the user will see the option of using the national ID card of Estonia, Latvia and Lithuania. The login screen will extract the certificate that is stored on the physical smart card. The certificate is used as if it is a key file. This is different from the typical Estonian card authentication flow. In fact, even expired ID cards can be used as digital fingerprint carriers. As the underlying browser plugins move on to Phase 2 of eID support, Gyroscope's smart card's component may extend to Yubikey devices.
Recovery Considerations
For the super paranoid users, all 4 methods can be used at the same time. Furthermore, Gyroscope ensures the password strength. In the extreme case, we are looking at a user name and a strong password, strengthened by a one-time SMS code that's sent to a mobile phone, protected by a cryptographically sound key file, validated by a physical smart card and a 6-digit code that's based on synchronized clocks and a shared secret.
On the flip side, losing any one of these physical tokens can block the user out. Our recommendation is to keep a recovery account that's backed by a key file that is stored on a moveable storage such as an SD card or USB key. The more frequently used accounts can be secured by SMS and/or an authenticator app. If a phone is ever lost, the locked account can be bailed by the recovery account. Note that some authenticator apps also offer cloud-based credential storage.
Developer Notes
Although the authenticator app module (internally known as "GA" for Google Authenticator) was introduced in 16.3, the component can be retrofitted to 15.2, the first version that supports a pluggable 2FA system.