Nova Spatial, the developer of a map-based authentication method called MapLogin, says their tool is unbreakable after a round of vulnerability testing with HackerOne. A bold claim, one that just isn't true based on the evidence.
Shortly after word of the LastPass breach started to spread across the Internet on Monday, Salted Hash received an interesting email with the following subject: "MapLogin proves unbreakable as alternative password method."
The email was a press pitch announcing the completion of vulnerability testing on HackerOne, along with a brief overview of what the product does.
"This important milestone ensures that the core concept can withstand the probing of some of the best hackers," said Roland Hansson, inventor at Nova Spatial LLC and author of the email.
The pitch explained that MapLogin is an alternative to normal text-based passwords. MapLogin aims to solve typical password problems "by providing an easy to use, yet secure, way of verifying something (the password) that only you (the username) should know."
The user will navigate to a precise location (that's the password) on the map, which the company said creates an "unguessable and unbreakable question & answer challenge."
"It is our belief that most people can pick out a unique place, for example where they went to school, on a map, and remember it, thereby offering a much better paradigm for authentication on the internet," added Hansson.
Salted Hash used a demo of the tool, registering under a throwaway account and picking a location in Asia. It broke during the first login attempt, as the map wouldn't navigate properly, and on the second test it worked as expected.
Overall, it wasn't impressive and has the feel of a program in the beta stages of development. At this point, if you doubt the company's unbreakable claims, you're right to do so.
The idea that this process is unbreakable because a user controls the location secret is problematic. How hard would it be to social engineer the secret location out of a user?
How hard would it be to use open source intelligence to guess the location, given that users will be sure to focus on personal locations such as where they live, lived, or as Hansson stated, where they went to school?
The LastPass breach generated a number of pitches related to multifactor authentication and password replacement stories, but Nova Spatial takes the cake for bold statements that are misleading, especially once you check the source data.
On the HackerOne page, eight hackers have been thanked by the company and so far there have been 11 bugs closed. This alone proves that the software didn't withstand much, especially since one of the closed bugs was for an issue that allowed account takeovers.
Another item that throws this pitch and the company's claims a curve is that the MapLogin HackerOne program has been active for less than 30 days. In fact, Hansson joined HackerOne 28 days ago (as of the date of this article).
That isn't enough time for something to be proven unbreakable, and 11 bugs (including the critical one) are proof that MapLogin was broken from the start.
Now, let's look at what the bounty program doesn't allow. First up, physical and social engineering attacks are off the table, as are denial of service attacks, and "third-party bugs" that would lead to a problem in MapLogin.
So while this program allegedly withstood "the probing of some of the best hackers" – and clearly it didn't – those hackers were not allowed to test the attack surfaces that would normally be targeted by someone going after a Web-based product.
Ironically, they found problems outside of the norm, which is just as bad, if not a bit worse.
Passwords have created problems within the security world for years, so vendors and developers are working overtime to find alternatives. Yesterday's news about LastPass has generated a good deal of FUD over the topic, and MapLogin is just one example of that.
"All software contains vulnerabilities. Security is an ongoing process and we commend organizations that leverage the worldwide hacker community to find and resolve vulnerabilities as part of their evolving security strategy. No amount of security testing can guarantee that any software is secure," Katie Moussouris, Chief Policy Officer at HackerOne, said in a statement when asked about the Nova Spatial claims.
The bottom line?
MapLogin is far from unbreakable; it was broken days after Nova Spatial published their program on HackerOne. It should also be noted that only one bug has been openly disclosed; the others remain unavailable to the public.