So firstly, I agree about how it's only as secure as the recovery process, in which case we give each website/app the freedom to decide for themselves, what level of security they want, compared to user experience.
Regarding Android's storage not being very secure: we are improving security mostly in the scope of social engineering. The type of users we are catering to are mostly people in developing countries who have a phone, no email, no laptop, and their problem is:
1) They either make bad passwords, or they don't remember passwords
2) If they don't remember the password, it will fall back to SMS OTP (because they don't use emails)
3) They are not going to download Authy/Google Auth or Duo.
Because of this, most apps in these countries have made the authentication method to be super simple: Phone Number + SMS OTP, no passwords. Unfortunately, this type of user is also easily scammed to share their SMS OTP. So the biggest problem that we see here is social engineering and SIM swapping, and not as much on technical security concerns.
Knowing this problem, our aim is to provide what Authy/DUO does from within the client's app, so users don't have to download a separate app. Also, we are not really providing 2FA. We are trying to make the first factor of phone number login more secure (by not using SMS OTP).
I'm not sure if I cover all of the concerns you pointed out, but this is definitely a great discussion.
Fair. The related developing country stuff I did involved a major credit card's competitor for mPesa and other sms minutes payment schemes in Africa, with tokenization for payments. These are not unsophisticated markets.
The people who pay for this will be the people who are protected by it, so the main use case could be around reducing support costs of password resets or something similar. End users don't reliably care enough as a group, and Relying Parties only see costs. The developing country angle invites scrutiny, as it's not a source of unsophisticated users, in fact if you want amazing hackers, go somewhere small hacks pay off massively because of currency differences.
So the user story needs fleshing out. A good example might be, an app for women in developing countries to prevent their husbands from stealing their phone minutes and/or wages, which has some horrific failure modes, but this is what we're into. The developing'ness piece needs a deeper story than "the poor."
So who steals the SMS OTP in these countries? Arguably if it's social engineering (or just threats) a duress key that mitigated the harm someone could do with the stolen OTP would be a better solution. What is the SMS OTP protecting? Is it bank accounts, what else?
For a security product, you need a) something worth protecting, b) a specific person who cares about it because they literally risk starvation without it, c) an adversary who wants it for a specific reason, and d) a set of controls that make that adversary find a cheaper thing to want.
What's your a-d? Is it compelling? (If your a. is a password, it's not.)
I'm asking because this is really interesting, and I also have a tool for generating these a-d models because they are called threat/risk assessments, which are basically inverted/sad-path business models where things go wrong, but it also generates criteria for security solutions. Nothing the a-d questions don't answer though.
Enterprise customers will ask you dumb versions of these questions that will waste a lot of time. You don't need to answer these here, but consider the exercise.
This is a very interesting way of thinking about this. I guess this would be our biggest concern if we are specifically a security product.
I think I was too focused on answering your question regarding security :). Basically, yes we do offer security, and the security we offer prevents social engineering. But that is not the only point of the product.
SMS OTP is used in general as a way to authenticate, on any kind of app, because it's the only seamless option to reach these types of users. And since SMS OTP is more expensive than our pricing and requires integration with several local providers for a good delivery rate, these developers can simply use Cotter because it's easier to integrate, it works across apps so it reduces friction and SMS cost, and it provides security from day one.
So the value is not only about the threat/risk assessments but it's just a better alternative to SMS OTP logins. Our goal is to make our product faster, cheaper, and better than their current options to authenticate users.
Let me know what you think about this! And thanks for talking about this, it really got us thinking.
As something whose value is focused solely on reducing the cost of SMS OTP, without a net increase in security assurance, which shifts the compromise risk into another threat (from sim swap to malware), aimed at developers who aren't equipped to reason about security and people who are sensitive to SMS fees, it's a narrow solution that could be one of those, "it shouldn't work but it does," things (like mPesa).
Your risk will come from security people in enterprises who know this stuff and will hamper and derail your sales. The opportunity will be in small app developers who get sudden traction, and relying parties will accept the risks of the authn method in exchange for access to that user channel.
I can see why someone would take the chance on investing in someone building rope bridges in developing countries, where engineers would say it's wrong for every conceivable reason, but someone is going to own those routes whether the bridges are rope or steel suspension and there is first mover advantage.
As you can see, security people will likely not be your allies in this, which is fine, but that's the heads up. Presuming you have a channel to those developers in 3rd world markets, I could see how YC might want exposure.
If nothing else, it's a case study and a useful example of how VCs see risk vs. how engineers see risk.:)
When I was overseas I worked with prepaid phone cards. The locals would share the same phone, plug in their card code, make their calls, then pass the phone on. As I understood it, the phone owner reaped the benefits of acquiring the unused minutes.
Not sure if this is still an issue. But even a "budget" Android phone (sub $100) is a luxury in developing countries. So I'm sure device sharing is still something to consider.
So firstly, I agree about how it's only as secure as the recovery process, in which case we give each website/app the freedom to decide for themselves, what level of security they want, compared to user experience.
Regarding Android's storage not being very secure: we are improving security mostly in the scope of social engineering. The type of users we are catering to are mostly people in developing countries who have a phone, no email, no laptop, and their problem is: 1) They either make bad passwords, or they don't remember passwords 2) If they don't remember the password, it will fall back to SMS OTP (because they don't use emails) 3) They are not going to download Authy/Google Auth or Duo. Because of this, most apps in these countries have made the authentication method to be super simple: Phone Number + SMS OTP, no passwords. Unfortunately, this type of user is also easily scammed to share their SMS OTP. So the biggest problem that we see here is social engineering and SIM swapping, and not as much on technical security concerns.
Knowing this problem, our aim is to provide what Authy/DUO does from within the client's app, so users don't have to download a separate app. Also, we are not really providing 2FA. We are trying to make the first factor of phone number login more secure (by not using SMS OTP).
I'm not sure if I cover all of the concerns you pointed out, but this is definitely a great discussion.