Nowadays, people rely more than ever on mobile phones for personal communication, entertainment, banking and various other applications such as strong authentication. In many cases, losing your phone is like losing your wallet. So the question remains: how do you access accounts protected by Afrilas if you lose your phone?
Allow us to answer this with another question. Would you jeopardize your security by implementing a less secure authentication method for exceptional cases? While it is technically possible to add account verification mechanisms to our platform, such as SMS or email verification, we chose not to do so in order not to weaken the overall security.
This does not mean there is no solution. The solution relies on human interaction and verification rather than on automated identity verification methods:
A user calls the IT service desk to report a lost, stolen or damaged phone.
A system administrator temporarily adds his/her own phone to the user’s Afrilas profile.
The user navigates to the secured application which prompts the user to scan a QR code.
The user then sends a screenshot of this QR code to the system administrator. This can be done by email, by setting up a video conference or by using any other messaging application, e.g. Slack.
The system administrator then scans the QR code with his/her own phone to securely log in the user.
The system administrator then removes his/her phone from the Afrilas profile of the user, who will be automatically notified of this and any subsequent removals.
This procedure has the following advantages:
The identity of the user is always verified in person by a trusted source (system administrator).
The identity of the user can be verified in multiple ways (e.g. video conference).
There is no compromise in security.
We feel that it is much safer to have these procedures in place instead of implementing additional account verification methods, which could potentially be exploited.