FAQ

MIRACL Trust® ID is a highly secure and user friendly Multi-Factor Authentication service allowing any user to log into a mobile or web application in two seconds using “strong authentication” (providing two or more of the following: something a user has; something only the user knows; something the user is).
Your customers and employees can now save time while logging on to your portals rather than waste time with password failure and dealing with multiple devices, all while leaving your company more secure since there is no need for passwords.

MIRACL saves our customers costs both directly and indirectly.

First, the fees for authentication traffic are typically 1/10th to 1/100th of the direct cost of competing multi-factor authentication systems since we only charge a fraction of the cost of an SMS text message per use. So with no infrastructure to maintain, no systems to manage, no license to pay, direct savings are substantial.

Yet the savings in indirect cost can often be even greater. Why? Because no other authentication system results in such a low level of account resets because they’re unable to authenticate. With MIRACL, less than 0.1% of incoming traffic fails to authenticate and requires an account reset.

With conventional password authentication, between 3 and 10% of users require an account reset (depending on the use-case). Systems that provide multi-factor authentication, as MIRACL does, typically have a significantly higher proportion of incoming traffic that ultimately fails to authenticate and needs an account reset (5 to 12%) because MFA users are also usually dependent on receiving a one-time code.

Reduced account reset results in lower customer churn (some customers just leave and never bother resetting) and saved expense in customer support - according to Cisco, 50% of customer support cost is due to password resets.

Yes, absolutely! Customer fall-out in protracted authentication journeys can result in 10 or even 20% loss in potential revenue through cart abandonment and user attrition.

With MIRACL, on average over 99% of incoming traffic authenticates correctly the first time - over 99.9% does so within 3 attempts (only taking 2 seconds per attempt).

No other authentication system comes close to this. No other Multi-Factor Authentication system comes remotely close.

With conventional password systems, failure rates are between 3 and 10% of incoming traffic, depending on the use-case. With MFA systems, 5 to 15%. This results in many of your users being stuck at the front gates of your app unable to log in and frustrated with higher potential for cart abandonment and your company losing sales.

The statistics are not surprising. Consumers get distracted during a 30 to 50 second process of logging in; not receiving a text message because they don’t have reception, not having their mobile with them, not having reception, not having a required authenticator app - the list goes on.

MIRACL addresses all of these potential hindrances to your customer completing their transaction. [to be added once calculator is made] Curious to see how much revenue you could increase with MIRACL Trust? Check out our sales calculator here.

Yes! With MIRACL, users log in with a multi-factor authentication in just 2 seconds and in over 99% of instances on the first attempt and in over 99.9% of instances, within 3 attempts.

With all competing systems that are either dependent on a mobile app or an SMS text message, the time taken is between 20 and 50 seconds. In a world in which consumers have an 8 second attention span, it is not hard to see how a faster authentication results in reduced failed customer journeys.

Reducing friction and failure has a direct impact on user conversion, cart abandonment and churn.

Yes! MIRACL Trust ID meets the European Banking Authority’s PSD2 specification for Strong Customer Authentication and Dynamic Linking.

MIRACL users have 1/10th the failure rate of password users. Not surprising when you consider the password is 1,900,000,000,000,000,000 times more complex!

This means your website or app will receive more traffic from happier users.

MIRACL is the world’s only MFA that works in one single user-step on any device. There’s no need for additional hardware, an authenticator app or a one-time code. With MIRACL, a user can log in with MFA in 2 seconds, which is a fraction of the time required for any alternative MFA.

A hardware token or dongle is essentially a device that stores a private key which is typically used as the second factor in two factor authentication. The token needs to be protected and stored securely, since it actually contains the complete second factor used during authentication. The physical token that needs to be present wherever and whenever you need access.

If for any reason you don’t have it with you, you cannot gain access. Software tokens are more flexible, especially as they are used very often with mobile applications. Still, software tokens store your whole private key, so are highly vulnerable to key compromise or theft. Mobile Apps that are enabled with MIRACL Trust® never store a whole private key and never store a PIN, which means, nobody can steal the “something you have” from your MIRACL-enabled mobile app, because they’re simply not there.

When you type a password to gain access to a resource, what you type is compared to a constant value stored in a database. If the database is compromised and your password stolen, the first action hackers will take is to try that same username and password combination on the most popular websites. This way they can get access to sensitive functions, like online shopping with your credit card.

In spite of this fact and users’ relatively high awareness of it, surveys show that approximately 60% of users re-use the same password because they believe that the operator will be responsible for any losses. This means conventional password authentication simply cannot be relied upon.

No. PINs used in MIRACL Trust® are never stored anywhere, so no hacker can steal them from a database in the first place. Plus, knowing your username and your PIN is not enough to gain access to anything, because they need the second factor, “something you have”.

Two-factor authentication requires users to have two separate elements to log into a website or application. Typically these are “something you know”, in this case a PIN and “something you have”, in this case your mobile device and MIRACL Trust® enabled application.

Reliance on a single factor leaves a website vulnerable to attack. According to Microsoft, there are about 18 billion password attacks annually, which translates to 579 password attacks every second. Moreover, the rate of these attacks is growing fast. During 2020 there was an unprecedented 450% surge in breaches from password attacks.

In many competing systems a cryptographic key is one of the factors. By contrast, our cryptography destroys the key and only the Key Shard (the ‘broken’ key) is used as the possession factor. Unlike other systems this means the key shard is of no cryptographic value and cannot be misused. Only the end user who enrolled the device (and broke the key) can rebuild the key using the PIN (Knowledge Factor). At no point is the PIN or the Key shard copied, transmitted or in any other way accessed except on the local device. The PIN itself (or reference to the PIN) is not stored on the device and is not discoverable in any way. It only ever resides in the user’s head.

Yes! In 2018, the Baymard Institute, which performs UX research, estimated that users fail to solve text-based CAPTCHAs roughly 8% of the time. That bumps up to 29% if the CAPTCHA is case-sensitive.

If MIRACL Trust is deployed, a CAPTCHA is unnecessary and always creates a bad user experience. CAPTCHA is typically used to mitigate a brute force attack, however those attacks do not have the opportunity to operate in the first place when confronted with MIRACL Trust. MIRACL will also protect websites and apps from large scale high frequency DDoS attacks.

MIRACL Trust® is two-factor authentication (something you have and something you know). So in order for someone to login to a web application as you, that someone would need both of the two factors – your mobile device that you used to register and your PIN. Unless they have your PIN too, they cannot login as you.

Just like bank ATMs, if the thief tries to guess your PIN unsuccessfully your account is locked after three (or fewer) failed attempts. This means that unlike conventional password protection, it is completely resistant to brute force attacks.

No! Your PIN is not saved anywhere, not even as encrypted information. Your PIN is saved only in your memory. Not even MIRACL knows your PIN!

You can register as many devices as you like to access the same website or application. During a simple registration process each creates a unique “something you have” and “something you know” pair so the PIN can be the same or different – it doesn’t matter.

If you use your mobile browser to access a website that utilises MIRACL Trust® for authentication, you’ll be able to use your mobile app to login seamlessly. You just need to navigate to the right URL: your mobile app will be launched automatically and you’ll be redirected to your account when the authentication is complete.

Yes. The current requirement of PSD2 related to providing customer security identifies that a solution delivers “strong authentication” which is defined as something a user has (software token in a web browser / mobile app) and something only a user knows (4 digit PIN memorised). MIRACL Trust® meets both of those definitions.

In addition, using MIRACL’s cryptographic signing, customers can exceed the requirements of dynamic linking by obtaining a cryptographic proof of any action or transaction that a specific identity signs using exactly the same 4 digit PIN or biometric in an app.

Please see our PSD2 solutions overview here.

Since MIRACL Trust® does not sync, send or store relevant information in whole form to deliver its multi-factor authentication as a service for web and mobile apps, we do not need to be compliant with information/ data security guidelines for businesses in regulated industries.

MIRACL is not independently certified at GPG44/ 45: LoA 2 and LoA 3, but the identity and authentication products we empower have been approved for use in the UK.Gov/Verify programs and approved under European Banking Authority requirements. This includes all aspects of the offering (including MIRACL’s M-Pin protocol).

MIRACL specialises in identity-based encryption utilising mathematics called bi-linear pairings. MIRACL’s products are based on its protocol M-Pin. While some of the methodologies used to exploit MIRACL’s cryptography are subject to internationally awarded patents, the cryptography itself has been completely open-source and freely available to the academic community for over 15 years. During this time, it has been extensively reviewed and referenced in academic research over 8,000 times. To date, no known practical or theoretical attacks exist against our technology.

Academic white papers reviewing the protocol and its secure function in a deployment are freely available on request.

MIRACL is a UK based company, currently independent of US government guidelines, and uses a similar but separate set of measurements (GPG44/ 45 in the UK instead of SP 800-63 in the US).

MIRACL is ISO 27001 certified, ensuring superior information security management and data protection standards.

MIRACL Trust® utilises the Open ID Connect protocol and has been reviewed by third party certification bodies as a secure and compliant implementation of that standard.

We assert that there are no known practical or theoretical attacks against our cryptography and protocols. This is not hype, it is mathematically provable and born of 20 years of publicly disclosed technology. It has been licensed to many of the world’s largest and most security conscious organisations like the US Military, Intel and Google.

MIRACL is a secure authentication service that is completely independent of how you manage your identities. MIRACL only handles the user enrolment or authorisation request then passes it back to your service. All identity, access and enrolment management takes place on your system. There’s no replication of databases and no increase in GDPR footprint.

A MIRACL Trust PIN is of zero value without another possession factor (the incomplete security key or ‘shard’ held on the local device). This means MIRACL can only be used on enrolled devices or browsers because they hold the required shard. It is not transmitted or stored locally or remotely and there is no central database of PINs or users locally or remotely.

MIRACL is a cybersecurity software company specialised in secure authentication. MIRACL Trust provides secure, frictionless authentication for any user-centric company by replacing passwords, expensive SMS and complex 2FA - helping them enhance and secure their online experience.

At MIRACL, we prioritise the usability of our products first. Security solutions are only effective if they can be deployed to all users, devices, browsers and networks, otherwise hackers will simply refocus their efforts on the forgotten few. Equally, any security solution needs to also provide users with a better experience, otherwise it is unlikely to be adopted.

MIRACL understands the fine details of our customers’ needs and has deep expertise in all elements of their security challenge; from cutting-edge cryptography that safeguards users’ security and their absolute privacy, to optimising user-flows where we have experience in eliminating harmful friction in both authentication and verification.

Whatever your authentication challenge, MIRACL offers the most innovative and versatile products backed up plain-speaking clarity and integrity.

A Zero Knowledge Proof is a protocol (or process) that allows an individual to prove they know a secret without actually revealing that secret to a verifying party. No information about the secret or indeed any information about the authenticating user is exchanged between the two parties, eliminating the risk of theft while in transit or in storage. This means that MIRACL Trust® is both stronger and safer authentication.

With MIRACL, a multi-factor authentication takes a user 2 seconds. With all competing systems that are either dependent on a mobile app or an SMS text message, the time taken is between 20 and 50 seconds. In a world in which consumers have an 8 second attention span, it is not hard to see how a faster authentication results in reduced failed customer journeys.

Reducing friction and failure has a direct impact on user conversion, cart abandonment and churn.

At the simplest level the local device requests a PIN, the knowledge factor, from the user. The PIN is used to destroy a cryptographic key, the possession factor, and then during authentication, to rebuild that key. Without both the PIN (or biometric on mobiles) AND the destroyed key, a user cannot authenticate.

Depending on the requirement, integration can be completed in as little as minutes to compliant platforms such as OKTA, Forgerock or OneLogin or hours if AD or AFDS is required. Integration to a web service portal or native app can be done in a day depending on the level of customisation you require.

Feel free to book a call and we can talk through your integration requirement.

Yes, MIRACL Trust is a great replacement for clumsy second steps like SMS Text One Time Passcodes and it is not subject to all of the security vulnerabilities of SMS message (SIM swap etc).

Sign up at https://miracl.com/get-started/ and get started immediately with a free account. Free accounts offer 1,000 authentications per month and email support so there is no reason to worry about invoices or contracts. Contact MIRACL https://miracl.com/contact-miracl/ if you would like live support or have any other questions.

Both are “knowledge factors” and while a 4 digit pin only has 10,000 combinations, a 12 digit complex (upper+lower+alphanumeric+symbols) password has 19,408,409,961,765,342,806,016 combinations. So why should the PIN be so much more secure?

The difference is that a MIRACL PIN will only work on the device or browser that was originally enrolled with that PIN and corresponding key. In practice, that means that only your device, where you selected your PIN, can be used to log-in. MIRACL offers Multi-Factor Authentication for which you need both your PIN and your device in order to log in. Without both, a login is impossible.

So there’s no comparison between MIRACL’s single device PIN and a password which can be guessed by any one of the world’s 25 billion connected devices anonymously and at any time - see the difference?

This is very similar to your credit card’s Chip-N-PIN. You can walk into a showroom and buy a car just by presenting your credit card and your 4 digit PIN. Go in there with the Card by itself, or no card and just quoting a PIN number, and they will stare at you in disbelief!