Two-factor authentication is all the rage. Many banks have sent their customers tiny plastic devices that look like calculators, into which they put their cards when doing online banking, and Git has recently introduced it. Supplying a username and password is usually a single factor, as these are both things you know. By adding a second factor, something you have, systems can be made much more secure. Recently I worked on a system that turns your mobile phone into that second factor, the thing you have. Great idea: you probably already have it with you.


Rawduck is an incubator in Shoreditch, London. They help their clients get products to market by offering technical and business support. This project came about because the owners of the authentication patent had employed a software company in India to produce two-factor authentication iOS and Android libraries, an ASP.NET backend system and native mobile apps for Apple's and Google's platforms.

The ecosystem was intended to demonstrate how a PIN entered into a mobile phone can be used to secure both e-commerce and m-commerce transactions, to identify people whether they are logging onto a VPN, calling into a contact centre or accessing a building, and to provide authorisation mechanisms for distributed workflows.

The only problem was that the offshore company employed to develop the suite of applications failed to deliver software to the standard expected. This is not uncommon and is probably worth a post of its own, but simply put, outsourcing development to companies in a different time zone is risky and often, as this client discovered, good money has to be spent recovering the situation.

The first task was a quality audit:
  • Had the iOS library and native application been built to specification?
  • Had mistakes been made to compromise the system?
  • Had the patent specification been honoured?
The core security aspects were audited by a specialist firm; however, the process, while dense, could be interrogated by me, and I produced a set of documents which described the logic of the iPhone application and the architecture of the iOS library. These were used to check against the patent specification document, provided a starting point for the backend audit, and served as collateral for the final recommendation report.

Additionally, I created a working iPhone prototype which described the architectural changes needed to realise a more sophisticated approach. The essential change was separating the application correctly, fundamental stuff really. For example, removing business logic from XML parsers and data manipulation from ViewControllers, in line with Apple's recommendations.

The prototype also demonstrated the benefit of the third-party iOS library OHHTTPStubs. This great library makes working offline, independently from API development, very straightforward. Injecting this ability into your development process can reap great rewards, as dependencies on other teams can be postponed until later in the process, once system entities are more stable.
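As an added illustration of the offline approach described above (this is example code, not the Rawduck project's or the OHHTTPStubs project's own), the stub below answers a hypothetical PIN verification endpoint with a scripted sequence of outcomes so the app's wrong-PIN, lock-out and success paths can all be exercised without a backend. The host, path, status codes and JSON fields are assumptions; the page does not describe the real API.

```objective-c
// Added example, not from the original project: stub a hypothetical
// two-factor PIN verification endpoint with OHHTTPStubs so the iOS app
// can be developed and tested offline, including its failure paths.
#import <OHHTTPStubs/OHHTTPStubs.h>
#import <OHHTTPStubs/OHHTTPStubsResponse+JSON.h>

// Hypothetical host and path; the real API is not described on the page.
static NSString *const kStubHost = @"auth.example.invalid";
static NSString *const kVerifyPath = @"/v1/pin/verify";

static void InstallPinVerifyStubs(void)
{
    // Scripted scenario so retry and lock-out handling are deterministic:
    // 1st call wrong PIN, 2nd call account locked, 3rd call success.
    __block NSUInteger attempt = 0;

    [OHHTTPStubs stubRequestsPassingTest:^BOOL(NSURLRequest *request) {
        // Only intercept POSTs to the verification endpoint; everything
        // else still goes to the network.
        return [request.URL.host isEqualToString:kStubHost]
            && [request.URL.path isEqualToString:kVerifyPath]
            && [request.HTTPMethod isEqualToString:@"POST"];
    } withStubResponse:^OHHTTPStubsResponse *(NSURLRequest *request) {
        attempt++;
        NSDictionary *headers = @{ @"Content-Type": @"application/json" };
        OHHTTPStubsResponse *response;
        if (attempt == 1) {
            // Constructed error body: wrong PIN, attempts remaining.
            response = [OHHTTPStubsResponse responseWithJSONObject:@{ @"error": @"invalid_pin", @"attemptsRemaining": @2 }
                                                        statusCode:401 headers:headers];
        } else if (attempt == 2) {
            // Constructed lock-out body: the app must stop prompting and show a wait.
            response = [OHHTTPStubsResponse responseWithJSONObject:@{ @"error": @"locked", @"retryAfterSeconds": @300 }
                                                        statusCode:429 headers:headers];
        } else {
            // Constructed success body with a short-lived session token.
            response = [OHHTTPStubsResponse responseWithJSONObject:@{ @"token": @"stub-session-token", @"expiresIn": @60 }
                                                        statusCode:200 headers:headers];
        }
        // Simulate mobile network latency so timeout handling is exercised too.
        response.requestTime = 0.2;
        response.responseTime = 1.0;
        return response;
    }];
}

// Call [OHHTTPStubs removeAllStubs] in tearDown so stubs never leak into
// other tests or into a release build.
```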