🎉 Use coupon MYXERO to enjoy 20% recurring discount on any plan. View Pricing
XeroWP
Meveto

Meveto

5/5 (1 ratings) — active installs Updated May 10, 2021
access managementauthenticationmevetopassword-less
Download v3.0.2 Plugin Website
The Meveto configuration settings

The Meveto configuration settings

Meveto is a cyber-security company based in California, US. We aim to provide strong, decentralized and simple authentication system that can easily replace the current outdated and obsolete passwords based or 2FA and MFA based authentication systems that can be compromised easily. With Meveto, The need for passwords and other weak measures is completely eliminated. Meveto empowers your personal mobile devices such as your phone, to always be able to authenticate you everywhere over the internet (of course you can only use Meveto with services that have adopted it) and we hope that soon we will be revolutionizing the way not only people, but workstations, devices and IoT authenticate.

How it works?

Meveto uses PKI (Public Key Infrastructure) to authenticate an entity. It uses curve X25519 of the strong elliptic curves cryptography with a key size of 384 bytes. When a device is paired with a Meveto account, a public private key pair is generated on the device itself and the public key is sent to the Meveto servers. This way, the private key, which is the most important piece in the puzzle, never ever leaves the original device thus ensuring maximum security. Each device generates a new pair through Meveto app (Android or iOS) when it’s being paired (even if the app is re-installed on the same device) and this way the entire security control is full decentralized. Here are the steps that briefly explains the way Meveto works even further.

The Registration

  • A user registers with Meveto. Meveto associates sends the user a “device ID” and a short, one time “Pairing Key”.
  • The user downloads Meveto app on their device. They use the Device ID and Pairing Password to pair the device with their Meveto account.
  • Meveto app before sending the “pairing request”, generates a public and private key pair. It also then sends the public key along with the device ID and pairing key to the Meveto servers.
  • Meveto servers verifies device ID and pairing key and stores the public key of the device.

The Authentication

  • From Meveto’s website, user enters their username or email address and requests login.
  • Meveto generates up to 6 pseudo random digits and displays it to the user on their screen. We call this a session ID, however, it has absolutely no significant role to play and does not need to be unique or something. Additionally, Meveto also sends a “LoginSessionToken” to the browser that the browser can then exchange for an authentication token when the process is complete.
  • Users enter the session ID digits they see on the screen into their paired Meveto app and presses the “Authenticate” button.
  • Meveto app sends its ID (which was stored at the time of initial pairing), the session digits that the user just entered and then signs the request with its private key.
  • Meveto servers first validates the input data of course, then uses the “Device ID” to fetch the “Public key” of the device that was stored during the pairing process. Then Meveto servers uses the public key to verify the signature of the request. If the signature is successfully verified, then Meveto checks the Session digits and verifies those as well (Note that here the verification of those session digits is only needed to confirm that the user has actually requested a login) otherwise, the authentication is done through the verification of the signature.
  • If all goes well, Meveto servers broadcasts an event that the authentication has been successful. The user’s browsers listens to the broadcast and then requests an Authentication token from the servers against the “LoginSessionToken” which was received by the browser when the user requested login.