You Can’t Fix Stupid – I continue to be amazed at the combination of ignorance and laziness that pervades the internet, even among professionals. Here is a lovely story about “two-factor” authentication and one Jeremy Kiecker who very well could be a competent tax practitioner but who stuck his nose where it didn’t belong and yammered about something he was clueless about.
What is two-factor authentication?
Two-factor authentication adds a second level of authentication to an account log-in. When you have to enter only your username and one password, that’s considered a single-factor authentication. 2FA requires the user to have two out of three types of credentials before being able to access an account. The three types are:
- Something you know, such as a personal identification number (PIN), password or a pattern
- Something you have, such as an ATM card, phone, or fob
- Something you are, such as a biometric like a fingerprint or voice print
How old is two-factor authentication?
Older than life itself.
OK, not really. But 2FA is nothing new. When you use your credit card and you must enter your ZIP code to confirm a charge, that’s an example of 2FA in action. You must provide a physical factor, the card, and a knowledge factor, the ZIP code.
But just because it’s been around for a long time doesn’t mean that it’s easy to set up and use.
Wait, it’s hard to use?
It definitely adds an extra step to your log-in process, and depending on how the account vendor, such as Twitter, has implemented it, it can be a minor inconvenience or a major pain. Much also depends on your patience and your willingness to spend the extra time to ensure a higher level of security.
Fenton said that while two-factor authentication makes it harder to log in, it’s not “hugely” more so.
“An attacker might be able to collect a cookie or an OAuth token from a website and essentially take over their session,” he said. “So, 2FA is a good thing, but it does make the user experience more complicated…It’s done when you’re logging into an account on your device for the first time, for example.”
Will two-factor authentication protect me?
Well, that’s a loaded question when it comes to security.
It’s true that two-factor authentication is not impervious to hackers. One of the most high-profile cases of a compromised two-factor system occurred in 2011, when a security company was hacked.
Fenton explained both sides of the effectiveness problem. “The thing that concerns me as a security guy is that people don’t look at what the cause of the threats might be. 2FA mitigates the problems, but a lot of awful attacks can run on 2FA.”
At the same time, he said, two-factor offered more protection than logging in without it. “When you make an attack harder, you’re disabling a certain subset of the hacker community,” he said.
How is 2FA vulnerable to hackers?
To hack two-factor authentication, the bad guys must acquire either the physical component of the log-in, or must gain access to the cookies or tokens placed on the device by the authentication mechanism. This can happen in several ways, including a phishing attack, malware or credit-card-reader skimming. There is another way, however: account recovery.
If you remember what happened to journalist Mat Honan, his accounts were compromised by leveraging the “account recovery” feature. Account recovery resets your current password and emails you a temporary one so that you can log in again.
“One of the biggest problems that’s not adequately solved is recovery,” said Duo Security’s Oberheide.
Account recovery works as a tool for breaking two-factor authentication because it “bypasses” 2FA entirely, Fenton explained. “Just after [the Honan story was published], I created a Google account, created 2FA on it, then pretended to lose my data.”
Fenton continued: “Account recovery took some extra time, but three days later I got an email helpfully explaining that 2FA had been disabled on my account.” After that, he was able to log back in to the account without 2FA.
Account recovery is not a problem without a solution, though. Or, at least, solutions are being worked on.
“I see biometrics as an interesting way to solve the recovery problem,” Oberheide said. “If I lost my phone, it would take forever to go through each account and recover them. If there’s a very strong biometric recovery method, a passcode of my choosing, and a voice challenge or something like that, it becomes a very reasonable and usable recovery mechanism.”
Basically, he’s suggesting using one form of two-factor for logging in, and a second, different two-factor combo for recovery.
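As an added illustration of the two ideas above (two of the three factors at login, and a recovery path that demands a different second factor rather than simply switching 2FA off), here is a Python sketch that is not part of the original article and not code from any vendor it mentions. It assumes the “something you have” is an RFC 6238 TOTP app (HMAC-SHA1, 30-second steps, 6 digits) and that recovery uses single-use codes handed to the user at enrollment; the names `Account`, `hotp`, `totp` and `recover` are my own.

```python
"""Password + TOTP login with a recovery path that keeps 2FA enabled.

Added illustration; not code from the original post or from any vendor it
names. Assumptions: the second factor is an RFC 6238 TOTP app (HMAC-SHA1,
30-second steps, 6 digits) and recovery uses single-use codes handed to the
user at enrollment. Names (Account, hotp, totp, recover) are hypothetical.
"""
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 30   # TOTP time step
DIGITS = 6


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP: HOTP over the current time step (what the phone app displays)."""
    return hotp(secret, now // STEP_SECONDS)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class Account:
    """Server-side record: something you know (password) + something you have (TOTP secret)."""

    def __init__(self, password: str):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash_password(password, self.salt)
        self.totp_secret = secrets.token_bytes(20)   # shared once with the phone app at enrollment
        # Single-use recovery codes: shown to the user once, stored only as hashes.
        self._fresh_codes = [secrets.token_hex(5) for _ in range(4)]
        self.recovery_hashes = {hashlib.sha256(c.encode()).digest() for c in self._fresh_codes}

    def recovery_codes(self) -> list:
        """Codes the user writes down at enrollment (a real UI would show them exactly once)."""
        return list(self._fresh_codes)

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, _hash_password(password, self.salt))

    def check_totp(self, code: str, now: int, drift_steps: int = 1) -> bool:
        """Accept the current step and +/- drift_steps neighbours to tolerate clock skew."""
        step = now // STEP_SECONDS
        return any(hmac.compare_digest(hotp(self.totp_secret, step + d).encode(), code.encode())
                   for d in range(-drift_steps, drift_steps + 1))

    def login(self, password: str, code: str, now: int) -> bool:
        """Both factors are always evaluated, so the response does not reveal which one failed."""
        ok_password = self.check_password(password)
        ok_code = self.check_totp(code, now)
        return ok_password and ok_code

    def recover(self, recovery_code: str, new_password: str) -> bool:
        """Recovery demands a different 'something you have' (a pre-issued recovery code).

        Unlike an e-mailed reset that turns 2FA off, this only replaces the password;
        the TOTP secret stays enrolled, so the next login still needs the phone.
        """
        digest = hashlib.sha256(recovery_code.encode()).digest()
        if digest not in self.recovery_hashes:
            return False
        self.recovery_hashes.discard(digest)   # each code works exactly once
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash_password(new_password, self.salt)
        return True
```

The design point is in `recover`: it consumes a factor the attacker does not hold (the recovery code, which never travels by e-mail) and leaves the TOTP enrolment untouched, so the recovery flow is itself two-factor rather than a side door around it, which is the failure Fenton describes above.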
What’s next for 2FA?
As two-factor authentication becomes more commonplace, it’s more likely that attacks will be more successful against it. That’s the nature of computer security. But by virtue of being more commonplace, it will become easier to use, too.
Oberheide said that many of his customers start off thinking that implementing 2FA will be expensive or hard to use, but often find that their experience with it is the opposite.
“I think that will come faster in the consumer space because they’re not dealing with all this cruft from the legacy of 2FA from the ’80s,” he said. But he noted that older systems can have a hard time getting 2FA going. “A few months ago, we published the bypass of Google’s two-factor scheme,” he explained. “It’s not a ding against two-factor in general, but against Google’s complicated legacy system.”
Fenton noted that increased adoption could create opportunities to refine the technology. “Should we be planning now on designing something that can scale to large numbers of sites? It seems that 2FA is really exploding right now,” he said.
Despite its problems, Oberheide sounded an optimistic tone for two-factor authentication. “If we can increase the security and usability of 2FA at the same time, that’s a holy grail that’s often difficult to achieve,” he said.
3+ Factor Security:
A typical uncompromised biometric, such as a voiceprint, when analyzed automatically has about one chance in 10,000 of failing to discriminate between different individuals (that is, of accepting the wrong person as authenticated).
If the biometric is combined with a token and a secret, as above, the relative strength to reliably prove identity is: 10,000 × 1,000,000 × 10,000, or 1 chance in 100,000,000,000,000 (100 trillion).
However, when used alone …
… a PIN (secret) can be observed, guessed, or attacked by brute force.
… a mobile phone (token) can be lost or stolen or reverse engineered.
… and a voiceprint (biometric) can be recorded or mimicked.
Three-factor security technology does not have the traditional limitations associated with using any of the three security factors on their own—as is common. By conveniently combining all three factors, USR technology eliminates the vulnerability associated with a compromise of any one or two factors, resulting in superior security and reliability.
Additionally, with Three Factor Security:
The secret (PIN) is not stored in the mobile phone and therefore cannot be compromised by reverse engineering; threat of a brute force attack is eliminated with proprietary software.
The token (mobile phone with an app) is protected by software which will zeroize with tampering. Automatic lockout based on passage of time, number of transactions, and/or size and total value of transactions, and remote shut down if lost or stolen, are controlled by the authorized user.
The biometric (voiceprint) is automatically analyzed digit-by-digit, but the mobile phone displays a different number to be spoken with each use, thus foiling attacks by recording. Also, when using the mobile phone for a credit/debit card purchase, a digital picture of the authorized user, a second biometric, is displayed on the point-of-sale terminal.
This financial transaction is protected by 3+ Factor Security™.
Note: In 1984 Kenneth Weiss coined the term “two-factor” security for the SecurID token. Some ID technology uses three-factor security, and with the addition of a second biometric (a digital picture) sent to the party to whom one is identifying oneself, he has coined the term 3+ factor security.