This article covers the major aspects of two-factor authentication, including what it is, how it works and where you can use it.
Over and over we hear of stolen password databases, phishing attacks, malware that collects all of our keystrokes and even credit card skimmers installed in our local ATMs or at our favourite retailers.
The days of being able to rely on an eight-character password have passed and we need a more robust and reliable way to authenticate ourselves.
What is two-factor authentication?
Two-factor authentication, commonly abbreviated to 2FA and often used interchangeably with multi-factor authentication or two-step verification, is the process of verifying someone's identity with evidence from at least two of three distinct categories:
- Something you know
- Something you have
- Something you are
Traditional online authentication has relied on something you know, a password. There are several problems with this approach:
- A password is a secret that you must share with the organization identifying you. More often than not you have no way to verify that your password has been transmitted or stored safely.
- Anyone observing you, whether they're using a keylogger or just standing behind you, can obtain your secret.
- We are bad at memorizing strong passphrases, which leads people to reuse passwords and choose passwords that aren't complex enough.
By requiring an additional factor, such as a one-time code displayed by an RSA token or sent by SMS to your phone, we can dramatically reduce the risk of being impersonated: a stolen or guessed password alone is no longer enough.
Let's take a closer look at the three factors.
Something you know
Seems obvious: 'something you know' refers to a password, right? Often it does, but other knowledge factors are common too.
For example, Windows 8 and Android devices offer pattern-based unlock, and ATMs already use two factors: the card you have and the PIN you have memorized.
When it comes to passwords, length matters and so I prefer to use the term passphrase, with the hope that people will take it to heart and choose something more like "JustThe2ofus,youandi.JusttheTWOofus." and less like "Princess123".
Something you have
Two-factor authentication is typically a combination of something you know and something you have. The second factor, the thing you have, is most often a token generated by a device in your possession.
There are two primary types of token generating device:
- Tokens that are used online (challenge/response based)
- Tokens that can be used offline (time, sequence or OTP based)
Online tokens most often take part in a challenge/response exchange with the server: the server sends a fresh random challenge, and the token digitally signs it together with the details of the transaction, making the response tamper-evident and useless for replay.
Imagine a smartcard such as a Chip & PIN EMV credit card. Instead of transmitting a static number like a magnetic-stripe card, the chip cryptographically signs a statement for this transaction only, along the lines of "Allow $41.23 to be transferred from me to Sophos".
This prevents a thief who captured that response from charging $500 to another merchant: the amount and merchant are covered by the signature, and the thief cannot obtain the key needed to sign a new one.
Smartcards typically hold a private key that never leaves the chip and present a certificate (X.509 in most enterprise smartcards; EMV uses its own certificate format) so the verifier can check the signature, similar to the way you might digitally sign an email or a publisher might sign their software.
Online tokens are still susceptible to man-in-the-middle (MitM) attacks if the user can be tricked into signing a different transaction than the one they see, and they require a live connection to the entity trying to authenticate the possessor.
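The challenge/response exchange described above, written out as an added example that is not from the original article. A real EMV card signs with a private key held on the chip; to keep this runnable on the Python standard library, the card's signature is stood in for by an HMAC over a per-card secret shared with the issuer (an assumption, not how EMV works). The card key, merchant names and amounts are constructed sample values. The point it demonstrates is the one in the text: the response is bound to a fresh nonce and to the amount and merchant, so a captured response cannot be reused for a different charge, nor replayed for the same one.

```python
import hashlib
import hmac
import json
import secrets

# Constructed example key. Stands in for the card's private key; in EMV the
# issuer would verify a signature against the card's certificate instead.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def issue_challenge() -> bytes:
    """Terminal/issuer side: a fresh random nonce that is valid for this transaction only."""
    return secrets.token_bytes(16)


def _canonical(nonce: bytes, amount_cents: int, merchant: str) -> bytes:
    # Fixed field order and encoding so card and issuer MAC exactly the same bytes.
    record = {"nonce": nonce.hex(), "amount_cents": amount_cents, "merchant": merchant}
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def card_sign(card_key: bytes, nonce: bytes, amount_cents: int, merchant: str) -> bytes:
    """Card side: the response covers the challenge AND the transaction details."""
    return hmac.new(card_key, _canonical(nonce, amount_cents, merchant), hashlib.sha256).digest()


def issuer_verify(card_key: bytes, nonce: bytes, amount_cents: int, merchant: str,
                  response: bytes, seen_nonces: set) -> bool:
    """Issuer side: reject replayed challenges, then check the response in constant time."""
    if nonce in seen_nonces:
        return False  # this challenge was already consumed
    expected = card_sign(card_key, nonce, amount_cents, merchant)
    if not hmac.compare_digest(expected, response):
        return False  # wrong key, wrong nonce, or altered amount/merchant
    seen_nonces.add(nonce)
    return True


def demo() -> tuple:
    """Returns (genuine accepted, tampered rejected, replay rejected)."""
    seen = set()
    nonce = issue_challenge()
    response = card_sign(CARD_KEY, nonce, 4123, "Sophos")  # "$41.23 to Sophos"

    # A thief who captured `response` is issued a fresh challenge by another
    # merchant and tries to pass the old response off as authorising $500.
    other_nonce = issue_challenge()
    tampered_ok = issuer_verify(CARD_KEY, other_nonce, 50000, "OtherShop", response, seen)

    genuine_ok = issuer_verify(CARD_KEY, nonce, 4123, "Sophos", response, seen)

    # Replaying the genuine response against its own, now-consumed challenge.
    replay_ok = issuer_verify(CARD_KEY, nonce, 4123, "Sophos", response, seen)
    return genuine_ok, tampered_ok, replay_ok


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The replay check matters as much as the signature: without the `seen_nonces` set, a verifier that accepted a valid response could be made to accept it again, which is exactly the weakness a static card number has.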
Offline tokens have no direct connection to the entity requesting authentication. Instead, the token and the server agree on a secret key when the token is enrolled, and both sides can then compute the same one-time codes independently.
There are three primary types of offline token - time based, sequence based and one-time pads.
If you have ever used Google Authenticator, an RSA SecurID token or a Symantec VIP token, you have seen a time-based token.
A hardware time-based token is battery powered and keeps its own clock; an app uses the phone's. Either way the token computes an HMAC, keyed with the shared secret, over the number of 30-second intervals elapsed since the Unix epoch (midnight UTC, 1 January 1970) and displays a portion of the result, typically six digits.
Because the authenticator holds the same shared secret and its own clock, it can compute the value that should be on the screen and check that it matches the input, usually allowing a step or two of clock drift.
This is one of the reasons customers of RSA were so concerned when it was rumored that hackers had compromised their cryptographic seeds.
This could allow the person in possession of these stolen secrets to predict what was on the screen of corresponding tokens.
Another type is a sequence-based token. Here the code depends on a counter that advances each time a code is used rather than on the clock, so the token and server must stay in step; a printed list of pre-agreed codes works the same way, with each entry crossed off once used.
Even if attackers were to spy on your communication, they would not know the next valid number in the sequence. They could phish your current number, but this would not allow them to continue to compromise you into the future.
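The time-based and sequence-based schemes above are the same algorithm with a different counter, so one added example serves both (this is illustrative code written for this article, not code from RSA, Google or Symantec). HOTP (RFC 4226) computes an HMAC-SHA1 over a counter and truncates it to six digits; TOTP (RFC 6238), the scheme Google Authenticator uses, is HOTP whose counter is the number of 30-second steps since 1 January 1970. The seed is the ASCII string from the RFC test vectors so the output can be checked against the published values. The verifier classes are an assumption about how a server would be written: the time-based one allows one step of clock drift and refuses to accept the same step twice, so a phished code is good for one login only; the counter-based one looks ahead a few values so a token pressed without logging in does not fall out of sync.

```python
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test-vector seed. A real seed is random and is shared
# with the server only once, at enrolment (this is what RSA's stolen seeds were).
SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of `step`-second intervals since the Unix epoch."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server side for a time-based token (assumed design, see lead-in)."""

    def __init__(self, secret: bytes, step: int = 30, skew: int = 1):
        self.secret, self.step, self.skew = secret, step, skew
        self.last_accepted_step = -1  # never accept a time step twice

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for delta in range(-self.skew, self.skew + 1):
            candidate = current + delta
            if candidate <= self.last_accepted_step:
                continue  # already used, or older than a used step
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_accepted_step = candidate
                return True
        return False


class HotpVerifier:
    """Server side for a sequence-based token (assumed design, see lead-in)."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret, self.look_ahead, self.counter = secret, look_ahead, 0

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # this and every earlier code is now burned
                return True
        return False


if __name__ == "__main__":
    print("current TOTP:", totp(SEED, int(time.time())))
    v = TotpVerifier(SEED)
    print("first use:", v.verify(totp(SEED, int(time.time())), int(time.time())))   # True
    print("replay:   ", v.verify(totp(SEED, int(time.time())), int(time.time())))   # False
```

Anyone holding `SEED` can run `totp()` for any future time, which is why a leaked seed database is equivalent to a copy of every token it covers.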
Another popular method is an on-demand code: the server generates a random one-time code for this login and delivers it to the user by SMS or automated phone call. It is loosely analogous to a one-time pad in that each code is used exactly once, although it carries none of a true one-time pad's unbreakability guarantee.
Like the other offline tokens, these codes can still be phished, and SMS delivery can be intercepted or redirected, but they have a lower barrier to entry: the user doesn't need a purpose-built device or even a smartphone.
Something you are
The third factor to consider is you.
Something you are can be captured by things like facial recognition, your fingerprints, the vein pattern in your hand, your iris print or your retinal pattern.
The problems here run deep. Vein patterns and retina scans, like fingerprint reading, can be very accurate, but are expensive.
Facial recognition and iris prints have, in consumer implementations, proven too easy to spoof with a photograph. They are interesting to play with (some Android devices offer facial unlock) but too unreliable to depend on to bolster authentication.
That leaves fingerprints. They've been spoofed, but there are mitigations.
As a second factor, I think they can be good enough. The likelihood of having your password or token stolen in addition to someone lifting a suitable fingerprint is vanishingly small. As with most things, it depends upon the security of the application.
The other question when using biometric scanners is how accurate is too accurate. Every scanner trades false accepts against false rejects: if you configure a fingerprint scanner to its strictest matching threshold, you may not be able to authenticate when your hands are cold or you have a blister.
You also have to convince the people who are being authenticated to surrender their biometric data in the first place.
Furthermore, unlike a password, if your retina scan or fingerprint is stolen, it cannot be changed.
Pros and cons of two-factor authentication
Two-factor authentication is not a panacea, but it does dramatically improve security for reasonably little effort.
There are a few central issues. The first that comes to mind, as with most things, is the cost. Here we have an 80-20 (Pareto principle) situation.
Whenever you add a second factor you get about 80% of the benefit simply by implementing any additional factor.
If you want to worry about capturing the other 20%, you will spend ever increasing sums of money and inconvenience to get there.
Offline hardware tokens like RSA, Symantec, Yubikey and others are reasonably secure, but have a moderate per-user cost ($20-$100/user).
Many users will forget to bring them along or lose them, increasing both the labour and per-user cost over time.
Lots of people like using their cell phone as a token.
This is convenient but if you're using your phone to both enter a password and receive a token it becomes a single point of failure. Compromise of your phone leads to total compromise.
Most two-factor solutions are vulnerable to man-in-the-middle or man-in-the-browser attacks, where the attacker relays your one-time code in real time. Even then, the code buys the attacker a single login or session rather than standing access, and the attack has to be repeated every time.
Increasing the difficulty for attackers by a significant factor is always worth it.
Often you won't have a choice as to what type of two-factor authentication you are offered, but I would advise you to take advantage of whatever is offered.
Where 2FA is available
Hopefully you are convinced that two-factor authentication is worth your while - so where can you take advantage of it?
Here are some major email and social media providers who offer you the choice to better secure your online identity.
Facebook is very flexible in how it offers two-factor authentication. To review your options click the gear icon in the upper-right corner and select Settings | Security.
Your options are under Login Approvals or Code Generators.
You can choose whether you want to use: SMS authentication, telephone, a one-time password list, the Google Authenticator app or the Facebook smartphone app for your second factor.
Google services offer two-factor authentication through: the Google Authenticator application for smartphones, SMS, telephone and one-time password. To alter your settings go to https://accounts.google.com/b/0/SmsAuthSettings and adjust your security preferences.
Twitter offers either SMS authentication or an application that prompts you for logins from unknown computers. While SMS is easiest, it does not accommodate organizations that require multiple people to access a Twitter account.
Twitter's Android and iOS application allow multiple people to use two-factor authentication while still sharing an account.
Users of LinkedIn are somewhat limited. They can only use two-factor authentication via SMS. To enable the option choose Privacy and Settings | Review | Account | Manage Security Settings.
Microsoft supports the Google Authenticator application, SMS, and email authentication.
I don't think that email really counts as a second factor, but it is one of the options available if you are a Microsoft user.
None of these solutions solves the problem of people impersonating you online, but they all make it a lot harder. Take advantage of them wherever you can and make it that much harder for criminals to spend your social capital.
If you want to know more about two-factor authentication, listen to our 2FA Techknow podcast.
Image of fob courtesy of Shutterstock. Image of smartcards Creative Commons 3.0-SA by Diego Suoto from Wikimedia Commons.