Sophos Cloud Optix
This article covers the major aspects of two-factor authentication, including what it is, how it works and where you can use it.
Over and over we hear of stolen password databases, phishing attacks, malware that collects all of our keystrokes and even credit card skimmers installed in our local ATMs or at our favourite retailers.
The days of being able to rely on an eight-character password have passed and we need a more robust and reliable way to authenticate ourselves.
What is two-factor authentication?
Two-factor authentication, commonly abbreviated to 2FA or referred to as multi-factor or two-step verification, is the process of verifying someone’s identity with two out of three possible identifiers:
- Something you know
- Something you have
- Something you are
Traditional online authentication has relied on something you know, a password. There are several problems with this approach:
- A password is a secret that you must share with the organization identifying you. More often than not you have no way to verify that your password has been transmitted or stored safely.
- Anyone observing you, whether they’re using a keylogger or just standing behind you, can obtain your secret.
- We are bad at memorizing strong passphrases, which leads people to reuse passwords and choose passwords that aren’t complex enough.
By requiring an additional factor, such as secret code taken from an RSA token or sent by SMS to your phone, we can dramatically reduce the risk of being impersonated.
Let’s take a closer look at the three factors.
Something you know
Seems obvious: ‘something you know’ refers to password, right? Often it is, but other knowledge factors are quite common too.
For example; Windows 8 and Android devices offer pattern-based authentication and ATMs typically use a form of two-factor authentication that requires users to memorize a PIN.
When it comes to passwords, length matters and so I prefer to use the term passphrase, with the hope that people will take it to heart and choose something more like “JustThe2ofus,youandi.JusttheTWOofus.” and less like “Princess123“.
Something you have
Two-factor authentication is typically a combination of something you know and something you have. The second factor, the thing you have, is most often a token generated by a device in your possession.
There are two primary types of token generating device:
- Tokens that are used online (challenge/response based)
- Tokens that can be used offline (time, sequence or OTP based)
Online tokens
Online tokens most often offer the ability to participate in a challenge/response from the server and digitally sign the response making the transaction tamper-proof.
Imagine a smartcard, like a Chip & PIN EMV credit card that contains a chip. Instead of transmitting a static number like a traditional credit card, the chip is able to cryptographically sign a transaction saying “Allow $41.23 to be transferred from me to Sophos”.
This prevents a thief from then charging $500 to another merchant as they are unable to obtain my keys to sign the transaction.
Most smartcards use X.509 certificates to sign transactions, similar to the way you might digitally sign an email or a publisher might sign their software.
Online tokens are still susceptible to man-in-the-middle (MitM) attacks and require a live connection to the entity trying to authenticate the possessor.
Offline tokens
Offline tokens work out-of-band, meaning they have no direct connection to the entity requesting authentication, usually by sharing a secret key.
There are three primary types of offline token – time based, sequence based and one-time passwords.
If you have ever used Google Authenticator, an RSA token or Symantec VIP token you have seen a time-based token.
Time-based tokens are battery powered and hash the current number of seconds since Jan 1, 1970 and display a portion of the result on the screen, typically six digits.
The hashing uses a shared secret between the entity doing the authentication and the token. This allows the authenticator to compute the value on the screen and ensure it matches the input.
This is one of the reasons customers of RSA were so concerned when it was rumored that hackers had compromised their cryptographic seeds.
This could allow the person in possession of these stolen secrets to predict what was on the screen of corresponding tokens.
Another type is a sequence-based token. The idea is you have a list of pre-agreed upon numbers, like a one-time password.
Even if attackers were to spy on your communication, they would not know the next valid number in the sequence. They could phish your current number, but this would not allow them to continue to compromise you into the future.
Another popular method is basically an on-demand, one-time password. One-time passwords are unbreakable if used properly and their modern implementation involves an authentication token being delivered to a user via an SMS or automated call.
Similar to the other offline tokens, they can still be phished, but have a lower barrier to entry. The user doesn’t need to possess a purpose built device nor do they have to possess a smartphone.
Something you are
The third factor to consider is you.
Something you are can be captured by things like facial recognition, your fingerprints, the vein pattern in your hand, your iris print or your retinal pattern.
The problems here run deep. Vein patterns and retina scans, like fingerprint reading, can be very accurate, but are expensive.
Facial recognition and iris prints have proven too easy to spoof. They are interesting to play with (some Android devices offer facial unlock) but are too unreliable to depend on to bolster authentication.
That leaves fingerprints. They’ve been spoofed, but there are mitigations.
As a second factor, I think they can be good enough. The likelihood of having your password or token stolen in addition to someone lifting a suitable fingerprint is vanishingly small. As with most things, it depends upon the security of the application.
The other question when using biometric scanners is, How accurate is too accurate? If you configure a fingerprint scanner to its maximum resolution, you may not be able to authenticate when your hands are cold or if you get a blister.
You also have to convince the people who are being authenticated to surrender their biometric data in the first place.
Furthermore, unlike a password, if your retina scan or fingerprint is stolen, it cannot be changed.
Pros and cons of two-factor authentication
Two-factor authentication is not a panacea, but it does dramatically improve security for reasonably little effort.
There are a few central issues. The first that comes to mind, as with most things, is the cost. Here we have an 80-20 (Pareto principle) situation.
Whenever you add a second factor you get about 80% of the benefit simply by implementing any additional factor.
If you want to worry about capturing the other 20%, you will spend ever increasing sums of money and inconvenience to get there.
Offline hardware tokens like RSA, Symantec, Yubikey and others are reasonably secure, but have a moderate per-user cost ($20-$100/user).
Many users will forget to bring them along or lose them, increasing both the labour and per-user cost over time.
Lots of people like using their cell phone as a token.
This is convenient but if you’re using your phone to both enter a password and receive a token it becomes a single point of failure. Compromise of your phone leads to total compromise.
Most two-factor solutions are vulnerable to man-in-the-middle or man-in-the-browser attacks. However, even in the worst case scenario you are only vulnerable for a single transaction.
Increasing the difficulty for attackers by a significant factor is always worth it.
Often you won’t have a choice as to what type of two-factor authentication you are offered, but I would advise you to take advantage of whatever is offered.
Where 2FA is available
Hopefully you are convinced that two-factor authentication is worth your while – so where can you take advantage of it?
Here are some major email and social media providers who offer you the choice to better secure your online identity.
Facebook is very flexible in how it offers two-factor authentication. To review your options click the gear icon in the upper-right corner and select Settings | Security.
Your options are under Login Approvals or Code Generators.
You can choose whether you want to use: SMS authentication, telephone, a one-time password list, the Google Authenticator app or the Facebook smartphone app for your second factor.
Gmail
Google services offer two-factor authentication through: the Google Authenticator application for smartphones, SMS, telephone and one-time password. To alter your settings go to https://accounts.google.com/b/0/SmsAuthSettings and adjust your security preferences.
Twitter offers either SMS authentication or an application that prompts you for logins from unknown computers. While SMS is easiest, it does not accommodate organizations that require multiple people to access a Twitter account.
Twitter’s Android and iOS application allow multiple people to use two-factor authentication while still sharing an account.
Users of LinkedIn are somewhat limited. They can only use two-factor authentication via SMS. To enable the option choose Privacy and Settings | Review | Account | Manage Security Settings.
Microsoft Hotmail/Outlook.com
Microsoft supports the Google Authenticator application, SMS, and email authentication.
I don’t think that email really counts as a second factor, but it is one of the options available if you are a Microsoft user.
Conclusion
None of these solutions solves the problem of people impersonating you online, but they all make it a lot harder. Take advantage of them wherever you can and make it that much harder for criminals to spend your social capital.
If you want to know more about two-factor authentication listen to our 2FA Techknow podcast:
(Audio player above not working for you? Download to listen offline, or listen on Soundcloud.)
Image of fob courtesy of Shutterstock. Image of smartcards Creative Commons 3.0-SA by Diego Suoto from Wikimedia Commons.
I really like Blizzard’s 2FA. It’s slightly different than say, Google’s because I need an app on my phone. I’d signed up for Google’s 2FA and heaved a big, annoying sigh. I live in an area were cell reception is basically nil. If – IF – I get the text, it’s several minutes later. However, Blizzard just generates a time-limit-based random number system that I use whenever I sign into battle.net or world of warcraft. I could have chosen the keychain version too but that cost $.
I believe the battle.net authenticator is using RSA’s technology re-branded as Blizzard, but I agree, it’s quite handy. You should take a look back into Google Authenticator, because it does offer a similar experience and the app can be caused for many sites these days – as an example, I have Google Authenticator set up for 2 Google accounts, LastPass, DropBox, GitHub, and my web host account.
Blizzard tokens are made by VASCO
Google offers you a set of one-time backup codes that you can print out and put in your wallet or keep as a text file on your computer; you can use them when you’re w/o your phone or cell reception is bad.
https://support.google.com/accounts/answer/1187538?hl=en
Google’s Authenticator (as opposed to Google SMS 2FA) uses HMAC TOTP and HOTP (open standards, you can find the RFCs) and is an app that runs on your phone without need for network access (correct time in the case of TOTP).
I’m surprised TOTP and HOTP aren’t mentioned directly in the article as they are the most popular forms of 2FA these days.
Side note, since it’s an open standard, one could drop the Authy app in place for slightly more security (Think I read that Google didn’t encrypt the shared secrets stored on the device, sigh) since Authy encrypts the secrets.
I don’t know the details about Blizzard’s authenticator, but I’m hesitant to trust standalone authenticators when Google Authenticator and Authy are so easy to use.
One important advantage of a standalone authenticator (especially the sort with a keypad that are themselves PIN-protected) is, errrrr, that they are standalone, so there’s never a chance that the authenticator app and the app in which you are plugging the code are on the same device (which gives you a sort-of 1.5-factor authentication π
And there’s probably a lower chance (I think you can assume, RSA’s “stolen seeds” fiasco of a year or three ago notwithstanding) of the shared secret behind a standalone token getting stolen than something stored on your Android device…
We have a system making a phone call to a pre-defined number that I cannot change. The call comes to my mobile. I then have to put in my PIN and the voice of my PIN is sent to our AD and it’s accepted there. Before having that call I have to give my username.
So there are two things I know: Username and PIN. Two things our admin knows: Phone number and username. Three things our AD knows: Phone number, username and PIN (actually what my PIN sounds like). And still one thing I have: my phone.
We use this in our VPN authentication. That may sound complex, but is really easy to use. And safe.