We’ve written and talked about two-factor authentication (2FA), also known as two-step verification (2SV), before.
Most of us have a good general idea of what 2FA is all about: it means you need to prove yourself in two different ways before you can log in or use a service.
When you withdraw money from an ATM, for example, just inserting your card isn’t enough. You need to enter a PIN (personal identification number) as well.
But there are numerous other sorts of 2FA, and many of them don’t rely only on a static secret PIN like your bank card. They have a one-time code that changes every time you want to log in.
Theoretically, that makes it much harder for a crook to get enough information to take over your account, because any login codes he steals today are useless tomorrow.
Problem is, these 2FA systems all work a bit differently, and they all have different strengths and weaknesses.
This article helps you understand these differences.
→ For more information on 2FA before you start reading, you might like to look at Chester Wisniewski’s “The Power of Two” article, or listen to our Techknow podcast on the topic.
One-time passwords via SMS
This is where you are prompted to enter an additional numeric code after authenticating with your username and password.
The code is sent to your mobile device as a text message (SMS).
Once the code is received you enter it in the field provided and the login proceeds.
It’s important to point out, specifically for this type of two-factor authentication, that SMS codes do not always work for everyone.
The server might not have your country on its list of supported regions; your mobile provider might not be able to deliver the messages; or you might have unreliable mobile coverage.
For obvious reasons this won’t work with landlines either, but there is a slightly different version that will call you and read out the code.
SMS 2FA: Pros.
+ The code is different every time, so if your regular password is breached or stolen, it’s not enough for a crook.
+ The code is tied to your phone number, which can’t be changed by malware on your computer.
SMS 2FA: Cons.
– If your mobile network is down or you are out of the coverage area, you can’t receive the code.
– Crooks may be able to port your phone number (also known as a SIM swap) through an accomplice in a mobile phone shop, and receive your calls and messages until you notice your own phone is dead.
– If you are logging in and receiving the SMS on the same device (e.g. a tablet or smartphone), your login codes are as much at risk as your password.
Authenticator Apps
Authenticator apps perform the same type of service as SMS 2FA but instead of the login codes being sent to you, they are generated locally on your smartphone or tablet.
This type of authentication relies on cryptographic algorithms for time-based one-time passwords (TOTP).
The basic functionality is that a secret starting key or seed is generated and stored by the server, and then scrambled up cryptographically with the current time and date whenever you log in. This produces a time-specific code, usually valid for 30 or 60 seconds.
When you set up your account, this seed is sent to you (for example using a QR code) and imported into the authenticator app you are using.
As long as the date and time on your device are accurate to within 30 or 60 seconds, and the seed was imported correctly, the app will generate login codes that match the ones calculated on the server.
Even if crooks record your last 10, 50 or 10,000 passwords, there’s no way to reconstruct the sequence and work out what comes next unless they get hold of the seed.
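As an added example (not code from the article or from any authenticator app), here is the RFC 6238 TOTP computation in Go: the HMAC-SHA1 step that scrambles the seed with the current 30-second time step, plus a server-side check that accepts one step either side to absorb the clock drift mentioned above. The seed and the expected codes are the RFC 6238 Appendix B test vectors.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"math"
)

// hotp computes an RFC 4226 HMAC-based one-time password for one counter value.
func hotp(seed []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, seed)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	// Dynamic truncation: the low nibble of the last byte selects a 4-byte window.
	off := sum[len(sum)-1] & 0x0f
	bin := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", digits, bin%uint32(math.Pow10(digits)))
}

// totp derives the RFC 6238 code for a Unix timestamp: the counter is the
// number of whole time steps (30 s by default) since the epoch.
func totp(seed []byte, unixTime int64, step int64, digits int) string {
	return hotp(seed, uint64(unixTime/step), digits)
}

// verifyTOTP accepts a code if it matches the current step or one step on
// either side, tolerating a device clock that is slightly out.
func verifyTOTP(seed []byte, code string, unixTime int64, step int64, digits int) bool {
	for delta := int64(-1); delta <= 1; delta++ {
		if hmac.Equal([]byte(code), []byte(totp(seed, unixTime+delta*step, step, digits))) {
			return true
		}
	}
	return false
}

func main() {
	seed := []byte("12345678901234567890") // RFC 6238 Appendix B test seed
	fmt.Println(totp(seed, 59, 30, 8))                   // 94287082
	fmt.Println(verifyTOTP(seed, "94287082", 89, 30, 8)) // true: one step later still passes
}
```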
There are many implementations of this type of service but Google Authenticator is probably one of the best known versions.
Microsoft has also released a version that works with Windows Phone.
Authenticator app: Pros.
+ Doesn’t rely on an SMS every time you log in – you only need to be online when you set up an account so you can receive the seed.
+ One authenticator app can work for multiple accounts.
Authenticator app: Cons.
– If a crook gets hold of the seed (either from your device or by hacking into the server), he can calculate any future login codes.
– If you are logging in and running the authenticator app on the same device, your authenticator codes are as much at risk as your password.
Login verification
Login verification is another variation on the above themes.
Now, instead of being asked to enter a code, a login notification will be sent to your mobile device. Once this has been approved you will be signed into the site.
This process doesn’t use a secret key, or seed, that has to be shared between your device and the server.
Instead, it uses public-key cryptography to verify your identity.
A private key is generated and kept in the app on your device. The public key is sent to the server and stored there for your future logins.
At login, a challenge will be generated by the site and a notification will be sent to your device.
If approved, your device will sign the challenge, send it back to the site to be validated (because only your device should be able to sign the challenge with your private key), and login will proceed in your browser.
Twitter implemented this type of system last year.
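The challenge-response exchange described above, as an added example that is not Twitter’s or any vendor’s implementation: a toy site and device in Go, using Ed25519 as an assumed signature scheme (the article names none). It also retires each challenge once answered, so that a captured response cannot be replayed, a detail the text leaves implicit.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// site holds the enrolled public key plus the challenges it has issued and not yet seen answered.
type site struct {
	pub     ed25519.PublicKey
	pending map[string]bool
}

// enroll runs once at setup: the phone keeps priv, the site stores only pub.
func enroll() (ed25519.PrivateKey, *site) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand.Reader does not fail in practice
	return priv, &site{pub: pub, pending: map[string]bool{}}
}

// challenge is the random nonce sent along with the login notification.
func (s *site) challenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	s.pending[string(c)] = true
	return c
}

// approve is what tapping "yes" on the phone does: sign the challenge with the device's key.
func approve(priv ed25519.PrivateKey, challenge []byte) []byte { return ed25519.Sign(priv, challenge) }

// verify checks the response against the enrolled key and retires the
// challenge, so a captured response cannot be replayed later.
func (s *site) verify(challenge, sig []byte) error {
	if !s.pending[string(challenge)] {
		return errors.New("unknown or already used challenge")
	}
	delete(s.pending, string(challenge))
	if !ed25519.Verify(s.pub, challenge, sig) {
		return errors.New("signature does not match enrolled key")
	}
	return nil
}

func main() {
	priv, srv := enroll()
	c := srv.challenge()
	fmt.Println(srv.verify(c, approve(priv, c)), srv.verify(c, approve(priv, c))) // <nil>, then the replay is refused
}
```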
Login verification: Pros.
+ Doesn’t rely on an SMS every time you log in.
+ One login verification app can work for multiple accounts.
Login verification: Cons.
– If a crook gets hold of your private key, he can masquerade as you.
– If you are logging in and running the verification app on the same device, your private key is as much at risk as your password.
True two-factor authentication
Earlier, we talked about 2FA and 2SV.
They are nearly the same, but note that the name 2SV carefully avoids stating that there are two separate factors in the system.
A proper “two factor” system, as the name suggests, needs two distinct authentication factors, not merely two steps.
So a web-based account that boosts security with one-time SMS codes is no longer strictly “two factor” if you run your browser and receive the SMS on the same computer or mobile device.
For something to be considered a true 2FA system, it needs two components that operate independently and avoid a common point of compromise.
Common implementations of this are smart cards, login tokens such as the RSA SecurID, and Yubikeys.
Smartcards require a special reader to communicate with the chip on the card, but that chip acts as a tiny standalone computer with its own CPU, secure memory and cryptographic capability.
Yubikeys have their own cryptographic CPU, but communicate over USB by pretending to be a keyboard. When you plug in a Yubikey, it effectively “types in” a one-time login code that was calculated inside the key.
Tokens also have their own independent CPU, and generally don’t connect to your computer at all. Instead, they have a tiny LCD screen that displays your current login code.
True 2FA: Pros.
+ Doesn’t rely on SMS.
+ Doesn’t need a phone or tablet.
+ Is an independent security device that is always separate from your computer, phone or tablet.
True 2FA: Cons.
– You may end up with a keyring full of tokens, one for each account.
– May not be available from the service provider for free.
What next?
To find out whether the online service you use supports two-factor authentication you can visit twofactorauth.org.
It has a comprehensive (albeit not exhaustive) list of many of the top online services that support 2FA or 2SV.
Turn it on and be more secure.
Thanks John,
How would you class the types of PIN Sentry readers that the likes of Barclays Bank give to customers here in the UK for online banking?
Are there a different set of Pros and Cons that I should be aware of for using one of these?
Thanks.
PIN Sentry is pretty much the same sort of solution I said I was keen on in a paper I wrote back in 2006…check at the very end of this one…
http://www.sophos.com/en-us/why-sophos/our-people/technical-papers/phishing-and-fraud.aspx
🙂
IMO it’s a good idea – if I understand correctly (you don’t get them in my part of the world, or at least not from my bank), PIN Sentry is a sort of combination of a smart-card and a token system. Your payment card provides the cryptography; the PIN Sentry has the card reader, plus a tiny keyboard and screen where you type in the PIN and read off your login code. So it’s what I’d call a “True 2FA,” with similar pros and cons as listed above.
Problem is that a PIN Sentry is bigger than a Yubikey or a SecureID-type token, so the extra security comes with less convenience. So I notice that Barclays is now offering Mobile PIN Sentry – so you can use your mobile phone instead of carrying the PIN Sentry reader everywhere. The web site says “[Mobile PINsentry…] gives you the same security as your PINsentry card reader, and does all the same things.” But clearly, IMO, it *doesn’t* give you the same security for the simple reason that it is *different* 🙂
What next? Tired of carrying your PIN Sentry around? Switch to Mobile PIN Sentry! Tired of carrying your mobile phone around? Switch to Imaginary PIN Sentry! Tired of using your brain? Switch to our unique SuperSNAFU Zero Factor Authentication for a Truly Frictionless Experience!
In short: I like the sound of PIN Sentry; I’d class it as True 2FA. But I don’t see how the Mobile PIN Sentry version can be considered “the same,” and I’d pitch it in with the Authenticator apps.
In the best of all worlds one method would work for all accounts! My first experience with a token, SecureID, was corporate remote e-mail in the 90s, which had a downside if you always had the token with you — I trashed one doing lawn work with the key ring in my pocket.
An interesting round-up of the options available – thanks, John.
I’ve used the Paypal fob for several years now. It cost $5, which I regard as a small price to pay for a higher level of security (by contrast, Bank of America wanted $35 for their equivalent).
Recently I bought Plug-up International’s FIDO U2F Security Key (mailed from France to the US in just five days; total cost $7.99) to add a higher level of security to my Google interactions (and hopefully to others in the near future).
Again, a small price to pay, especially as I don’t have a cellphone and my home landline is only accessible through a PBX (and so far no provider has mastered the art of adding an extension to a phone number – something that used to be commonplace twenty years ago for calling some fax machines).
I have a question: how safe are landline phones to my house for my Gmail account?
Not foolproof, of course. Landlines can be tapped, can go out of service, can be redirected to a crook’s number, only work at home, and so on.
But if nothing else, that landline call at least means a crook can’t keylog your password from the other side of the world, and then log on as you over and over to drain your account. Every time he tries to login as you, your phone will ring. So he will get nowhere, and you will get an alert 🙂
So as long as you don’t make landline 2SV or SMS-based 2SV into an excuse for having a bad password, using the landline callback for 2SV will at worst have no effect on your security, and will at best make you more secure.
My 2c.
Don’t worry about using a bad password: I use LastPass to generate secure passwords. And I use a Yubikey as 2FA to LastPass, and of course a secure password.
I think the biggest bottleneck in making use of 2FA is that the vast majority of companies still insist on sticking with SMS text codes sent to mobile devices. While it’s nice to learn that I’m not the last person in the universe with no such device, that demographic info is taking its sweet time filtering out to the business world.
Paypal does offer a landline equivalent as an alternative option, which helps. I’ve discussed this several times with my bank, whose Visa card I use frequently, and so far the closest approximation they’ve managed is the secret-question approach which I don’t consider proper 2FA since it’s obviously just another part of their ID database and (normally) unchanging.
I hear you, but calling this “the biggest bottleneck” seems a bit of a stretch. In most countries, the vast majority of people do have mobile phones, or at least some sort of device capable of receiving SMSes, and many if not most of those keep them to hand all the time. You could even consider getting yourself a £5 pre-paid mobile phone and using it *only* as a 2FA token. (If you turn it off except when needed, the battery should last for weeks; if you set a decent PIN on the SIM, it’s pretty safe against misuse if lost or stolen.)