Towards Secure Two Factor Authentication

Authenticity Required

Image from Dev Arka, Flickr: http://flic.kr/p/2eqb6f

Yesterday I looked at passwords, and why they are long past their sell-by date and thoroughly inadequate. Two factor authentication and password managers provide a far better approach than the usual tired advice of choosing a long, complex but memorable password that you change often (impossible, much?).

Two fifths (40%) of UK adults now own a smartphone (source: Ofcom's Communications Market Report, July 2012). Of course that leaves three fifths who don't. Smartphone take-up in the USA is currently somewhat lower still.

That leaves a big section of your audience who don't yet have access to a smartphone; UK mobile ownership, however, is currently 93%. So whilst mobiles are pretty much guaranteed amongst people using the web, smartphones are not, yet.

Of course this means that simply producing an app to emulate a secure token generator is not going to reach even half your audience (unless you're running an Android or iPhone developer site, of course!).

Secure smartphone apps will have their day, but for now even if you produce one, you’d better be thinking of a fallback for those who are not yet smartphone owners, as that’s most people!

Which is where using SMS for two factor authentication comes in – it’s universal across every mobile out there.

Third Party Authentication

Essentially this means outsource the problem. Rely on Facebook, Google or some other third party to handle the login authentication for you. Both Facebook and Google (and others) have made it relatively simple to use their authentication to provide third party logins.

There's undoubtedly convenience for both the site and the user in going this route. But of course security and convenience are mostly mutually exclusive. A single login now opens many doors. If a hack or a moment of carelessness loses a Facebook login, it now risks losing access to every connected site and service.

Connectivity is great, but in the event of a problem it massively increases the chances of what should be just an inconvenience utterly destroying your digital life. That could go as far as erasing all your machines, phones and photos, losing access to dozens of accounts and potentially tarnishing your name across half the Internet.

Surely that's a far too doom-laden scenario? No, it's happened, in a rather well known case involving Wired reporter Mat Honan.

Ignoring the catastrophic case and the security issues of third party authentication, there's another reason many users are not comfortable with this.

To a significant minority of people out there, Facebook and Google already know far too much. Giving them additional data about the third party sites they log into, and, with the like/+1 buttons that are appearing all over the place, also letting them know when and how often they visit, is a privacy step too far.

Many will simply not join a site that only offers third party sign up.

Which of course means you need a local means of signing up, and that had better have good security too. So you still get to implement security and authentication, and it had better be half decent, no?

As far as the security goes, to my mind it's doubtful the benefits outweigh the disadvantages. The convenience is higher, but the implementing site had better have a secure native login route as well, so the convenience is only to the user.

Two Factor Authentication via SMS – Perfection?

Alright, this is all very rosy, but what are the limitations of two factor authentication via SMS?

The web site or app has to generate a suitably secure code, and implement whatever session timeouts, lock-out on repeated failure and so on are appropriate.

As mentioned yesterday, you'd better not be providing easy fallback routes to a user (or hacker) who claims not to have the device to hand. This of course applies to every security method that works via another channel.

Of course you need some fallback route, but you need to ensure that any user who has opted in to the additional security of two factor authentication is validated adequately.

Hence if someone is claiming the device isn't to hand, you should be issuing confirmations by email or phone, and locking the account if they don't validate.

If I can simply call up, claim I’ve lost my phone, and blag authentication out of a site, all that additional security is pointless, no?

The other attack vector is via a phishing or social engineering route: getting someone to install an app (on a smartphone) claiming it is a security "upgrade" or certificate. The app then sits there listening to incoming texts and, if one is a security token, sends it off to Mr Hacker's website.

There has been a case or two of this, but as far as I can see only directed at banks using SMS tokens. If your security need is that high you're far better off looking at individual tokens or smart card readers for your users anyway.

Of course if your SMS code only has a life of a minute, or five, the period during which a user is susceptible to this becomes very limited, and restricting the ability to be logged on in two sessions simultaneously would further limit the scope of such routes.
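As an added example (not code from the original post), here is the server side of what the last few paragraphs describe: a helper that issues a six-digit SMS code from a cryptographically secure source, expires it after five minutes, discards it after three wrong guesses, and accepts each code only once. The `send_sms` hook is an assumed stand-in for a real SMS gateway, and the injectable clock exists only so expiry can be exercised without waiting.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6         # digits in the code sent by SMS
CODE_LIFETIME_S = 300   # five minutes, the upper end of the lifetime the post suggests
MAX_ATTEMPTS = 3        # wrong guesses before the outstanding code is discarded


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0


class SmsSecondFactor:
    """Issues and checks single-use SMS codes with expiry and an attempt limit."""

    def __init__(self, send_sms, now=time.time):
        self._send_sms = send_sms   # assumed hook: callable(phone_number, text), stands in for an SMS gateway
        self._now = now             # injectable clock so expiry can be exercised in tests
        self._pending = {}          # user_id -> PendingCode; one outstanding code per user

    def issue(self, user_id, phone_number):
        # secrets, not random: the code must be unpredictable to an attacker
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._pending[user_id] = PendingCode(code=code, issued_at=self._now())
        minutes = CODE_LIFETIME_S // 60
        self._send_sms(phone_number, f"Your login code is {code}. It expires in {minutes} minutes.")
        return True

    def verify(self, user_id, submitted):
        pending = self._pending.get(user_id)
        if pending is None:
            return False            # nothing outstanding: never issued, already used, expired or locked out
        if self._now() - pending.issued_at > CODE_LIFETIME_S:
            del self._pending[user_id]
            return False            # expired: a code intercepted by malware is useless after the window
        pending.attempts += 1
        # constant-time comparison so response timing does not leak how much of the code matched
        if hmac.compare_digest(pending.code, str(submitted)):
            del self._pending[user_id]
            return True             # single use: the same code cannot open a second session
        if pending.attempts >= MAX_ATTEMPTS:
            del self._pending[user_id]   # lock out: the user must request a fresh code
        return False
```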

Do It Right, Or Else…

In conclusion, it's about all that can be said of security: do it right. That means don't be giving away logins to anyone who calls up and knows a home address, for example. Validate by whatever means you can, and for now use two factor authentication to go beyond passwords, as passwords have become borderline useless.