Two Factor Authentication

Two factor or multi-factor authentication makes computing more secure. You’ve probably seen it already and you will see more of it. I highly recommend it, with some caveats. I remain skeptical of biometric authentication. Facial, fingerprint, and retina recognition are all convenient, but they also have issues that are not ironed out yet. No matter how optimistic the sensor makers’ marketing, faces, prints, and retinas can’t be replaced when they are compromised, and there are reports of gruesome compromisations. Multi-factor authentication adds extra steps to authentication, but there is no question that additional factors increase security.

What is multi-factor authentication?

As the name suggests, multi-factor authentication requires the authenticity to be established in multiple ways. The user name and password authentication that has been used for decades uses a single piece of evidence to prove you are who you claim to be: knowledge of the correct password. Two-factor authentication adds another piece of evidence. The second piece of evidence could be a second password, but all passwords are vulnerable in the same ways, so it is better to use more than one kind of evidence.

Security specialists often talk about three types of evidence of authenticity: what you know, what you have, and what you are. A password is something you know that no one else does. A physical key is an object that only you have. Your fingerprints, your facial appearance, your retinal pattern, and your DNA are examples of something you are.

An example

Physical safes commonly use single factor authentication, sometimes multi-factor authentication. Most single factor safes have combination locks. To enter a single factor safe, you simply enter the correct sequence of numbers. If you write the sequence down, someone could find the paper; or someone could look over your shoulder and watch you dial the combination. Whoever finds the paper or watches you has access to the safe. Sneaking in is a challenge, but by no means impossible.

Bank vaults frequently have two combinations each known to a single bank officer. To open the vault, both officers must dial in their combination. One officer may be incautious or a fraudster, but the double combination prevents a single officer from getting in without a witness.

We have a safe in our home that requires both a combination and a key. I know the combination, but without the key, I can’t get in. If thieves were to successfully snatch the combination, they would still have to find the key. Often, even I can’t find the key, so they’ll have a job to get into our safe. In this way, our two-factor, key and combination safe is an annoyance, but more secure than a single-factor combination-only safe.

Multi-factor user authentication

Typical two-factor authentication uses a password and something else. One common method uses a text message sent to your phone containing a four to eight-character token. After correctly entering your password you must enter the token that is automatically sent to your phone when you enter the correct password. In other words, you must both know your password and have your phone to get into the account. Another variation is to email a token. In that case, you must both know your password and have access to your email account. These methods are harder for criminals to deal with than a simple password.

Flaws in message-based authentication

These methods are good, as long as access to your email account or phone is secure. However, email is just another account to secure, which would be better done with multi-factor authentication. To do that, you would have to have another secure email account. At a certain point, the complexity becomes unbearable.

Cellphone issues

The cellphone method also has problems with phone numbers and SIM cards. Phone numbers are assigned to SIM cards. Usually, when you buy a new phone, the you move your SIM card and your phone number, contacts, and other information moves with you. However, the service providers can reassign phone numbers to a new SIM, say when your phone is lost or destroyed, or you get a new phone that is not compatible with your old SIM.

The ever considerate and conciliating providers can easily transfer your phone number to a new SIM. They hesitate to hassle a customer too much when numbers are reassigned and they do not press a requesting customer for too much identification and verification, which means that criminals with a handful of information can get your phone number transferred to their own phone. To make matters worse, cell carrier employees are not guaranteed to be honest: they might be bribed or they may be criminals themselves. As a result, criminals have found it fairly easy to get phone numbers reassigned without the owner’s consent.

Once your phone number has been transferred, the criminal can use it to gain access to your accounts, change passwords, run up bills, and drain your bank.

The cellular providers have not been forthcoming on how often this happens, but anecdotal evidence says the practice is on the rise. There are a few things to do to protect yourself. If your provider offers a PIN for changes to your account, take it. Most important, when your number changes, you will get a notification on your phone and it will no longer work. Call your provider as quick as you can when you get a notice. Criminals can wreak havoc in minutes with a stolen phone number.

A stronger method

A better alternative is to use another authentication factor that does not depend on sending a token to you. This can take several forms, but they all involve a small application that runs on a device in your possession that produces tokens. When the application is set up, your authenticator and the application exchange information that syncs the application with the authenticator. One method provides tokens that change with the date and time. If you can’t supply the unique time-based token from the app that corresponds to your account, access is denied. Another implementation relies on a private key held on the device. An elegant implementation places the token generator in a USB device similar to a thumb drive. Plug the “key” in, authenticate, and the USB device supplies the correct token. These methods do not rely on communication after the initial setup. Neither WiFi or a cellular connection to the key device is necessary.

I noted with approval in this article in the Washington Post, that the federal government will soon require two-factor authentication for administrators of all government web sites. The method chosen by the feds is better than relying upon calling or messaging the phone. They are using Google Authenticator, which runs on an Android or Apple phone.

These methods are more secure, but not all multi-factor sites accept tokens from all authenticator apps, so you may not be able to use your choice on all accounts.

There’s a podcast on Lawfare explaining Google’s approach to advanced security that is informative.