Friday, December 14, 2012

The Two Step Verification Dance

Practicing good security habits is not too unlike learning to dance. The steps can be a bit clumsy at first, but once you get in the habit of it you'll be able to handle security with the grace of Fred Astaire and Ginger Rogers on the dance floor.

Though two factor authentication has been around for years in corporate and high level government settings, it is fast becoming more common for everyday computer users to see it as a security option. Two step verification, also known as two factor authentication or multi-factor authentication, is a dance more and more of us can learn to further protect ourselves. It offers better security than single factor verification because it requires two separate pieces of information to validate identity, increasing the difficulty for a hacker to gain access to your accounts. So, what is single factor verification, and how does it differ from two factor authentication?

The single factor method of authentication is simply entering your username and password to gain access to your online account. This has been the de facto method of logging into online accounts. Up to a point it has been fine; however, the strength of our security needs to keep pace as hackers become more sophisticated. Strong passwords are still incredibly important, but a password alone may no longer be the best practice. So, what if we were to add a layer of protection to our login credentials? That added layer is where two factor authentication comes in.

The two parts of two factor authentication are generally thought of as "something you know" and "something you have". Two factor authentication requires you to enter your password along with that second piece of information, typically a six digit number (your token). The token is generated by a source outside of the account you are accessing. The token can be sent as a text message to your phone, be generated by an app on your smartphone, or come from a USB device, smartcard, or even a keyring device. When you attempt to log in to a two factor aware site you will first enter your password (something you know), and second, you will provide the token (something you have) before login completes.

What makes two step verification more secure than single step verification?
  1. The risk is lower that your account will be compromised by a hacker because they would not only need your password, but also, have access to the device providing your token.

  2. Unlike your password, which changes infrequently, tokens are one time use only and typically expire after 30 seconds. Each time you log in to the service you need to provide a new token. There are some caveats to this which are discussed below.

  3. The online service to which you are connecting does not permanently store the token. If a hacker steals your login and password from the service they will not have the token needed to access your account.

  4. Tokens increase security even if you have weak passwords because they are used in addition to your password to confirm your identity. The token merely assists you in keeping hackers out of your accounts; it is not a substitute or replacement for strong passwords. Strong passwords are still an essential part of a good security strategy.

What is the downside of two step verification?
  1. Two factor authentication can be clumsy to set up. Setup consists of enabling it for your account with a site that supports it. You indicate in your site preferences how you want to receive the token. Then you set up any third party apps used on tablets and phones that you want accessing your account. The downside is that currently there are few phone and tablet apps that are two factor aware. These legacy apps end up using a permanent token to authenticate and log you in, which in effect renders the two factors moot. You are no longer using the randomly generated "something you have" in addition to your password to authenticate, because you allowed the app to keep the same token, and unlike browser token cookies these don't expire.

  2. As I alluded to above, your web browser can store a token in a cookie on your computer if you don't want to have to enter a new token each time you log in. Sounds great, and it simplifies access to the site. The downside is that your browser could be susceptible to a man-in-the-browser attack, potentially allowing a cyber criminal to infect your computer with malware that sends the token back to them. To limit the damage if the token is discovered, the cookie has an expiration date, generally 30 days from the time it was established, after which you will be asked if you want to save a new token in your browser.

  3. It can be inconvenient to use two factor authentication, particularly if you don't have the device with you that provides the token. Also, the "something you have" can be lost, stolen, or damaged. Some sites will allow you to generate a series of one time backup or emergency tokens that you can print on paper and carry with you in the event that you don't have the token device with you. The downside is that these codes can be lost or stolen too. Imagine if you were carrying them in your wallet, then had your wallet stolen along with your identification. It's a cyber crook's dream.

  4. Entropy of the generated tokens is critical, that is, the randomness of the generated tokens. Systems that do a poor job of randomizing tokens can give criminals an opportunity to determine the sequence by which codes will be generated, and so allow them to produce fake tokens.

Of course, there is also three factor authentication, which relies on the "something we have" and the "something we know", and adds the biometric layer, the "something we are", such as a fingerprint or retinal scan. Alas, there is no perfect security. It's an evolutionary process. But, instead of waiting for something better to come along, this holiday give yourself the gift of two factor authentication.