Businessman holding cyber security icons screen. Digital information technology and cyber security concept.

Two Factor Authentication

by

Chris Johnson
in , ,

What we are talking about is “authentication.” Authentication is the method of confirming that you are who you say you are.

There are three methods to determine authentication:

  1. Something only you know
  2. Something only you have
  3. Something unique about you

In the old days, when people carried checkbooks with them and wrote checks for things, you would be asked to prove your identity before you could use a check. Proving your identity was a process where a person would first authenticate your identification card, and then they would verify that the identification card matched you.

A state issued identification card will have different aspects about it that should make identifying fakes easier for the trained person. In the those olden days, they would often have your Driver’s License number be a SoundEx of your last name. SoundEx was a simple encoding method that could be generated from a name.

If the SoundEx didn’t match the DL number, it was a fake.

For the most part, people trusted DLs. They were relatively difficult to fake, and it was often easy to spot fakes.

This is an example of something you have, your DL, and something unique about you. Your picture and description.

Computer Authentication

Computers authenticate you with the use of two pieces of information, the first is your “name”. The second is your password.

Your name can be an email address or a username. While the pair, username and password, are required, only the password is a secret. Or should be a secret.

In a perfect world, this would be good enough. In this imperfect world, see Password Security/Password Managers

We will assume that your password is strong and will not be cracked in this century.

What we want to protect against is people stealing your username and password. Be that by phishing or by tricking you, or by lifting your keyboard to read your password on a PostIt note.

We need to improve our overall security posture by adding something besides “something only you know” to the equation.

Biometrics

This is just a fancy word for something unique about you. What you look like. What you sound like. What the patterns of ridges on your fingers look like. What the blood vessels in your eye look like. These are things that are unique about you.

The super fancy eye scanner in NCIS is a myth. While it might actually work in practice, it will be expensive and is only part of the equation.

Fingerprint scanners are a joke. Facial recognition has more downsides than positives. And don’t have a sore throat if you are using vocal recognition.

Most low-cost fingerprint scanners don’t do a good job. They scan something they think is a fingerprint on a finger. That scan is processed and turned into a series of identified markers. That is turned into some sort of “value”. That value is what is actually compared and authenticates.

To reduce false negatives, these scanners often do a poor job of discriminating. They are also fairly weak at detecting live vs. Memorex.

Finally, if you have a fingerprint scanner or some other sort of biometric authenticator, bad actors can forcibly use your body to unlock your stuff.

It is far too common of an occurrence to have customs or law enforcement hold your finger to your phone’s scanner to unlock your phone. Don’t use biometrics to secure your devices. Oh, currently the courts find this to be legal and not a violation of your civil rights.

This takes use too:

Security Devices

A security device is a device that only you have that can communicate with other devices to help authenticate you.

Notice it is a helper, it is not the be all, end all.

The most common security device in use today is a mobile or cell phone.

The assumption is that you are the person holding your phone and that your phone can only be unlocked by you. This means that they can send you a text message, and you will have to unlock your phone to get the code they sent.

Except… Often the code is visible even when the phone is locked. The phone might be unlocked for other reasons. Or somebody cloned your phone and is getting the same SMS messages that you are.

In addition to that, some people have their devices configured to read messages to them. Or worse, they have configured their phones to read messages on command.

My favorite example of this was when I was working on a female friend’s car. She had a new boy and they were texting hot and heavy. Every time she received a new message, her phone would announce “To hear the message say “read message”.

At one point her phone announced, and I spoke up, “read message”.

She ran when her phone started to read the message out loud. It was just as spicy as I expected.

While the phone is very convent, it isn’t very secure.

Still, phones can be used as an authenticator.

This is a magic pseudo random number generator. The authenticator reads a seed from the remote device and attaches it to a particular site or device.

The two can generate the same pseudo random number at any point in time, based on the shared seed.

The site requests you provide the code from the authenticator. You unlock your phone, run the authenticator, find the correct device, copy the code from your phone to your computer to log in.

It is a fairly cheap and easy method and requires very little extra.

A number of my clients use this type of authenticator, and WordPress/WordFence does as well. It is an acceptable option if your phone is kept locked.

Better still, turn on extra security. The authenticator I use allows me to set a PIN for the application. Without the PIN, something only I know, the authenticator will not run.

Security Tokens

These supply a different form of security. They are designed to prove to a remote system, or local, that you have something that is unique.

A key.

One type of security token generates is a physical rendition of the phone authenticator. The one that I used required me to enter a PIN. It did not matter what PIN you entered, it generated numbers. If you entered the numbers from a correct PIN, you were logged in. If you entered the numbers from an incorrect PIN, the system would alert administrators or security, depending on how it was configured.

In other words, the system administrators and security personal could set them up to provide “panic” or “distress” codes.

Mine didn’t have that feature. If I put the wrong code in I couldn’t log in. Guess I wasn’t that important in the grand scheme of things.

Which takes me to my favorite authentication key, the YubiKey.

This is a small device, about the size of a thumb drive, but much thinner.

They have USB-A or USB-C connectors and some have NFC capabilities. They are small enough and light enough that I carry one of them attached to my key ring, along with a magic USB drive that contains a working version of Linux.

When properly configured, when a website needs a 2FA action, it will request that you insert the device. A small LED flashes, you touch the LED and the flashing stops. Some magic happens, and the website confirms that you have the right device.

If you have the NFC version, you can just tap the key to the back of your phone to accomplish the same thing as plugging it into a device.

In general, you should have two of them. Just in case you lose one.

Conclusion

Two-Factor Authentication adds a significant improvement to your security stance. They can almost completely stop phishing attacks.

Even if you are tricked into providing your credentials to a phishing website, when they attempt to use those credentials, they do not have the second factor to complete the authentication process.

Using your phone as your security device isn’t as strong as an authenticator. Using an authenticator application on your phone, is.

Combine these with a good password manager and you have a strong, secure system.

Until you find that the bad guys just ignore all that authentication stuff and took your computers.

        

Comments

3 responses to “Two Factor Authentication”

  1. Archer Avatar
    Archer

    Yubikeys are great, aren’t they? I had the assignment of writing my workplace’s user-facing “how to” document on using them, which I greatly enjoyed doing. (Totally honest, it was a fun assignment, especially coming up with the visual aids.) They still distribute that document, unabridged, to all our new Yubikey users.

    We don’t issue them much, though. The higher-ups prefer employees to use a mobile-phone-based authentication app on a business-issued and -managed phone, and reserve Yubikeys for outside contractors and partners who need access but don’t get business-issued phones.

    In the past we used RSA tokens; the kind where you have a fob that displays a 6-digit number that changes every 60 seconds. To log in, one would need a valid username and password, and a 4-6 digit PIN, and the digits currently displayed on their RSA token. They could have configured the PINs to allow for duress codes, but to my knowledge they never did (we’re not that important, either, haha).

    As was explained to me, in the days before “biometrics” (or what passes for “biometrics”) became commonplace, good security is that which combines something you know (e.g. username and password) with something you have (e.g. a physical device or other separately-validated token). Combining those things is what 2FA (or more broadly, MFA – Multi-Factor Authentication) is all about.

    Reply
    1. pkoning Avatar
      pkoning

      RSA tokens work well and there are smartphone app versions of them so you don’t need a separate artifact.

      Fingerprints… meh. Both my current laptops have fingerprint readers, both were programmed with my fingerprint (and claimed success), but neither EVER recognizes my fingerprint. Perhaps I’m too old and my fingerprint too worn, but if so, why did the programming step accept it?

      A while ago I read a paper describing how fingerprint readers could be fooled into accepting printed images of fingerprints, if those were printed with special ink. Interesting.

      On a mostly unrelated but interesting security topic, there was a paper a decade or so ago that described how the authors recovered RSA private keys from smartphones by listening to the sound produced by the execution of the RSA algorithm. I kid you not, look it up. I think Shamir (the S in RSA) was a coauthor.

      Reply
      1. Archer Avatar
        Archer

        The things people have been able to do with acoustic analysis — closely analyzing the sounds keyboards, hard drives, processors, etc., make while doing their thing — are mind-boggling. It goes well beyond being able to tell what someone is typing based on the sounds coming from the keyboard (which all sound unique even if the human ear can’t tell). In some cases they can listen to a processor hum and tell what it’s working on.

        Air-gapping a computer may no longer provide adequate protection against snooping, if a bad actor can get decent microphones in the room.

        Crazy stuff….

        Reply

Leave a Reply

Your email address will not be published. Required fields are marked *