Security and personal privacy are hot topics. It seems we get news every day about compromised user accounts (LinkedIn, Twitter, MySpace), companies tracking users all over the internet and malware that spreads through ad networks. In this series I explain what steps I have taken to protect myself from these threats. Today I will take a look at 2 factor authentication.
Just a username and password
Authentication seems simple, right? You enter your username and password and you get access to something. Previously I laid out the reasons for using a password manager: you can create really strong passwords and you don't have to remember them. But is that safe? It all depends.
Given that a service has a good enough encryption standard, it is unlikely that your password will be revealed by a breach; however, there are still plenty of techniques to actually get your password. The most common would be to use phishing techniques to trick you into entering your password on a hacker-controlled site. Or worse, the service is compromised and a hacker is able to sniff the passwords on the server itself.
Sadly, all experts agree that using just a username and password is generally a bad idea, but it pretty much is the only thing we have. So how can we improve this situation?
Who are you?
Whenever you authenticate yourself to a service you can use 3 different factors: something you know, something you have or something you are. That sounds kind of silly, but let's take a look at them.
Obviously, something you know would be your username and password. They are known only to you and they are stored safely in a password manager, right?
Having something sounds really cryptic, but think of it like this: when you want to access something on my server I can give you a special one-time token that you need to enter. The fact that I have given it to you makes it something you have. The same goes for a one-time password sent through SMS or via email.
Being you is awesome, but what is it about you that you can use to authenticate yourself? You probably already unlock your phone with your fingerprint; that is something you are. You could also scan your eye or give a drop of blood for a DNA check. All these methods are quite cumbersome when it comes to services that are not physical.
So we are left with what you know and what you have. The know part we have already taken care of, but what about the have part?
In its simplest form, services allow you to enter your mobile phone number and they will send you a code that you need to enter in the second authentication step. This works fine, but it has some caveats. Wired has an interesting article on why it is necessary to stop using texts for 2FA.
“SMS has turned that ‘something you have’ into ‘something they sent you,’” says Zdziarski. “If that transaction is happening, it can be intercepted.”
Basically, the underlying techniques are flawed, which allows hackers to intercept the messages sent over them. It does seem to be quite some work just to intercept a text message, but hey, stuff becomes easier every day.
As an alternative you can use, if supported, an authenticator application like Google Authenticator. It uses some fancy math to generate a new code every 30 seconds that can be verified on the server side.
During the activation process (in the screenshot you see the steps from Digital Ocean) you sync your authenticator with a secret from the service by scanning a QR code. After the initial sync the application will show you a new code every 30 seconds. No data is transferred over the network; it is just you and your phone.
Although it relies heavily on you having a smartphone, it is one of the best methods to provide a second factor until Universal 2nd Factor (U2F) becomes more prominent. U2F requires a USB key that holds a private key and uses it to digitally sign verification requests. It is still in its early stages, but it does look promising. For mobile phones a method of verification using NFC is being implemented, allowing you to just "bump" your phone with your key to verify yourself.
There are good reasons to stop using just your username and password for authentication. You can prevent a lot of drama by enabling 2 factor authentication, although it makes logging in a little more cumbersome. But good safety is worth it!