What is two-factor authentication?
Two-factor authentication adds a second level of authentication to an account log-in. When you have to enter only your username and one password, that’s considered a single-factor authentication. 2FA requires the user to have two out of three types of credentials before being able to access an account. The three types are:
— Something you know, such as a Personal Identification Number (PIN), password, or a pattern
— Something you have, such as an ATM card, phone, or fob
— Something you are, such as a biometric like a fingerprint or voice print
— How old is two-factor authentication? Older than life itself.
OK, not really. But 2FA is nothing new. When you use your credit card and you must enter in your ZIP code to confirm a charge, that’s an example of 2FA in action. You must provide a physical factor, the card, and a knowledge factor, the ZIP code.
But just because it’s been around for a long time doesn’t mean that it’s easy to set up and use.
Wait, it’s hard to use?
It definitely adds an extra step to your log-in process, and depending on how the account vendor, such as Twitter, has implemented it, it can be a minor inconvenience or a major pain. Much also depends on your patience and your willingness to spend the extra time to ensure a higher level of security.
Fenton said that while two-factor authentication makes it harder to log in, it’s not “hugely” more so.
“An attacker might be able to collect a cookie or an OAuth token from a Web site and essentially take over their session,” he said. “So, 2FA is a good thing, but it does make the user experience more complicated…It’s done when you’re logging into an account on your device for the first time, for example.”
Will two-factor authentication protect me?
Well, that’s a loaded question when it comes to security.
It’s true that two-factor authentication is not impervious to hackers. One of the most high-profile cases of a compromised two-factor system occurred in 2011, when security company RSA revealed that its SecurID authentication tokens had been hacked.
Fenton explained both sides of the effectiveness problem. “The thing that concerns me as a security guy is that people don’t look at what the cause of the threats might be. 2FA mitigates the problems, but a lot of awful attacks can run on 2FA.”
At the same time, he said, two-factor offered more protection than logging in without it. “When you make an attack harder, you’re disabling a certain subset of the hacker community,” he said.
How is 2FA vulnerable to hackers?
To hack two-factor authentication, the bad guys must acquire either the physical component of the log-in, or must gain access to the cookies or tokens placed on the device by the authentication mechanism. This can happen in several ways, including a phishing attack, malware, or credit card-reader skimming. There is a another way, however: account recovery.
If you remember what happened to journalist Mat Honan, his accounts were compromised by leveraging the “account recovery” feature. Account recovery resets your current password and emails you a temporary one so that you can log in again.
“One of the biggest problems that’s not adequately solved is recovery,” said Duo Security’s Oberheide.
Account recovery works as a tool for breaking two-factor authentication because it “bypasses” 2FA entirely, Fenton explained. “Just after [the Honan story was published], I created a Google account, created 2FA on it, then pretended to lose my data.”
Fenton continued: “Account recovery took some extra time, but three days later I got an email helpfully explaining that 2FA had been disabled on my account.” After that, he was able to log back into the account without 2FA.
Account recovery is not a problem without a solution, though. Or, at least, solutions are being worked on.
“I see biometrics as an interesting way to solve the recovery problem,” Oberheide said. “If I lost my phone, it would take forever to go through each account and recover them. If there’s a very strong biometric recovery method, a passcode of my choosing, and a voice challenge or something like that, it becomes a very reasonable and usable recovery mechanism.”
Basically, he’s suggesting using one form of two-factor for logging in, and a second, different two-factor combo for recovery.
What’s next for 2FA?
As two-factor authentication becomes more commonplace, it’s more likely that attacks will be more successful against it. That’s the nature of computer security. But by virtue of being more commonplace, it will become easier to use, too.
Oberheide said that many of his customers start off thinking that implementing 2FA will be expensive or hard to use, but often find that their experience with it is the opposite.
“I think that will come faster in the consumer space because they’re not dealing with all this cruft from the legacy of 2FA from the ’80s,” he said. But he noted that older systems can have a hard time getting 2FA going. “A few months ago, we published the bypass of Google’s two-factor scheme,” he explained. “It’s not a ding against two-factor in general, but against Google’s complicated legacy system.”
Fenton noted that increased adoption could create opportunities to refine the technology. “Should we be planning now on designing something that can scale to large numbers of sites? It seems that 2FA is really exploding right now,” he said.
Despite its problems, Oberheide sounded an optimistic tone for two-factor authentication. “If we can increase the security and usability of 2FA at the same time, that’s a holy grail that’s often difficult to achieve,” he said.