Rants

Two-factor authentication, are you using it yet?

password: letmein

According to an article in the New York Times, a Russian crime ring has amassed over a billion internet passwords. To give you some perspective on that, there are approximately 7.19 billion people on earth right now. That doesn't mean that one password for every 7.19 people you meet is in a gangster's possession; after all, most people have multiple accounts. But what ratio would be okay, considering it may grant a criminal access to your bank account, personal emails, or, as we've seen more recently, photographs? 1 in 10? 1 in 20? 1 in 100?

Embarrassing personal data breaches involving companies like LinkedIn, Home Depot, Healthcare.gov, JP Morgan, Target, Adobe, and even Apple have happened and will continue to. New vulnerabilities like the OpenSSL Heartbleed bug or the more recent bash bug are going to be discovered and exploited.

Giving up and going offline is an option, but not many people can seriously entertain that notion for long.

There is an effective and fairly simple way that end users can largely mitigate all that scary risk, and it's called two-factor authentication. You may not have heard of it before, and even if you have, you may be surprised to discover that every major online service offers it as an option for authentication.

What is widely used now is one-factor authentication: to log into your account you need to provide just one piece of information in addition to your username, and that is of course your password.

Something you have and something you know

With two-factor authentication you provide your password and another piece of information that you get from a physical device unique to you. This can be a number you read from a specialized device like an electronic key fob, but it could also be an SMS sent to your cell phone, or a number displayed by an app on your smartphone.

This may sound complicated, but it really isn't. In most cases the user flow is something like this: after entering your username and password to log into a website, you are prompted for a security code, which you are either automatically sent via an SMS message or retrieve via an app on your smartphone.

That extra step takes about 30 seconds, but it means that your password alone is no longer enough to access your account. Even if someone guesses it, hacks another site where you use the same password, or even buys your password from a criminal syndicate, they won't be able to access your account without that second factor of authentication, which is only retrievable from a device you have, probably the cell phone in your pocket.

The opposite is true as well: if someone, say, steals your cellphone, they may be able to get the second factor of authentication from it, but they will still need to know your password before they can access any of your accounts.

Things can go wrong: you might forget your password, break your phone, and so on. But each online service that offers two-factor authentication provides a means of regaining access to your account in these situations.

In the next couple of years you will see online services make two-factor authentication the preferred or default method of authentication. While they may still offer one-factor (password only) authentication as an option for people who don't have a cell/smart phone, they will STRONGLY advise against it.

Here's a list of links for the details of two-factor authentication offered by some of the major online services/sites:

Apple - http://support.apple.com/kb/ht5570

Google - http://www.google.ca/landing/2step/

Facebook - https://www.facebook.com/note.php?note_id=10150172618258920

Twitter - https://blog.twitter.com/2013/getting-started-with-login-verification

LinkedIn - http://blog.linkedin.com/2013/05/31/protecting-your-linkedin-account-with-two-step-verification/

Paypal - https://www.paypal.com/us/cgi-bin?cmd=xpt/Marketing_CommandDriven/securitycenter/PayPalSecurityKey-outside&bn_r=o Although for the moment it appears their system can be bypassed. https://www.duosecurity.com/blog/duo-security-researchers-uncover-bypass-of-paypal-s-two-factor-authentication

Dropbox - https://www.dropbox.com/help/363

Yahoo! - https://ca.help.yahoo.com/kb/activate-sign-in-verification-sln5013.html

Amazon web services - http://aws.amazon.com/iam/details/mfa/

Github - https://github.com/blog/1614-two-factor-authentication

... and I'm sure there are many more I'm leaving out.

Sadly, Canadian banks don't yet offer two-factor authentication for personal or consumer online banking services. Needless to say, it is backwards that better security is available for your Twitter account than for your bank account. Banks really should be more than a little embarrassed about this fact. Here is a good Globe and Mail article on the subject of lousy password policies at Canadian banks.

Comic "Password Reuse" above from the perpetually clever xkcd.

BY: Clayton Partridge
Founding Partner

Clayton is a developer, and likes to make things out of other things.
