My friend Dr24Hours tweeted something disparaging about two factor security this morning:
Two-step authentication is mostly a scheme to collect more metadata. Discuss.
— Dr24hours (@Dr24hours) March 25, 2014
I’m a huge fan of two factor, but I’ve definitely noticed that it’s not well understood by a lot of people, and there are a lot of misunderstandings of what it is, how it works, and why it’s good.
Two factor is a mode of authentication. It’s a way of proving that you are who you say you are, in order to be granted access to some secured resource. You don’t want random people to be able to access your email, so your email provider has a way of ensuring that only you can access it. Before you can access it, you have to prove that you’re someone who’s supposed to be able to see it.
So how can you prove who you are? There are fancy terms for different strategies, but fundamentally, it comes down to one of two things: either something you know, or something you have.
If you’re using the internet, you’re guaranteed to be familiar with the “something you know” method: passwords are something you know. For any password protected service, you have a secret that you share with the service. By telling them the secret – something that no one but you should know – you’re proving to them that you’re you.
If you work in an office that uses ID badges, you’re familiar with a “something you have” strategy. The people at the security desk on the ground floor of my office have no idea who I am. They don’t recognize me. Someone could walk into the building, and claim that they work for twitter, and the security people would have no idea if they were telling the truth. But we all have security cards for the building. That card proves that I’m someone who’s supposed to be allowed in.
Passwords – something you know – are used all over the internet. Each of us has a ridiculous number of passwords. Just quickly trying to come up with a list, I’ve got at least 35 different passwords! And I’m probably missing at least another dozen.
Something you know has two big related problems: it only proves who you are if it’s genuinely something that only you know, and only if it’s something that nobody else can guess. If anyone else knows it, or if anyone else can guess it, then it’s no longer useful as a way of proving that you’re you.
Both of those weaknesses have major practical effects.
Lots of people choose really stupid passwords. There’s a huge number of people who use “password” or “1234” as their password. In fact, people who’ve tried to crack passwords to test the security of systems have found that the five most common passwords are “password”, “123456”, “12345678”, “12345”, and “qwerty”. If someone wants to get access to your email, or your amazon account, or anything else, those will be the first thing they try. A frightening amount of the time, that will work.
Even among people who use good passwords, the sheer number of passwords they need to remember has gotten out of hand, and so they reuse passwords. If you reuse your password, then that means that if any of the places you used your password gets cracked, or if any of the places where you used your password are dishonest, your password is no longer a secret that only you know.
What two-step authentication does is mitigate the risk of bad passwords and password reuse by adding a layer of “something you have” to authentication. First, it checks the shared secret – the thing that you know. If that’s successful, then it also checks for the thing you have.
For example, my work email account uses two-factor authentication. What that means is that when I log in, it first asks me for my password. Once I give it the password, then it asks for a four digit code. I’ve got an app on my phone that generates that code. Only my phone contains the data that’s needed to generate that four digit code – so if I get it right, that means that I have my phone.
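To make the two steps concrete, here is an added example (not code from the post or from Google) of how a code-generating app and the verifier agree on the code: both hold the same seed enrolled at setup, and the code is an HMAC of the current 30-second time step (RFC 4226 HOTP / RFC 6238 TOTP, which is what Google Authenticator implements). It uses the RFC’s six-digit default rather than the four digits mentioned above; the user record, salt and password are constructed values.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238: the code is a function of a shared seed and a counter.
# For TOTP the counter is the current 30-second time step, so the phone needs
# no network connection, only the enrolled seed and a reasonably accurate clock.

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)

def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with the counter taken from the clock."""
    return hotp(seed, unix_time // step, digits)

def verify_totp(seed: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Verifier side: accept the current step plus `window` steps either side for drift."""
    return any(
        hmac.compare_digest(totp(seed, unix_time + drift * 30), submitted)
        for drift in range(-window, window + 1)
    )

# Constructed user record (hypothetical, not from the post). The verifier stores
# a salted password hash for step one and the TOTP seed enrolled from the QR code
# for step two; it never learns anything else about the device.
SALT = b"constructed-salt"
USER = {
    "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000),
    "totp_seed": b"12345678901234567890",   # RFC 6238 test-vector seed
}

def login(user: dict, password: str, code: str, unix_time: int) -> bool:
    """Two-step login: check something you know first, then something you have."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    if not hmac.compare_digest(candidate, user["pw_hash"]):
        return False                      # wrong password: never reach step two
    return verify_totp(user["totp_seed"], code, unix_time)

if __name__ == "__main__":
    now = 59                              # RFC 6238 test vector time
    print("code for t=59:", totp(USER["totp_seed"], now))               # 287082
    print("password + code:", login(USER, "correct horse", "287082", now))  # True
    print("password only:", login(USER, "correct horse", "000000", now))    # False
```

A stolen password alone fails at step two, which is the property the post is describing; a leaked seed, on the other hand, is as bad as a leaked password, so it belongs in the same class of secrets on the verifier side.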
Two factor doesn’t tell anyone additional information about you, beyond the fact that you have whatever device or artifact that you’re using. Using two factor doesn’t tell Google what I’m buying at Amazon, or what I’m tweeting, or who I talk to. Even if I’m using Google 2factor, Google gets no more information about me than it would get by checking my password.
But two factor has a huge benefit for me. It means that it’s much, much harder for someone else to get access to my accounts. I don’t reuse my passwords, but I do use 1password for password management, so if someone were able to crack my 1password data file, they’d have access to my passwords. But with two factor, that’s not enough for them to get access to my account. I wish that I could turn on two factor in more places!
I just wish two-factor weren’t so damn inconvenient. Most sites want to text (Google) or email (Steam) me the code. As someone who doesn’t text enough to justify a texting plan, and as an impatient person who doesn’t like waiting for emails to arrive, I tend to get very frustrated by two-factor authentication (and hence, don’t use it).
In an ideal world, when I attempt to log in, a little “ding” on my phone would ask, “Hey, someone’s trying to access your account. Are you sure you want this to happen?”
And of course, this only works for those of us that carry our phones around. My wife rarely has her phone in her possession.
Google will happily install a little app on your phone, so that it’s not texting at you.
My favorite, though, is the VPN that we run at Twitter. It installs an app on the phone, and then when you connect, it does exactly what you said: it sends a message to the app on my phone which says “someone is trying to connect to the VPN with your account”. I can then either approve or reject the connection.
If you have a device capable of running the Google Authenticator app, I suggest you switch to that instead of getting texts. Note that any android tablet can generate codes just as well as an android phone can, and that there’s no network connection required to generate codes. (Your device just needs an accurate clock.) So for example, I could generate codes anywhere with my ancient Nexus One phone that has no sim card in it, once I charge the battery enough to power it on and set the time.
Then, for the “oh, I leave my phone at home often” use case, use backup codes. Generate them sometime when you’re sitting at your home computer, print them out and boom: ten logins to gmail from previously untrusted computers using codes from a piece of paper the same size as a credit card.
I think you’re missing his point: using 2FA doesn’t generate more metadata, but registering for it does. To sign up for 2FA on gmail, you have to tell them something about you: that “something you have” includes a mobile handset associated with a certain telephone number.
But does it in fact require that, if you choose to only use 2-factor through the app? Then you have to have a device scan a QR code, but it doesn’t need to be your mobile phone, or even an android device connected to your account or even a device running software Google compiled – the authenticator app is open source and based on open, published algorithms.
«Before you an access it» -> «Before you can access it»?
Thanks. I’m having a lot of trouble with my keyboard lately – it seems to be dropping a whole lot of characters.
This is true of actual 2FA. There are a lot of sites (including government sites controlling health data) out there that think that 2FA means “something you know” and “a random assortment of other things you know”. Namely, a password and an answer to one of several randomly selected “secret” questions. This variety of “two” factor auth is just horrible and usually provides the same level of security as just the password, for obvious reasons.
It’d be worth asking Dr24Hours if they know what 2FA is supposed to be, or if they’re assuming that dodgy “secret” questions are actually valid 2FA.
Actually, at least *two* entities need to know the thing you know. You and the entity authenticating you. As Target and Adobe found out, that entity might be the soft spot.
Well, strictly speaking you (the Prover) need to know the TYK, and the Verifier needs to know something derivable from the TYK that is extremely unlikely to be obtained without knowing the TYK. For the Verifier to know the TYK itself is one thing, but it’s more secure if they know some derivative Thing from which it’s difficult to reverse-engineer the TYK itself. Thus: cryptographic hashes.
Which as we know, did not work out well for Adobe.
In case you are wondering why I am ragging on Adobe: