What, You Are Not Using Two-Factor Authentication?

Due to the influx of security incidents in the media lately, you probably have heard about recommendations along the line of How to Pick a Good Password. You might even think you have taken all the necessary precautions by picking that 15 letter random password.

Well, I have bad news for you: Selecting a good password is not enough. However, there is one simple thing that you can do now to improve the security of your data.

Authentication

Before we talk about why a good password might not be enough, let me remind you of the purpose of the authentication process. Authentication and Identification are two separate things. I can identify myself by claiming that my name is "Sebastian Meine". However, if you do not know me, you have no way to verify that claim. Authentication is the process of proving that claim.

"Authentic" stems from the Greek word "authentikos" which means original or genuine. That means to authenticate myself I have to proof that I am the "original and genuine" Sebastian Meine.

Real-Life Authentication

In real life, there are several ways for authentication. If I want to prove to you who I am, I could ask a common friend, a person we both trust to vouch for me. If that friend could not be present at our meeting, she could write me a letter that included my name, my picture and her signature. Now I can authenticate myself to you by showing you that letter.

That is the principle that an ID-card is based on. While we would not necessarily call the government a "Friend", there is an inherent trust towards government-issued documents.

E-Authentication

Online authentication does not work by simply waving the id-card in front of your screen. Therefore, we have to come up with another means of authentication.

Most websites are not actually that interested in who you are in real life. All they need to make sure of is that you are the same person that opened the account you are trying to access, or at least that you are authorized (yet another term!) to access that account. Usually, this is achieved by some form of login process.

The Login Process

When I want to access say my e-mail account, I have to first authenticate myself to the server. For that, the server and I both hold two pieces of information, one public and one secret. The first piece is the identifier, also called user name or just login. When I provide that information, I identify myself to the server as the account holder. The second piece is commonly a secret password. Based on the fact that this password is only known to me and the server, if I type it into the password field, I have proven that I am who I say I am; I have authenticated myself. Now the server can give me access to my e-mails.

The Problems with Passwords

Authentication based on a password works only, if all involved parties (usually the server and the user) can be sure that only they know the shared secret, the password. If that password ends up in the hands of a third person e.g. through some form of breach, the entire process falls apart.

If that breach is discovered, the server cannot trust this authentication method anymore and another way of authentication has to be used to reestablish the trust. This can be all but trivial if the account was solely an online account. Usually this is attempted to be solved by using some form of pre-agreed secondary password, often touted a security question (and answer). However, this is still a "password" with all its problems attached to it.

Worse, if the breach is not discovered (in time), that malicious third person can now impersonate the legitimate user and wreak havoc on his account. In the case of an e-mail account, you often find that such a malicious user sends emails to the entire contact list, enticing the recipients to some form of unwitting action like providing their password, wiring money or clicking on a link to virus-infected target.

So, how might a password fall into the wrong hands? Most often, it is just guessed. The most common password currently in use is still a simple "123456". But, there are many other ways for a malicious person to get to know a victims password, reaching from shoulder-surfing over phishing to sophisticated man-in-the-middle attacks.

The point the preceding paragraph is trying to make really is that a password alone is not secure. Even if you have the world's most secure password, it still might mysteriously make its way into malicious hands through a leak in the connection between the victim and the server or through a hole in the server's own defenses.

That means, if the account, or the information accessible with that account, has any value to you (and do not make the mistake of looking at the perceived value that data might or might not have to someone else), you better come up with an additional line of defense.

Two-Factor Authentication

Luckily, many content and service providers now offer just that, an additional line of defense in the form of two-factor authentication. The idea of two-factor (or multi-factor) authentication is to require two (or more) "things" during the authentication process that ideally cannot be stolen in the same way.

Usually these authenticating items are categorized into three groups: "Something you Know"," Something you Are" and "Something you Have". The common password falls into the category of Something you Know. Biometric properties like the pattern of you iris or your fingerprint make up the Something you Are category. Something you Have finally consists of actual "hardware" tokens. Those can have the form of a key-fob, a chip card, a time-based password token or even a cell phone.

Two-Factor authentication requires two items from two distinct categories. The most common coupling nowadays is the combination of the good old password with your cell phone. To authenticate yourself to the server you now have to both provide the password and prove that you are in possession of your phone. The latter can for example be achieved by the server sending a text message to your phone at the time of authentication, containing a code that you have to provide during the login process together with the user name and the password.

There are several forms of two-factor authentication currently in use. I will follow up on this article with one comparing the different methods.

Requiring two authentication items from two separate categories does not provide unbreakable security. All of the methods available to us today can be cloned, copied or stolen. However, for an attacker to get their hands on two of them, particularly if they are from different categories, she would have to attack two different channels at the same time. That is such a high hurdle, that it makes sense for a targeted attack only. Most attacks that you face today are however not targeted at all. Instead, the attacks are executed by automated processes that just try out different things to see how far they get.

The Take-Away

Unbreakable security is not possible, at least not for an online system. However, if you use two-factor authentication, you can secure your online life against all but the most sophisticated attacks.

Now It is your turn

For any account that is important to you, like your e-mail account or your online banking account, go and check if the provider offers two-factor authentication. If they do, enable it. If they don't, demand it. Two-factor authentication is very easy to implement with commercially available libraries, so there is no legitimate reason for a service provider not to offer it. However, if no one asks it is easy to assume that nobody wants it.