Tuesday, October 6, 2015

Grog and Narg teach two-factor authentication

Multifactor authentication is combining a password with something else - often a smartphone or a keycard. If an attacker steals the password, it does them no good unless they also have the cellphone, or keycard, or whatever the second factor is.

This post was first published in March, 2014. It has been updated for October, 2015's "Two Factor Authentication Tuesday." While passwords are often the first line of defense for online accounts, they can also often be discovered. Multifactor authentication is combining a password with something else - often a smartphone or a keycard. If an attacker steals the password, it does them no good unless they also have the cellphone, or keycard, or whatever the second factor is. This makes it exponentially harder for someone with malicious intent to access your account.

10,000 years ago, Grog and Mag formed a secret club. To ensure new members of the club would be accepted, they came up with a secret phrase. Thus was born the first password. One day Narg overheard two members greeting one another and learned the secret phrase. Thus occurred the first password breach.

Fast forward to 1962. MIT’s Compatible Time-Sharing System (an early multi-user computer) was one of the first computers to use passwords as a means of keeping users’ personal files separate. A Ph.D. researcher had been allotted a certain amount of time each week on the computer, but it wasn’t enough time to run the full simulations he had designed. Rather than suffer the atrocity of abiding by the rules, he found a way to print a copy of the password database so he could use other users’ time allotments. Thus occurred the first documented case of account compromise through password theft.

Limitations in password security

The first half of this is a fictitious account (the MIT CTSS story actually happened), but the moral is the basis for this post. Passwords or passphrases are usually the first line of defense for online accounts. They allow for some degree of protection, but they can be compromised.

Think about it: for your password to be useful, the computer or web site you are logging into must recognize the password – in other words, the password (or preferably a hash of the password) has to be stored somewhere. If this password database is stolen, depending on how the passwords or hashes are stored, it may be possible for the attacker to recover the original password of some or all the users. Owners of millions of accounts at Ashley Madison, Patreon, SnapChat, Adobe, MacRumors, LivingSocial, LinkedIn, and Sony (Playstation), just to name a few recent examples, discovered this the hard way.

Passwords are also frequently-used - which means there are many opportunities for a password to be captured during use. How often do you use your password? How often do you log in to a computer or email account or web site?

Each login event is an opportunity for your password to be stolen – by someone looking over your shoulder, by a keylogger device or app, by a fake website impersonating the one you think you are logging into, by a phishing scam, by someone that intercepts your network conversation, by a malicious wireless access point. Industry best practices demand that your browser have a secured (encrypted) channel to the web site before you log in; this helps but still there are many opportunities for a password to be lifted.

Weak passwords and re-used passwords are another limitation. How many passwords do you have? How many accounts do you have? Do you remember every password? Do you use the same password everywhere? Re-used passwords mean that if one site is compromised, the attacker can now log into other accounts. Even when we try to create strong passwords, we tend to fall into predictable patterns.

Passwords on sticky notes under the keyboard or on the monitor are a long-standing joke in the security industry, but are absolutely true. I could walk through just about any business in the country and log on to the network using a password written down on someone's desk.

Passwords and passphrases are a hurdle an attacker must overcome, but they can be overcome. Using strong passwords (mixing upper and lowercase characters with numbers and symbols, and using a long phrase instead of a short dictionary word) helps. Using different passwords for each account helps too (and to that end, a password manager such as LastPass or KeePass is an invaluable tool for keeping track of the individual passwords for each web site and account). WhoIsHostingThis.com posted an easy-to-follow infographic that highlights some simple steps to making a password hard to break.

If passwords are not enough, then what?

Security professionals define identity and access in terms of identification and authentication. Identification is the act of claiming to be someone, while authentication is the act of proving that the identification is true. I can say I am David Longenecker, but how do you know I am not am impostor? Authentication is the proof.

Authentication generally falls into three forms. It can be something you know, such as a password or passphrase, or some other piece of knowledge you would not expect anyone else to know. Your mother’s maiden name is probably not a good secret because that can be obtained relatively easily. So too might the last 4 digits of a credit card, or your cat’s name.

A second form is something you have. The classic example is a house key, but passports and driver’s licenses are also good examples. In computing, RSA tokens are a common example: you might have a small keyfob (or a mobile device app) that displays a seemingly random sequence of numbers that changes every minute or so; possession of that token is a form of authentication.

The final form is something you are. This is a growing area in the consumer world, as a growing list of services offer logging in via your fingerprint, your voice, or your face. Disney World and Sea World have used hand geometry for quite a while. In some high-security military and government environments, retina scans, palm prints, or voice pattern recognition are used to authenticate the user. The television show CSI turned epithelial DNA analysis into a household term; this is nothing more than authenticating a suspected criminal or victim through a biological characteristic, i.e. something you are.

Individually, any of these factors can be compromised. Your password might be stolen. Your RSA token or building access card might be stolen, or your door key or driver’s license copied. Biological authentication is a little harder to compromise, but it can be done (remember the MacGyver episode where he broke into a locked safe using a wax impression of the antagonist’s thumb print?) However, combining factors makes things exponentially harder on an attacker.

What does that mean in the real world?

A large and growing number of online services offer various types of two-factor authentication. As I have written before, much of life is an exercise in managing risk. Part of managing risk in the online world is deciding which services warrant some extra security and which really are not worth the extra effort (because truth be told, 2FA does add a little extra effort). For those that are worth the effort, check to see what the service offers.

The website https://twofactorauth.org/ maintains an excellent list of businesses that support true multifactor authentication. Most businesses also let you set a device to be trusted. On a trusted device you can login without the second step (because presumably, you are in possession of the trusted device). Keep in mind that it is a two-edged sword: if your smartphone is a trusted device, and is lost or stolen, whomever has that device can access your accounts using only the password. That doesn't make trusted devices a bad thing, but you do need to keep that in mind when deciding what devices to make trusted for what services.

One final caution

Two-factor authentication makes it far more difficult for a hacker to break into your account. By the same token though, if you lose access to the second factor you too will be unable to access your account.

When setting up 2FA, take a moment to download backup access codes - a set of single-use codes that can be used in place of the normal second factor. Store these codes someplace safe - for instance, in your password manager app.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen