Two Factor Authentication in 2014

Way back in January of 2011, I wrote a blog post evangelizing Two-factor authentication with Google Apps. At that time, what passed for two factor authentication (2FA) primarily involved RSA SecurID fobs, which made it impractical for all but large scale or well funded applications. Google was one of the first companies to add 2FA support to their security infrastructure by using SMS — the protocol used for text messages on mobile phones — greatly increasing security at a very small cost and inconvenience.

What is Two Factor Authentication?

2FA is a subset of multi-factor authentication (MFA). From Wikipedia:

Multi-factor authentication (also MFA, two-factor authenticationtwo-step verification, TFA, T-FA or 2FA) is an approach to authentication which requires the presentation of two or more of the three authentication factors: a knowledge factor (“something only the user knows“), a possession factor (“something only the user has“), and an inherence factor (“something only the user is”).

 

Three ways to prove who you are to a system:

  1. Something you know (e.g. a password)
  2. Something you have (e.g. an RSA SecurID, a text message sent to your mobile phone)
  3. Something you are (e.g. a biometric factor like a fingerprint or retina scan)

Typical implementations of 2FA involve something you know, and something you have.

Why is Two Factor Authentication Important?

Passwords need to be easy enough to remember, hard enough not to guess

Humans are not great at creating passwords that do both of these well. If you believe you are the exception, I invite you to try out zxcvbn – a realistic password strength estimator:

My 1337  password  h@rdT0GUe$s!   would only take 4 hours to crack:

password crack

Gizmodo began 2014 by sharing the 25 Most Common Passwords people use, which frankly are embarrassing.

I strongly recommend a tool like 1Password to help you create and manage strong passwords across your computers, tablets, and mobile phones.

Passwords move between systems across the Internet; systems are susceptible to exploits

Your password is a key to open a far away door. The forest along the road between you and this door is filled with robber-barons (blackhat hackers) who want to take your key, make a copy, and put it back in your pocket before you ever notice. There have been several significant security exploits in the first quarter of 2014:

gotofail – 22/FEB/2004

gotofail was a nasty bug in Apple’s implementation of the SSL client-side libraries. It permit a server to present another’s secure credentials as its own, and the Safari web browser on Mac computers, iPhones, and iPads would allow this even if the check proved the certificate was a forgery.

Heartbleed – 07/APR/2014

heartbleed

The open source library OpenSSL enables systems to communicate securely over the Internet using the SSL/TLS protocol. A recently discovered exploit in OpenSSL, called Heartbleed, could potentially allow a hacker to read the server’s private encryption key, which would allow them to monitor your communications encrypted over https. Mashable shared a list of popular sites and shared which were affected by Heartbleed, and if need to change your password.

The community response to Heartbleed has been mixed. The Electronic Frontier Foundation shared a guide for system administrators on how to recover from Heartbleed that further discusses changing passwords. Veracode’s blog included an insightful post: Heartbleed and the Curse of Third-Party Code. The lead developer of security-centric OpenBSD, Theo de Raadt, asserted that OpenSSL is not developed by a responsible team. The Association for Computing Machinery (ACM) posted a referendum: Please Put OpenSSL Out of Its Misery

Vulnerability in BlackBerry® 10 Smartphones – 08/APR/2014

I would make the “who still uses a BlackBerry” joke, but T-Mobile already went there, and my former client NantHealth just announced a partnership with BlackBerry to develop niche devices for health care.

It’s not branded like gotofail or Heartbleed, but RIM announced a Vulnerability in qconnDoor service affects BlackBerry 10 smartphones (bold is my emphasis):

A stack-based buffer overflow vulnerability exists in the qconnDoor service supplied with affected versions of BlackBerry 10 OS. The qconnDoor service is used by BlackBerry 10 OS to provide developer access, such as shell and remote debugging capabilities, to the smartphone.

Successful exploitation of this vulnerability could potentially result in an attacker terminating the qconnDoor service running on a user’s BlackBerry smartphone. In addition, the attacker could potentially execute code on the user’s BlackBerry smartphone with the privileges of the root user (superuser).

An attacker can exploit this vulnerability in the following ways:

Over Wi-Fi
In order to exploit this vulnerability, an attacker must send a specially crafted message to the qconnDoor service on a smartphone located on the same Wi-Fi network. The smartphone user must have also enabled development mode on the smartphone before an attack.

Over USB
In order to exploit this vulnerability, an attacker must gain physical access to a smartphone and then send a specially crafted message to the qconnDoor service over USB.

Even if a hacker takes your password (what you know), they don’t possess your second factor (what you have).

What Websites Support 2FA in 2014?

TwoFactorAuth.org provides an exhaustive list of sites, grouped by category, and if they currently support 2FA or are working on it. They provide a button to help visitors easily encourage the addition 2FA support, or to thank their developers if they are currently working to support it.

TwoFactorAuth.org

Three Years Later, how is Google’s Two Factor Authentication?

I’m proud to report that since I enabled 2FA on my Google Apps account: I have never disabled it, and I have taken advantage of additional safeguards that Google has added during that time:

Expanded 2FA Support for Free Google Apps and GMail Users

When Google first rolled out their 2-Step Verification, it only supported paid Google Apps for Domains accounts. They have since expanded support for free Google Apps accounts and GMail users, making it universally acceptable for their users. I am happy to report the functionality is identical for paid and free GMail accounts.

Support for Additional Second-Factors

Initially only SMS was supported, but now Google users can be verified with a phone call or using the Google Authenticator App — a free alternative to an RSA SecurID — and works on planes while you cannot receive text messages or phone calls. Configuration screens have become much easier to interact with.

google-2fa-1

What if I lose my phone?

Google will try your backup authentication factors, but in my example both are my phone (the Google Authenticator App, and an SMS message). If I need to access my account before I can replace my phone, I can download a set of predefined codes to tide me over.

What are App Specific Passwords?

Many applications that access your Google Account are ignorant that you enabled 2FA; for those, you can easily create an Application Specific Password. I use Application Specific Passwords  for the Mail accounts on my iPhone and iPad, and my instant messaging client, Adium. You can easily see which Apps you have created passwords for, and revoke any that should no longer have access to your account.

Screen Shot 2014-04-10 at 9.40.41 PM

Registered Computers

Once you authenticate, Google asks if you want it to remember this device for 30 days. A great new feature since introduction is the ability to forget those computers you asked Google to remember.

Screen Shot 2014-04-10 at 9.47.41 PM

Conclusion

Security is everyone’s problem, not just the security conscious. Following best practices to protect your digital identity will reduce the risk that your accounts fall into the wrong hands.

Use Strong Passwords that Humans can’t possibly remember

One huge step toward protecting yourself from digital muggers is to take responsibility for using a different, strong password on every system you login to (not just one password “for the banks and credit cards”). There are tools and password safes that can help you generate strong passwords and keep track of them in a secure manner. If you password is misappropriated, the potential damage to you is contained.

Enable Multiple Factors of Authentication

If a system you use supports 2FA, enable it. It is much, much more difficult to clone something you have (e.g. your phone) than something you know, like your password. This includes email providers like Google, social networks like Facebook (after all, how many websites have you used your Facebook account to authenticate with?) and Twitter, banks like Bank of America and Chase.

Have a Disaster Plan

Hacking is a reality of the digital age that we all live in, and even luddites cannot hide from it. Invest the time to ensure your digital identity is as secure as you can make, and have a plan in case it suddenly isn’t.

Do you have a list of all the systems you sign-in to? Just the critical ones?

I don’t recommend a piece of paper with every website and password on it, because losing that is the keys to the castle. I do recommend keeping a list of important sites you access, even if it’s a backup copy of your web browser bookmarks. For the most critical sites, ensure you know where to find their contact information just in case.

Do you have a list with your banking information (e.g. credit cards and their phone numbers)?

This might be a photocopy of the front and back of every card in your wallet, or something far more sophisticated. If one of your accounts is compromised, and it has the ability to transact on your behalf (e.g. Amazon, Paypal, your bank account website), you may need to act quickly to mitigate your risk.

Wikihow’s How to Report a Stolen Social Security Card is a great step-by-step to follow in potential identity theft situations.

Be Prepared to Change your Passwords and any Cryptographic Keys

If someone stole a copy of your house key, you’d re-key your locks. Have the same standard when a breach (or potential breach) occurs.