Leveling up on Multi-factor Authentication
I have tried to keep a reasonable balance between convenience and security in my digital life. While not always convenient, I use a password manager and some form of multi-factor authentication (MFA) whenever possible. I spent the last year or so convincing family and friends to get on the MFA train as more and more online services began supporting it.
Just in time to explain to them why the multi-factor authentication they are probably using isn’t all that great!
Before we get to multi-factor authentication, let’s take a quick look again at passwords. Are you still reusing a small handful of passwords across all your online accounts? Have you ever wondered how likely it is that one of your passwords is linked to a website that has been compromised? A quick check of Troy Hunt’s Have I Been Pwned? website reveals that, across the roughly 200 “hacked” websites it knows about, over 2 billion (yes, that’s a ‘B’) accounts have been compromised. For context, take the entire population of the United States and the European Union. Now double it. That’s a lot of compromised accounts.
If you don’t use a password manager, it is likely you use the same — or a small handful of — passwords for all your online accounts. Leveraging a multi-factor authentication option provides an extra layer of security in case a password is compromised. Generally, a multi-factor solution combines something you know with something you possess. If you have ever used an ATM, you are familiar with multi-factor authentication. You insert your ATM card — something you have — and type in a PIN — something you know.
More and more websites and online services are adding multi-factor authentication options, also referred to as a “second factor” or two-factor authentication. You log in with your password and something else — an additional factor. While different things can be used as a second factor, in practice most implementations of multi-factor authentication use your mobile phone as the second factor, generally by sending a text message with a one-time-use code.
Great! A password which, when compromised, won’t let the intruder in because they don’t have my phone! It is quick and convenient because I always have my phone with me to receive a text message! Yay, Me!
I am a big fan of multi-factor authentication, but using a text message, or SMS, as a second factor is not as secure as one might think. Let’s say you use “Password1234” as your bank password (please don’t) and you use an SMS as the second factor. When signing into your bank, you provide your password and a code that is sent to your phone. Who cares if a hacker gets your password, right? They don’t have your phone — so you’re safe… Well, no… As we have seen in an increasing number of cases, it is not that difficult for a bad actor to social engineer your mobile phone operator or stop into a store and hijack your number. Now they have your second factor.
Frankly speaking, a text message really isn’t a second factor. Yes, your phone is with you — your phone is actually a great second factor choice as an item you possess. The problem is not your phone, it is your phone number. It can easily be ported from phone to phone and isn’t tied to your physical possession any more than a password is.
Even NIST (the National Institute of Standards and Technology) of the US Department of Commerce has poo-pooed SMS as a second factor. Its recently published Digital Identity Guidelines include this note:
NIST’s position remains the same: agencies should be careful about the use of SMS as it does not always prove possession of something you have, and therefore may not be an appropriate second factor. […] we want to signal to agencies that SMS is under serious consideration for removal in future versions.
So, multi-factor authentication is good, but using SMS as a second factor is…less good. Got it? Got it. Unfortunately, SMS as an alternate factor is the most prevalent option websites provide. So we’re stuck?
Not so fast!
Many online services that support multi-factor authentication provide alternative options that avoid the phone number portability problem. Here are a couple to consider:
An Authentication App
An Authentication app is an app that generates a code to be used in the same way an SMS code is. The key difference is that the code is generated on the device itself, so it is not subject to the phone number portability attack. The Google Authenticator app shown to the left is an example. The Facebook app has a “Code Generator” feature.
A U2F Security Key
Universal 2nd Factor (U2F) is an open authentication standard. A U2F security key is a physical device you carry with you to be used as a second factor. It can be as simple as a dongle on a keychain you plug into your laptop or wave near your phone. A YubiKey is an example of one. There are a whole host of products in the market here — your one-stop-shop to find them is the FIDO Alliance.
These are just as convenient as using your phone as a second factor — they are “something you possess”. However, if you lose the device, reset your phone or delete the Authentication app, you have now lost your second factor and there is (potentially) no recovery. At this point you are dependent upon the policy of the service you use to provide an alternate way to verify yourself. For a lot of services, that alternate way seems to be a phone number or SMS, which brings us full circle. A text message is not a great way to authenticate an individual.
The trade-off between convenience and security really boils down to you and your risk tolerance. Despite the concerns regarding SMS as a second factor option, the following is still true:
- Using a password manager is better than not using one.
- Two-factor authentication using SMS is significantly better than not using multi-factor authentication at all.
- Using an alternative to SMS for multi-factor authentication — whether it is an Authentication app or a U2F security key — is even better still.
Take a minute to educate yourself about the available security options for the online services you use, and consider taking your personal security game to the next level.