Making two-factor authentication more user-friendly through trusted devices
As a follow-up to my previous article on two-factor authentication, I needed to find a way to make 2FA more user-friendly, since entering an extra code on every login is cumbersome.
As you will see if you enable 2FA on large sites such as Google or GitHub, the code is asked for only once: you are then offered to remember the browser you just used as a “trusted” device, so that no new code is requested on subsequent logins. If you log in from a new browser or device, the code is asked for again.
The question therefore is: how do you securely identify a device as a trusted device?
Identifying a trusted device for two-factor authentication
As stated here, there are several ways to identify a device:
- A GUID (a long random string) stored in a cookie
- A GUID stored in localStorage
- The User-Agent header
None of these options is fully secure: all of them can be copied or spoofed. The identifier is a bearer token, so whoever presents it is treated as the trusted device. This means that if an attacker gains access to a user’s computer (or simply to the cookie) and knows the password, and the user saved that browser as a “trusted” device, the attacker gets into the account without needing the user’s phone or 2FA device. The safest option, therefore, is to ask for a 2FA code on EVERY login.
However, if you are ready to give up a bit of security for more user-friendliness, my advice is to store a GUID in a cookie or in local storage AND to use the User-Agent header, recording both server-side against the user as a trusted device. A login is then exempt from 2FA only when the presented GUID matches a stored entry for that user, the User-Agent matches the one recorded with it, and the entry has not expired.
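To make the advice above concrete, here is an added example (my own illustration, not code from the original article or its site) of a server-side trusted-device registry: a random token is issued after a successful 2FA check, only its hash is stored together with the User-Agent and an expiry, and a later login skips the code only when token, user, User-Agent and expiry all check out. The 30-day lifetime, the cookie flags in the comments, the `TrustedDeviceStore` name and the constructed scenarios are all assumptions for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

TRUST_DAYS = 30  # assumed lifetime of a trusted device (the 30 days discussed in the text)


@dataclass
class TrustedDevice:
    token_hash: str        # SHA-256 of the random token; the raw token lives only in the cookie
    user_agent: str        # User-Agent seen when the device was trusted
    expires_at: datetime   # after this the device must pass 2FA again


class TrustedDeviceStore:
    """Server-side registry of trusted devices per user (in memory here; a DB table in practice)."""

    def __init__(self) -> None:
        self._devices: Dict[str, List[TrustedDevice]] = {}

    @staticmethod
    def _hash(token: str) -> str:
        # Store a hash, not the token: a leaked table cannot then be replayed as cookies.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str, user_agent: str, now: datetime) -> str:
        """Call after a successful 2FA check when the user ticks 'trust this device'.
        Returns the raw token to set as a cookie (Secure; HttpOnly; SameSite=Lax)."""
        token = secrets.token_urlsafe(32)  # 256 random bits: unguessable, unlike a time-based GUID
        self._devices.setdefault(user_id, []).append(
            TrustedDevice(self._hash(token), user_agent, now + timedelta(days=TRUST_DAYS))
        )
        return token

    def is_trusted(self, user_id: str, token: Optional[str], user_agent: str, now: datetime) -> bool:
        """True only if the cookie token matches a live entry for THIS user and the User-Agent matches."""
        if not token:
            return False
        candidate = self._hash(token)
        for device in self._devices.get(user_id, []):
            if (hmac.compare_digest(device.token_hash, candidate)   # constant-time comparison
                    and device.user_agent == user_agent               # User-Agent binding from the text
                    and now < device.expires_at):                     # 30-day expiry
                return True
        return False

    def revoke_all(self, user_id: str) -> None:
        """Forget every trusted device, e.g. on password change or a 'sign out everywhere' button."""
        self._devices.pop(user_id, None)


def run_scenarios() -> Dict[str, bool]:
    """Constructed scenarios showing when the 2FA prompt may be skipped (True = device trusted)."""
    store = TrustedDeviceStore()
    now = datetime(2017, 9, 19, tzinfo=timezone.utc)
    firefox = "Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0"  # constructed UA
    token = store.issue("alice", firefox, now)          # alice passed 2FA and trusted this browser
    results = {
        "same_browser_next_day": store.is_trusted("alice", token, firefox, now + timedelta(days=1)),
        "token_replayed_from_curl": store.is_trusted("alice", token, "curl/7.55.1", now),
        "same_browser_after_31_days": store.is_trusted("alice", token, firefox, now + timedelta(days=31)),
        "token_used_for_other_user": store.is_trusted("bob", token, firefox, now),
        "no_cookie": store.is_trusted("alice", None, firefox, now),
        "guessed_token": store.is_trusted("alice", secrets.token_urlsafe(32), firefox, now),
    }
    store.revoke_all("alice")                            # e.g. alice changed her password
    results["after_revoke"] = store.is_trusted("alice", token, firefox, now)
    return results


if __name__ == "__main__":
    for name, trusted in run_scenarios().items():
        print(f"{name:28s} -> {'skip 2FA' if trusted else 'ask for a 2FA code'}")
```

Note that the User-Agent check only raises the bar slightly: an attacker who copies the cookie from the victim's browser can copy the User-Agent string too, which is exactly why the text still recommends a full 2FA prompt for anything that needs high security.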
What is the right policy for two-factor authentication ?
As always, there is no “right” policy: it depends on the level of security you need or want for your system. Here is a list of questions to ask yourself when implementing two-factor authentication:
- Should I make two-factor authentication optional or required? Making it required is obviously more secure, but some users will be uncomfortable with it. Note also that the “right” answer for you might lie in the middle: force privileged users (administrators) to use 2FA while leaving it optional for everyone else.
- Should I provide 2FA via SMS or via an application? If you can afford it (remember that SMS messages have a cost), I would say both, but note that 2FA via SMS is less secure than 2FA via an application, as SMS messages can be intercepted, so the most secure option is the application.
- Should I allow users to save trusted devices? If you require high security, then no (for example, I would not want my bank’s website to allow this). If user-friendliness matters more to you, then you can allow it and remember a trusted device for, say, 30 days.
- Should I protect sensitive operations via 2FA? Unless these operations have to be performed repeatedly, there is no reason not to. Make a list of the sensitive operations in your system (changing the password or e-mail address, disabling 2FA, and so on) and protect each of them with a fresh 2FA check.
Obviously your needs may differ, but a good policy in my opinion, one that does not sacrifice security and is still relatively user-friendly, is to provide 2FA via both SMS and app (again, if you can afford the SMS), allow users to save trusted devices for 30 days, but still require 2FA for sensitive operations. That way, even if an attacker gains access to a user account through a trusted device, they will not be able to perform any sensitive operation.
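The policy just described, written out as one decision function, as an added example (mine, not code from the original article): administrators cannot opt out, a trusted device only exempts the login step, and sensitive operations always demand a fresh code regardless of the device. The set of sensitive operations, the five-minute grace window that covers a burst of repeated sensitive actions after one code, and the scenario data are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Assumed list of sensitive operations; every system will have its own.
SENSITIVE_OPERATIONS = {"change_password", "change_email", "disable_2fa", "add_payment_method"}
# Assumption: a code entered within this window also covers further sensitive operations,
# for the "performed repeatedly" case in the text. Set it to timedelta(0) to always prompt.
STEP_UP_GRACE = timedelta(minutes=5)


def second_factor_required(*, is_admin: bool, has_2fa_enabled: bool, device_trusted: bool,
                           operation: str, last_2fa_at: Optional[datetime], now: datetime) -> bool:
    """Return True when the request must be held until the user enters a fresh 2FA code."""
    # 2FA applies to administrators and to users who opted in (assumption: admins cannot opt out).
    if not (is_admin or has_2fa_enabled):
        return False
    if operation == "login":
        # Only a valid trusted-device cookie lets a login skip the code.
        return not device_trusted
    if operation in SENSITIVE_OPERATIONS:
        # A trusted device never skips the step-up; only a recently entered code does.
        return last_2fa_at is None or now - last_2fa_at > STEP_UP_GRACE
    return False  # ordinary operations need nothing beyond the logged-in session


def run_policy_scenarios() -> Dict[str, bool]:
    """Constructed requests run through the policy above (True = prompt for a 2FA code)."""
    now = datetime(2017, 9, 19, 12, 0, tzinfo=timezone.utc)
    return {
        "user_without_2fa_login": second_factor_required(
            is_admin=False, has_2fa_enabled=False, device_trusted=False,
            operation="login", last_2fa_at=None, now=now),
        "user_trusted_device_login": second_factor_required(
            is_admin=False, has_2fa_enabled=True, device_trusted=True,
            operation="login", last_2fa_at=None, now=now),
        "user_new_device_login": second_factor_required(
            is_admin=False, has_2fa_enabled=True, device_trusted=False,
            operation="login", last_2fa_at=None, now=now),
        "admin_cannot_opt_out": second_factor_required(
            is_admin=True, has_2fa_enabled=False, device_trusted=False,
            operation="login", last_2fa_at=None, now=now),
        # attacker on a trusted device, 2FA code never entered in this session
        "hijacked_trusted_device_change_password": second_factor_required(
            is_admin=False, has_2fa_enabled=True, device_trusted=True,
            operation="change_password", last_2fa_at=None, now=now),
        "change_email_one_minute_after_code": second_factor_required(
            is_admin=False, has_2fa_enabled=True, device_trusted=True,
            operation="change_email", last_2fa_at=now - timedelta(minutes=1), now=now),
        "change_email_ten_minutes_after_code": second_factor_required(
            is_admin=False, has_2fa_enabled=True, device_trusted=True,
            operation="change_email", last_2fa_at=now - timedelta(minutes=10), now=now),
        "view_profile_on_trusted_device": second_factor_required(
            is_admin=False, has_2fa_enabled=True, device_trusted=True,
            operation="view_profile", last_2fa_at=None, now=now),
    }


if __name__ == "__main__":
    for name, prompt in run_policy_scenarios().items():
        print(f"{name:42s} -> {'ask for a 2FA code' if prompt else 'allow'}")
```

The value of `last_2fa_at` should come from the server-side session, updated only when a code is actually verified; a trusted-device cookie must never set it, otherwise the step-up check collapses back into the login check.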
Originally published at https://www.gvj-web.com on September 19, 2017.