Online Security: Multi-Factor Authentication — the good and the not-so-good
Keeping yourself safe from cybercriminals online can prevent a multitude of financial problems, including credit card fraud and identity theft, as well as embarrassing moments when someone posts as you on Facebook, or the exposure of something you would rather keep private, such as an account on Ashley Madison.
In this series of articles I’m covering what I do to keep myself secure online.
Quick Review of Multi-Factor Authentication
- Something you know (e.g., a password or your mother’s maiden name)
- Something you have (your phone or a security key)
- Something about you (your fingerprint, retina scan, or the image of your face)
When you choose information from two different categories, that’s called Two-Factor Authentication, which is more secure than picking two from the same category.
The key point is that these pieces of information are private: no one else knows or has them. If someone else has your password but does not have your phone or fingerprint, they cannot get access to your online accounts.
Ideally websites support Two-Factor Authentication in the form of Time-based One-Time Passwords using an app such as Google Authenticator. That’s what I use with my Yubikey Neo.
Biometrics are the something about you category. The most common form is your fingerprint; it’s pretty common to have a fingerprint reader on your phone these days. On Android phones you can use this to log on, and you can also use it to authenticate to certain apps. On my Google Nexus 5X Android phone I lock access to my LastPass Vault with my fingerprint.
Another common way that biometrics are utilized is to use the camera on your phone to take a picture of your face. This is a bit less secure as some systems can be broken by holding a picture of your face in front of your phone.
Available on: iPhone, Android.
SMS is secure, isn’t it?
A very common implementation of Two-Factor Authentication is for you to receive a One-Time Password via SMS that you enter after you have entered your password. This is Two-Factor Authentication because you need to physically have your phone to receive the code. This is fairly secure, but not immune to hacking.
The reality is that it’s not too hard to get around this. Remember, it’s not really the phone that you have that is the second factor; it’s the SIM in your phone that tells your wireless carrier what your phone number is. A few well-publicized hacks have been possible by socially engineering wireless carriers into sending a cybercriminal a new SIM for a celebrity’s account.
Another problem with using SMS for authentication is that even if your phone is locked, you may display text messages on the lock screen. If someone is in proximity they could see these messages and input your code.
The National Institute of Standards and Technology (NIST) has marked SMS-based one-time passwords as deprecated in its draft Digital Identity Guidelines.
E-mail based authentication
Some websites will e-mail you an authentication code or a link. This is very similar to SMS. It’s only as secure as your e-mail (do you use Two-Factor Authentication to access your e-mail?). Since the code is not sent as encrypted e-mail, it’s open to snooping and interception.
Security Questions (your mother’s maiden name, your paternal grandfather’s first name, your first pet’s name) are a form of Multi-Factor Authentication because they are things you know, just like your password.
Is this information really secret? Did you ever post your first pet’s name on Facebook? Are the names of your ancestors in public records or in your Ancestry.com family tree? If you provided this information to a website do they adequately protect it from internal or external hacking?
One way to make security questions more secure is to give a different, made-up answer on each website. Treat them like secondary passwords and make them long and hard to guess. Maintaining these is more work: you need to record the questions and answers for each website.
How do you keep track of them all? Store them in your Password Manager, of course. But what if your Password Manager is hacked? Then all of your Multi-Factor Authentication for a given website or application is exposed at once. So use a second Password Manager for security questions? This is getting complicated, isn’t it?
Physical Authentication Keys
Some websites offer to send you a physical authentication key. These function the same as an authentication app such as Google Authenticator, but provide a Time-Based One-Time Password for only one website. These are Two-Factor Authentication and are quite secure.
The downside? They usually only work for one website. My smaller Yubikey NEO is currently doing the work of 18 of these and can replace up to 28 of them.
Some websites or applications will allow you to authenticate with other devices. For example, if you are already using Authy on your phone and try to log in from your browser, it will pop up a request from the Authy app on your phone asking you to approve the login.
I’m unclear if this is considered Two-Factor Authentication. I suspect it is, because you have to have the device that is already authenticated. You cannot authenticate on another device with just something you know.
Universal Two-Factor Authentication
Many smart minds are working on better ways to securely authenticate. One group, the FIDO Alliance, has come up with something called Universal Two-Factor Authentication (U2F). That’s a standard for an easy-to-use security key that can be used with many websites and applications.
Once you obtain a U2F device, you register it with every website and application that supports it. My Yubikey NEO supports this. When I’m prompted to enter my second factor, I just plug my Yubikey into a USB port and touch the button. Really easy. And it works on Linux, Mac and Windows. There is evidence that support is coming to Android phones to allow this to work over NFC; I’ll just be able to touch my key to my Android device.
This appears to be a great balance of security and convenience. Currently the only sites that I use that support it are Dropbox, Facebook, Github and Google. A community supported list of websites and applications that support U2F is available here.
As I write this, Facebook has announced their first foray into Universal Two-Factor Authentication and I have enabled it.
My bank’s security images keep me secure, don’t they?
No, not really.
This technique was implemented to try to prevent cybercriminals from creating a fake site to phish unsuspecting users. This may have been effective for a while, but cybercriminals have become more sophisticated. This technique is all but worthless now.
Why do banks still use this? Not everyone is computer literate; educating customers on these fancier techniques requires a lot of training and hand-holding, and that costs money.
So Jeff, what do you use?
Generally I go for the most secure method available, however convenience and practicality are major considerations.
If Universal Two-Factor Authentication is available, I use that. However, it does not yet work on my Android devices, so I still enable Time-Based One-Time Passwords. Both are handled by my Yubikey NEO.
On websites that support it, I enable Time-Based One-Time Passwords. My Yubikey NEO can only support 28 distinct websites with Time-Based One-Time Passwords, so I use it for the websites I want to keep most secure, especially those with financial information. I protect this functionality with an additional password.
For websites that need less security, such as online forums that support Time-Based One-Time Passwords, I’ll continue to use Authy.
Otherwise I’ll use what’s available, usually SMS, E-mail, or App-based authentication.
I do not have any physical security keys (besides my Yubikey Neo) as I just consider them too inconvenient.
That’s all pretty complicated!
It sure is! It’s always best to turn on the most secure multi-factor authentication that you can stand using.
Next time I’m going to dive into issues other than just logging in.