2FA could make the secure way the easy way — if we’d let it
It’s been a mantra at cybersecurity conferences for at least a decade: If you want to help people be secure online, make the secure way the easy way.
And that day is here, according to the National Cyber Security Alliance (NCSA) and the Cybersecurity and Infrastructure Security Agency (CISA), which oversee Cybersecurity Awareness Month (CSAM) — now in its 19th year. The “overarching theme” of CSAM is “It’s easy to stay safe online #BeCyberSmart.”
But that should come with a caveat. Given constant headlines about rampant (and successful) cybercrime that costs the U.S. economy billions every year — estimates are all over the map but two of them put it between $3.5 billion and $9 billion — “easy” is more aspiration than reality. If it really is that easy to stay safe, why are so many people and organizations still getting hacked?
Probably in large part because sometimes making something easy is hard. It can be very hard in the digital world. And human nature being what it is, it’s also hard to change people’s habits, even with the lure of better security.
But the promising news is that while it may not yet be easy to stay safe online, it’s moving in that direction.
The theme of the first week of CSAM, urging the use of two-factor authentication (2FA), also known as multifactor authentication (MFA), for signing into online accounts, is Exhibit A. It’s now easier and quicker to verify in two ways that you are you, which makes it harder for hackers to claim they are you.
But 2FA remains well short of mainstream. It’s increasingly available but not universal. Boris Cipot, senior security engineer with the Synopsys Software Integrity Group, said part of the problem is that the online world still has so many different forms of authentication.
“I still see web platforms that have had 2FA available for years asking their users to enable it. It takes what — two minutes to enable?” he said. “On the other hand, some platforms are just adopting this technology, and others don’t even have somewhat secure input of usernames and passwords.”
Beyond that, all 2FA options are not created equal. How much harder you make it for hackers depends on what type of 2FA you use. All are better than nothing, but some are better than others.
As long as passwords are part of the 2FA mix, which is what the CSAM website recommends, “staying safe” online will remain more dream than reality. Because passwords are and have always been a lousy, obsolete way to secure anything online.
This has been known for a long time. Then Microsoft chairman Bill Gates promised the demise of passwords almost two decades ago, at the 2004 RSA Conference, because “they just don’t meet the challenge for anything you really want to secure.”
Even if they’re long, complex, and unique, they’re not good enough because there are too many ways criminals can steal them. A post earlier this year in ZDNet noted that “you can create a password that is so long and complex it takes you five minutes to type, and it will do nothing to protect you if the service where you use that password stores it improperly and then has its server breached. It regularly happens.”
The FIDO (Fast IDentity Online) Alliance has been working since its founding in 2012 to replace passwords with what it calls “an open, scalable, interoperable set of mechanisms” for secure authentication. And support for FIDO authentication is now built into the Apple, Google, and Microsoft operating systems.
Which is encouraging but still well short of the goal. Passwords should by now be consigned to the dustbin of security history. Yet they remain the primary means of online authentication.
That means the exhortations about them, which should by now be familiar, are still relevant. Make them long and complicated. Use a mixture of letters, symbols, and punctuation. Don’t ever — ever! — use the same password for more than one account.
Yes, if we’re using passwords we should do all those things. But relevant shouldn’t mean recommended. Most people have 90 or more passwords. And not only does following those exhortations make it harder and slower for users to get into their online accounts (which is why most people ignore them), but passwords don’t even offer much protection when the exhortations are followed.
Yet here we are in 2022 and the CSAM description of 2FA is that “the first step is giving your password or passphrase. The second step is to provide an extra way of proving that you’re you, like entering a PIN code or texting/emailing a code to your mobile device, or accessing an authenticator app.”
This, NCSA and CISA declare, “makes it twice as hard for criminals to access an online account.”
Not much harder
Well, maybe. Harder, but probably not twice as hard.
Yes, as noted earlier, any kind of 2FA improves security and takes all of a few seconds at most. But if passwords were eliminated from 2FA, it would improve security a lot more.
First, as is constantly being demonstrated, people can be tricked by so-called phishing attacks into giving away their password. Second, the username/password combination is a “shared secret” because it resides not only on the user’s device but also on a provider’s server somewhere that, as we all know, can get hacked.
Brett McDowell, former FIDO executive director and now executive director of Hedera Hashgraph, years ago labeled the term “strong passwords” an oxymoron, no matter if the little bar changing from red to yellow to green makes you feel better when you are creating one.
McDowell said what ZDNet echoed more recently — that complex passwords are little better than simple ones because “as long as the password is the key to get us into our accounts, users will be tricked into giving that password to the wrong party.”
And Tim Mackey, principal security strategist within the Synopsys Cybersecurity Research Center, has noted that 2FA “offers to improve the situation until you recognize that with a single point of failure, it really doesn’t add much to authentication security.”
So why promote passwords as a worthy component of 2FA when there is a better alternative?
Megan Shamas, senior director of marketing at the FIDO Alliance, said the CSAM is simply dealing with the world as it is — where passwords still prevail — not as FIDO hopes it will be soon. “Any form of 2FA that involves a password plus another factor such as a texted code is going to improve the security of an online account over just a password,” she said, adding that, “this is also the most common form of 2FA available today, so it’s good that CSAM campaigns are encouraging folks to turn on even basic 2FA.”
“The educational conundrum is that right now, the 2FA options for consumers aren’t all consistent and FIDO isn’t offered everywhere just yet so you wouldn’t want a consumer to say, ‘Oh they don’t offer FIDO, I’ll just use nothing,’” she said.
True enough. Something is better than nothing. But the sooner the online world can get to something better than the current something, the better. Especially since that better something is ready for prime time.
The FIDO mechanisms and some other 2FA models, as noted, are designed to eliminate “something you know” (the password) and rely instead on “something you have” (token or wearable) and “something you are” (fingerprint, voice, face, iris).
Those recognition mechanisms are either part of what a user is, or are stored only on the user’s device, unlike passwords.
To compromise those authentication mechanisms, an attacker would have to attack the person or get physical possession of the device. That’s possible, but vastly more difficult for hackers than invading your life or your organization with stolen passwords while sitting at a computer anywhere in the world.
Lance Spitzner, director at the SANS Institute, who has been a security awareness trainer for decades, pointed out in a recent tweet that what matters most is not MFA per se as much as what kind of MFA. “Just remember that MFA comes in many different flavors, some more secure than others. Apple, Google, and MS [Microsoft] adoption of FIDO/biometrics is the long-term solution,” he wrote.
FIDO’s goal, Shamas said, is to “educate online service providers that they should be offering or planning to offer multifactor authentication options that are phishing-resistant, like FIDO.”
Not bulletproof, but …
A major factor in that resistance is FIDO’s use of cryptography. Since anyone can be tricked into revealing even one-time passcodes, “using cryptography means there is nothing for the user to give away in an attack — the threat of a successful phishing attack is removed,” Shamas said.
Even that should come with a caveat, however. Nothing is perfect, including the best available 2FA. As a number of experts have noted, some phishing attacks can bypass 2FA.
Spitzner made that point in a subsequent tweet, writing that it’s important to be aware that phishing “resistant” doesn’t mean phishing proof. While calling himself a “huge fan of FIDO,” he noted that “adopting FIDO does not mean your org is secure against phishing attacks. A huge number of phishing attacks have nothing to do with passwords.”
Still, the FIDO version of 2FA is much closer to perfect than 2FA that includes a password, and adopting it ought to be a no-brainer, given the catastrophic amount of trouble that can be caused by getting hacked, from stolen identity to the compromise of intellectual property.
But as Cipot notes, logic doesn’t always prevail. He said it may take the hand of government regulation to force changes that the market might never accomplish on its own.
“Unfortunately, it is not enough just to make secure tech. It must somehow be required,” he said. “Seatbelts in cars were there far longer than the legal requirement that they be used. The same is true with getting rid of passwords. Until they are banned, passwords will be used, and better authentication technologies will not be broadly accepted.”