The Phone is Mightier than the Sword: Proving Who You Are in Life After Camelot
No one knew who King Arthur was until he pulled the sword out of the stone. The king before him had died without an heir, so it wasn’t Arthur’s name or his parentage that set him apart. He didn’t earn the title in a contest, or set himself apart in combat. Arthur was just like any other little boy, but (spoilers!) once he got the sword everyone immediately knew that he was their king. Arthur proved he should be king by possessing something that only a king could have.
When we’re talking about security, possession is one of the three possible “factors” you can use to prove who you are:
- Something you know, like a password
- Something you have, like a magic sword
- Something you are, like your fingerprint
Unfortunately, we can’t all depend on magic swords to help us log in, so most computers check something you’re more likely to have, like your phone. Then the question is, how does the computer know when you have your phone?
There are three methods to check your phone when you’re logging in: text messages, exploding codes, and push notifications. Even though they’re all trying to prove the same thing, they use different methods to do it, that each come with trade-offs. There are also dedicated products not discussed here that wrap similar technology into smaller computers and fit on your keychain or in your USB drive — they look different, but the underlying fundamentals are the same.
Text Messages (SMS)
Text messages are probably the most commonly used form of this second factor because they’re really easy to set up, but they also provide the lowest level of security. To use text messages, the website just needs to ask for your phone number. Then, every time you log in, they generate a random password and send it to you in a text message. You just need to type that password to prove that you got the text and have possession of your phone. Easy!
Unfortunately, text messages aren’t that hard to intercept. Your mobile carrier always gets a copy of your text messages before you do, and then they send it to whichever phone they think is yours. An attack can trick them into sending the text messages to a different phone, or compromise their systems and read the text messages while they’re en route. There have been two high-profile attacks like this recently, the first to Black Lives Matter activist, Deray Mckesson, and the second to an employee at Bitcoin company Coinbase, and it’s incredibly hard to recover from.
Text messages are also relatively expensive for websites with big user bases, because the cost-per-login is much higher for sending an SMS than for sending exploding codes or push notifications.
Exploding Codes (TOTP)
Exploding codes are time-based codes that change every 30 seconds, like the exploding messages that self-destruct in Inspector Gadget. They’re a little bit harder to set up because they you have to download an app on your phone. These codes are based on a standard called Time-based One Time Password (TOTP). Once you’ve set the app up, you can open it up any time to get a login code.
Exploding codes are more secure than text messages because the website doesn’t need to send one every time you want to log in. Instead, the codes are based on a shared seed that’s stored on your phone and on the website’s server. A seed is a secret random number, and the app combines the seed with the current time to generate a new exploding code every 30 seconds. Because the server also knows the seed and the time, it can prove that you’ve had a phone with the right seed sometime in the last 30 seconds.
Exploding codes are more secure than text messages, but attackers can still compromise them. The server and the phone both need to keep a copy of the same seed, so if someone breaches the server, they can get access to the seeds and then generate the TOTP codes themselves whenever they want, without getting ahold of your phone.
Push Notifications (Asymmetric Public Key Cryptography)
Push notifications skip the codes, and you just need to tap a button to confirm that you have your phone. You still have to download an app, but setup is a little bit easier because you don’t need to sync a seed with the server.
The user experience is simpler, but the technology powering them is much more complex. Instead of using seeds, push notifications are based on asymmetric public key cryptography. That means that instead of one, shared seed, there are two different secrets — a public key and a private key. The public key can always verify that a message comes from the private key, but not the other way around. That means that the private key can live on your phone, the public key can live on the website’s server, and that when you confirm the push notification, your phone can send the server a message that could only have come from you.
Using push notifications is more secure than exploding codes for a few reasons:
- If an attacker steals the seed, they can use it recreate your same exploding codes. However, if they steal the public key, they can only confirm that messages came from you, not create fake messages.
- The push notifications happen “out of band,” which means that they’re being confirmed through a different channel than your username and password. If an attacker intercepts your keystrokes or web traffic, they can intercept your password and your codes (text message or exploding). If you’re using push notifications, they would only get your password unless they were intercepting messages from your phone too.
How Can I Know It’s Really You?
Possession factors add a lot to internet security because most attackers aren’t located in the same place (or even the same country) as the people they’re attacking. That makes it really hard for them to steal a physical item. Passwords live on a server that someone can break into from anywhere with an Internet connection. Your phone only exists in the material world and is very expensive to track and take.
Still, it would be even better if we could prove we had something without sending secrets that attackers can intercept or steal. Even if no one gets our phones, our mobile carriers sometimes give up our text messages, companies lose databases full of seeds, and malware can even steal the private keys on our phones if we download the wrong apps.
And that’s what makes two-factor authentication important. Breaking one factor isn’t easy, but breaking two different factors drastically increases the challenge. When the next big breach includes your username, a second factor on your phone can keep you safe.
Text messages, exploding codes, and push notifications each come with trade-offs, but we don’t have magic swords yet, so whichever version a website offers, you should turn it on.
B is the CEO and co-founder at Clef. If two-factor authentication has been in your backlog for months, but still hasn’t gotten prioritized, check out Clef’s new product Instant2FA.com — it’s two-factor authentication that takes minutes to integrate instead of weeks.
