Tuesday, May 28, 2013

Two Factor Authentication Adoption

Two factor authentication appears to be one of the current hot topics in information security. Many of us have been complaining for years, if not decades, that password-based authentication is weak and that it should be abandoned sooner rather than later.

As a quick summary: authentication is the process of verifying a claim of identity. That verification can be achieved by a properly designed process which combines multiple "factors". These factors can include physical tokens (something you have), knowledge of some shared secret (something you know) and something that is uniquely measurable about you as a person (something you are). There are more factors, but, as yet, they are not as common. One that seems to be gaining some traction is somewhere you are (geo-fencing), but technically that is more an access control than an authentication mechanism.

An easy example that we are all familiar with is an ATM card. A person requires a physical token (the ATM card) and a shared secret (the PIN code) to withdraw cash from a machine. Just having the card is not enough, nor is just having the PIN code.

There are plenty of ways to get around the card+PIN limitation (a gun to your head will work nicely...), but in general, combining two factors could be sufficient to achieve an acceptable level of security.

Note how nicely U.S. credit cards, which merely require possession of an item (the card) or knowledge of the information printed on it, contrast with many E.U. credit cards that require both the card and a PIN code.

Unfortunately, when we transition to an online world, we run into some trouble.

Two Factor Authentication typically requires some form of specialized hardware. Specialized hardware has a tendency to be expensive, prone to error, and people generally don't like having to worry about yet another single purpose gadget.

Lately though, the limitations of using two-factor seem to be less of a problem than they have been. People carry cell phones, and most phones are now fully matured computing platforms. Recently Twitter has jumped on the bandwagon by providing two-factor authentication based on text messaging a randomly generated number to the cell phone on record. Nothing beats true randomness. And while cell phones can be cloned and malware can be written to look at cached SMS messages, there is little doubt that 2FA is still better than just relying on a single password.

Google has been supporting two-factor authentication based on open standards for quite a while now, using a dedicated smart phone app or pre-generated transaction numbers.

Because Google decided to build their two-factor authentication fully on open standards, it is actually ridiculously easy to integrate with. I was able to write a Google 2 Factor integration backend in Python in less than two hours on a rainy Saturday evening. Because Google 2FA is based on open standards, it is becoming more widely adopted in the consumer market than any 2FA mechanism that I am aware of has ever been.

Unlike dealing with RSA (or one of its competitors), using the Google Authenticator as a platform for integration is virtually risk-free from a vendor lock-in perspective; since everything is based on open standards (RFC 4226 and RFC 6238), you don't depend on Google's offerings AT ALL.
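As an added illustration of how little those two RFCs ask of a backend (this is example code, not the author's Python backend): HOTP per RFC 4226, TOTP per RFC 6238, the base32 secret format that Google Authenticator uses for provisioning, and a verifier that tolerates one step of clock skew and compares codes in constant time. The shared secret used in the self-check is the one from the RFC test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter taken from Unix time divided by the step."""
    return hotp(key, at // step, digits, algo)


def decode_authenticator_secret(secret: str) -> bytes:
    """Google Authenticator provisions secrets as base32, often unpadded and grouped
    with spaces; normalise and restore the padding before decoding."""
    s = secret.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def verify_totp(secret: str, code: str, at: Optional[int] = None, window: int = 1) -> bool:
    """Verifier side: accept the current step and `window` steps either side to
    absorb clock skew, and compare in constant time so the check cannot leak how
    many digits matched. A real backend must additionally refuse to accept the
    same code twice for a step (replay), which this stand-alone function does not track."""
    key = decode_authenticator_secret(secret)
    now = int(time.time()) if at is None else at
    candidates = [totp(key, now + i * 30) for i in range(-window, window + 1)]
    return any(hmac.compare_digest(c, code) for c in candidates)


if __name__ == "__main__":
    # The RFC 4226/6238 test-vector secret "12345678901234567890", base32-encoded
    # the way an authenticator app would receive it (constructed for this example).
    rfc_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(totp(decode_authenticator_secret(rfc_secret), 59))  # 287082 (HOTP counter 1)
```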

Now that it is becoming normal to offer 2FA as an opt-in mechanism, there is really no reason why, in a corporate setting, 2FA should not be more widely used. The complexity of managing multiple factors is still there, and there are still many ways to get it wrong, but since user acceptance seems to be growing at the moment, it is really a good time to start playing with this technology and to take it past the technology playground level.

The need for dedicated devices is also diminishing. Cell phones are becoming smarter, and people are becoming smarter in the way that they use them.

Two Factor Authentication is not a silver bullet. There are still many ways in which to get it wrong. But, by not doing anything, we're not going to learn, and we're not going to advance. It is time to get started. Begin with your password reset/recovery mechanisms, and take it from there.
