The list of consumer brands adding two-factor authentication to their customer accounts, under the halo of protecting those accounts from password thieves, is growing daily. Apple, Microsoft, WordPress, and Evernote are among the companies that have jumped on the two-factor authentication bandwagon and trumpeted the new levels of safety they’re offering their end users.
What most end users don’t realize is that the biggest benefit of implementing two-factor authentication is often just a public relations one.
There are a variety of two-factor authentication solutions available, and many of these can be just as vulnerable as password-based access systems. For starters, what makes the password so broken is the fact that the shared secret (the password) is stored right where it’s subject to attack (the website). Deploying many types of two-factor authentication doesn’t fundamentally change this model. In most two-factor authentication deployments, a user will be asked to share something else with a site (such as a texted code, or the seed from which codes are generated), which will then be stored, again, where it’s subject to attack. Instead of fortifying the security, we’ve actually increased the amount of user information that’s shared.
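To make the shared-secret point concrete, here is an added example (not code from the article or from any of the sites it names) that implements HOTP/TOTP one-time codes as specified in RFC 4226 and RFC 6238 and contrasts how a site can store a password versus a second-factor seed. A password can be kept as a salted one-way hash, so a leaked database row does not hand the secret back; a TOTP seed has to be kept in a form the server can recover, because every verification needs the raw key, so the row leaked from the site is the second factor. The function and variable names are my own, and the seed used in the demo is the public RFC test-vector key, not a real credential.

```python
import hashlib
import hmac
import os
import struct

TOTP_STEP_SECONDS = 30
PBKDF2_ROUNDS = 200_000

# Public test-vector key from RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
RFC_TEST_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, digits: int = 6, step: int = TOTP_STEP_SECONDS) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the current time step."""
    return hotp(seed, unix_time // step, digits)


def verify_totp(seed: bytes, submitted: str, unix_time: int, window: int = 1, digits: int = 6) -> bool:
    """Accept the code for the current step and +/- `window` steps to tolerate clock drift."""
    counter = unix_time // TOTP_STEP_SECONDS
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(seed, counter + drift, digits), submitted):
            return True
    return False


def store_password(password: str) -> dict:
    """A password can be stored one-way: salted PBKDF2, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest}


def check_password(record: dict, password: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["digest"])


def enroll_totp(seed: bytes) -> dict:
    """The site must keep the seed itself (or a ciphertext it can decrypt back to the seed):
    HMAC needs the raw key on every login, so there is no one-way form to store."""
    return {"totp_seed": seed}


def code_derivable_from_stored_row(row: dict, unix_time: int) -> str:
    """What a leaked second-factor row amounts to: the server-side data alone yields valid codes.
    The password table, by contrast, yields only salted digests."""
    return totp(row["totp_seed"], unix_time)


if __name__ == "__main__":
    # RFC 6238 Appendix B: at T=59 the 8-digit SHA-1 TOTP is 94287082.
    print("TOTP at T=59:", totp(RFC_TEST_SEED, 59, digits=8))
    pw_row = store_password("correct horse battery staple")   # constructed sample password
    print("password row recoverable?", "digest only" if "password" not in pw_row else "plaintext")
    otp_row = enroll_totp(RFC_TEST_SEED)
    print("code computable from stored 2FA row:", code_derivable_from_stored_row(otp_row, 59))
```

The practical consequence for a site operator is that the second-factor table needs protection the password table does not: seeds should be encrypted with a key held outside the database (an HSM or a separate key service), and a breach of that table must be treated as compromise of the factor, with re-enrollment, exactly as a plaintext password leak would be.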
That second device — the ‘something you have,’ as it’s commonly referred to in two-factor authentication descriptions — should improve security. But there are both usability and security elements working against it:
Deploying two-factor authentication means issuing tokens or embedding cryptographic keys in user devices, and both of those approaches require user participation. Experience to date has shown that, in cases where two-factor authentication is provided as an option, most users won’t use it — the security is not worth the pain of the experience. Consumer usage rates are in the low single digits in opt-in models.
If two-factor authentication is suddenly required, many existing website users would find themselves without the necessary means to log in (such as a smartphone or a dongle). That’s a non-starter for consumer sites because it leads to their two least favorite things: increased cost via clogged support queues and declining customer satisfaction and traffic. So they default to the opt-in model and no one uses it.
Most two-factor authentication technologies generate a one-time code that the user then submits to prove their identity. But this common implementation is not immune to today’s threats or emerging ones. Cyber thieves use Trojan-horse malware, for example, that tricks a person into approving an attacker’s transaction without knowing it. Malware on users’ phones that intercepts SMS messages and forwards them to an attacker is also becoming more common.
Third-party authentication tokens are also dependent on the security of the issuer or manufacturer. Case in point is the March 2011 breach of RSA SecurID tokens. Companies that issued RSA’s two-factor dongles were simultaneously relying on RSA’s internal security. Telecom-based technologies, such as text messaging (SMS), lean on the security of the mobile provider, which is chosen by the user. A service using SMS, such as Facebook’s two-factor authentication, can be vulnerable to any number of telecom providers’ practices regarding reassignment of phone numbers or security of messages.
The swift reaction of many consumer sites to embrace two-factor authentication and their efforts to protect customer information are highly commendable. But this is a complicated problem that can’t be solved by ‘turning on two-factor.’ Until we address the foundational problem of secrets being shared between consumers and the sites they love, we can’t truly safeguard their information.
Jim Fenton is the chief security officer for OneID and is responsible for security design of the OneID identity system as well as oversight of the company’s corporate information security.