Security is top of mind for many companies, and it should be for you as well. There is a lot of terminology regarding security, and I want to take a little time to discuss one small piece of the security world – Authentication. Make no mistake – this is NOT a short article and there is a lot of information. Take the time to read and re-read this until it sinks in and makes sense for you, and ask questions in the comments section if you’d like.
Terminology and Definitions
Here’s a partial list of terms that you may have seen that are all sort of related to this topic: Multi-factor authentication, MFA, two factor authentication, 2FA, two step authentication, one-time password, OTP, token, authenticator, push notification, SMS, text message, verification code, and more (I am quite certain I have missed plenty of terms that could easily be on this list). This article intends to demystify all of this terminology and help you understand the underlying PROCESS of multi-factor authentication, so that you can tell when you truly have it and when you don’t.
Let me quickly provide some definitions that we’ll refer back to…
– Authentication: Proving that you are who you say you are.
– Factor: Think of this like a piece of evidence in a court case. It’s something you use as part of your process of proving that you are who you say you are.
– Two-step Authentication: The process of providing a second piece of evidence to prove one’s identity where that evidence does NOT come from a separate factor. Typically it is a code sent to you over a secondary channel such as email or SMS, and the code only proves that you were able to read that channel.
Example use case: You browse to your bank’s website and attempt to log in to your account. Since it’s the first time you’re using your brand new computer (or tablet or whatever) to access this site, they want you to do a little something extra to “prove” that it’s really you. Great! Your bank takes the security of your accounts (and money) seriously! Except…
At first blush, you may feel good about your bank taking the security of your account seriously. But, if you look very closely at the process that they stepped you through, and then dig down into the underlying security associated with that process, you will understand two things:
1) The web site is using Two-Step Authentication
2) Two-Step Authentication of this kind adds far less security than it appears to, and in the email case effectively none
It’s All About the Details
Point number one is important to fully digest and take to heart. Two STEP Authentication is not the same as Two FACTOR Authentication. The latter specifically relies on two DIFFERENT categories from the following list: something you know (a password), something you have (like a token), someWHERE you are (like a connection to a specific network or a GPS location), and someTHING you are (think biometrics like a retina scan). Two things from the same category, such as a password plus a security question, are still just one factor. I’m calling out the stark difference in these two terms very specifically because searching the web for the former term yields primarily results for the latter term. There is a difference!
Point number two requires a bit of thinking through the process to understand why there is no true security added by leveraging two-step authentication. There are three main ways that this method gets implemented: by sending a code via email, SMS, or a phone call. The code itself looks like a second factor, but all it proves is that whoever typed it in could read the channel it was sent over. If that channel is protected by the same password, or by a phone number that a carrier can be talked into reassigning, the delivery method invalidates its strength.
Use Case in Detail
Here’s the process of accessing your bank account information:
1) Open a web browser and navigate to your bank’s web site.
2) Enter your username and password.
3) Receive notice that you need a second code and request the code via email.
4) Log in to your email and read the code.
5) Enter the code into the bank’s web site.
6) Obtain access to your accounts.
Your Credentials Aren’t Secure
Let’s make some basic assumptions… I will play the part of John Smith and my email provider is through Microsoft. I have used a couple of online forums for some of my hobbies like Photography and DIY Home Repair. Like most people, I use the same password in many places across the web. I have made a pointed effort to use a stronger password on my bank account, though.
Here’s one final assumption that is almost certainly true: Your account credentials have been compromised. This is a big one, so I’m going to repeat it. Your account credentials HAVE BEEN COMPROMISED. Don’t believe me? Check for yourself: https://haveibeenpwned.com/
Even in the extremely unlikely event that checking your email address at the site above tells you that your email credentials haven’t been exposed, you should always be operating with the mindset that they have. Keep the password on your email account strong and unique, change it immediately if it ever shows up in a breach, and protect the email account itself with real multi-factor authentication, since it is the recovery channel for nearly everything else. Your email address / account is central to so much of your online activity that you should be protecting access to this resource “at all costs.”
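The Pwned Passwords part of that site can also be checked programmatically without ever sending your password anywhere, using its k-anonymity range API: only the first five hex characters of the password’s SHA-1 hash leave your machine, and the server returns every hash suffix it knows with that prefix. The following is an added example of mine, not code from the site or from the original post. The endpoint `https://api.pwnedpasswords.com/range/<prefix>` and the `SUFFIX:COUNT` response format are the real API; `SAMPLE_RANGE_5BAA6` is a constructed stand-in for a response (the counts and the other suffixes are made up) so the check runs offline, and `fetch_range` is the optional live lookup.

```python
from __future__ import annotations

import hashlib
from typing import Callable, Dict, Tuple
from urllib.request import Request, urlopen

# Real endpoint of the Pwned Passwords k-anonymity range API.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to the API and the 35-char suffix that is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; tolerates CRLF and
    blank lines, and ignores any line that is not in that shape."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep or not count.strip().isdigit():
            continue
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Live lookup (needs network). Only the 5-character prefix is sent."""
    req = Request(RANGE_URL + prefix, headers={"User-Agent": "pwned-check-example"})
    with urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """How many times the password appears in the Pwned Passwords corpus
    (0 if it is not there). `fetch` is injectable so this runs offline."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


# Constructed sample of what a range response looks like for prefix 5BAA6.
# The middle line is the genuine SHA-1 suffix of the string "password";
# the neighbouring suffixes and all counts are invented for this example.
SAMPLE_RANGE_5BAA6 = "\r\n".join([
    "0A1B2C3D4E5F60718293A4B5C6D7E8F9A0B:2",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
    "FFEEDDCCBBAA99887766554433221100FFE:1",
])

if __name__ == "__main__":
    offline = lambda prefix: SAMPLE_RANGE_5BAA6  # stand-in for fetch_range
    print(breach_count("password", fetch=offline))           # 3861493
    print(breach_count("correct horse battery", fetch=offline))  # 0 in the sample
```

`breach_count` takes the fetch function as a parameter so the parsing and matching can be exercised against a canned response; drop the `fetch=` argument to query the real service. Note this checks passwords, which is the other half of the site’s value: the email-address search tells you which breaches listed you, and the password search tells you whether the password itself is already in attackers’ wordlists.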
Two-Step Auth and Security
Back to understanding why two-step authentication does not add security… 🙂
As a hacker, I have discovered your email and password for a specific online web forum via one of the various exposures shown for your email account. I attempt to access your email account directly using the password that you had set for the web forum. It works.
I now search your email inbox and find a message from your bank about your latest statement being available. Now I know who your bank is and browse to that site. I try logging in there, again using the same password. It works. The web site requires a second code which is sent by email. I have access to your email and I get the code. I am able to now complete the login to the web site and your account is breached.
Let’s change the assumption a bit to that of the password NOT working. That’s ok… I’m still able to breach your bank account because I can request a password reset link which will be sent to me by email. Do you see the issue here? Breaching your email gives a hacker the keys to your entire online, digital presence. And if web sites offer additional “security” ONLY through Two-Step Authentication delivered to that same email account, they are not providing you any actual additional security against an attacker who already controls your mailbox.
SMS and Phone Calls
The focus so far has been on delivering these codes via email and the weakness of email itself (by the way – email is not encrypted end to end; the encryption between mail servers is opportunistic, and a message sits in plain text in every mailbox and on every server that handles it). SMS and phone call delivery is not quite as weak as delivery by email, but it’s still weak.
First and foremost, search out information on something known as a SIM Swap Attack (or Hack). The idea is that someone learns your cell number, contacts the company providing your service, and convinces them that they are you. They then tell some story about a lost or stolen phone and the need to activate a new SIM card. The carrier obliges and you no longer have service on your cell phone with your phone number – the hacker now does. As a result of this attack, phone calls and text messages meant for you actually go to THEM. And this is now a method to compromise your account.
Use Multi-Factor Authentication
There are a number of Authenticator applications available from the various “app stores” (Android and iOS). These applications generate a time-based code from a secret seed that is stored only on your device, so the code never travels over email or SMS; that seed is the “something you have.” Use them as a second factor for authentication into systems that support it. Be mindful that authenticator apps have had their own weaknesses, in particular around backing up and migrating those seeds, so keep the recovery codes a site gives you at enrollment somewhere safe.
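To make concrete what an authenticator app actually does, here is an added example (mine, not code from the original post or from any authenticator vendor) implementing the HOTP (RFC 4226) and TOTP (RFC 6238) algorithms those apps use. `RFC_SEED` and the base32 string in the usage are the RFCs’ published test values, so the codes can be checked against the RFC appendices; the `window` parameter of `verify_totp` is my own assumption about how a server tolerates clock skew. The point to take away is that the code is a function of a secret that never leaves the device, so an attacker holding your email password cannot compute it.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC the 8-byte big-endian
    counter, dynamically truncate to 31 bits, and keep `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP with
    counter = floor(unix_time / step). Both sides need only the seed and a clock."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, candidate: str, at: int,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check. Accepts the code for the current step and up to
    `window` steps either side (clock skew, or a code typed just before the
    step rolled over). Comparison is constant-time to avoid a timing oracle."""
    ok = False
    for delta in range(-window, window + 1):
        counter = (at // step) + delta
        if counter < 0:
            continue
        # no early return: keep timing independent of which step matched
        ok |= hmac.compare_digest(hotp(secret, counter), candidate)
    return ok


def secret_from_base32(key: str) -> bytes:
    """Decode the base32 seed a site shows at enrollment (QR code / manual key).
    Sites commonly omit padding and insert spaces, so normalise first."""
    key = key.strip().replace(" ", "").upper()
    key += "=" * (-len(key) % 8)
    return base64.b32decode(key)


# Test seed from RFC 4226 Appendix D / RFC 6238 Appendix B (ASCII "1234...890").
RFC_SEED = b"12345678901234567890"

if __name__ == "__main__":
    print(hotp(RFC_SEED, 0))              # 755224 per RFC 4226
    print(totp(RFC_SEED, 59))             # 287082 (RFC 6238 gives 94287082 at 8 digits)
    print(verify_totp(RFC_SEED, "287082", 59))
    print(secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ") == RFC_SEED)
    # What your phone would show right now for this (public, test-only) seed:
    print(totp(RFC_SEED, int(time.time())))
```

Two things worth noticing: the same seed produces the same code on the phone and on the server, so the server never has to send anything to you, which is exactly what removes email and SMS from the picture; and because the seed is the whole secret, whoever can read it (a backup, a screenshot of the enrollment QR code, a compromised device) can generate your codes, which is why the app’s handling of that seed matters.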
Reach out to the various companies that you do business with online and encourage them to add multi-factor authentication as an option to protect your accounts, and feel free to point them here if they don’t understand the difference between Multi-Factor and Two-Step Authentication!
Multi-factor authentication is a significant step up in terms of the level of security required to obtain access to an account. Anywhere that you want an additional layer of protection for your online presence, look to using this tool. Predominantly, any web site where you access any kind of sensitive data (financial, health, etc.) should afford you the option of leveraging MFA. And, if they don’t, find a competing site that does!