Security is top of mind for many companies, and it should be for you as well. There is a lot of terminology regarding security, and I want to take a little time to discuss one small piece of the security world – Authentication. Make no mistake – this is NOT a short article and there is a lot of information. Take the time to read and re-read this until it sinks in and makes sense for you, and ask questions if you’d like in the comments section
Terminology and Definitions
Here’s a partial list of terms that you may have seen that are all sort of related to this topic: Multi-factor authentication, MFA, two factor authentication, 2FA, two step authentication, one-time password, OTP, token, authenticator, push notification, SMS, text message, verification code, and more (I am quite certain I have missed plenty of terms that could easily be on this list). This article intends to demistify all of this terminology and help you understand what the underlying PROCESS of multi-factor authentication as well as being able to know when you truly have it and when you don’t.
Let me quickly provide some definitions that we’ll refer back to…
– Authentication: Proving that you are who you say you are.
– Factor: Think of this like a piece of evidence in a court case. It’s something you use as part of your process of proving that you are who you say you are.
– Two-step Authentication: The process of providing a second piece of evidence to prove one’s identity, and NOT based on something the person already has (often a code sent via a secondary means like email or SMS)
Use Case
Example use case: You browse to your bank’s website and attempt to log in to your account. Since it’s the first time you’re using your brand new computer (or tablet or whatever) to access this site, they want you to do a little something extra to “prove” that it’s really you. Great! Your bank takes the security of your accounts (and money) seriously! Except…
At first blush, you may feel good about your bank taking the security of your account seriously. But, if you look very closely at the process that they stepped you through, and then dig down into the underlying security associated with that process, you will understand two things:
1) The web site is using Two-Step Authentication
2) Two-Step Authentication is inherently “useless” for security
It’s All About the Details
Point number one is important to fully digest and take to heart. Two STEP Authentication is not the same as Two FACTOR Authentication. The latter specifically relies on two of the following list: something you know (password), something you have (like a token), someWHERE you are (like a connection to a specific network or GPS location), and someTHING you are (think biometrics like a retina scan). I’m calling out the stark difference in these two terms very specifically because searching the web for the former term yields primarily results for the latter term. There is a difference!
Point number two requires a bit of thinking through the process to understand why there is no true security that’s added by leveraging two-step authentication. There are three main ways that this method gets implemented: by sending a code via email, SMS, or a phone call. The code itself can be thought of as a factor, but the delivery method for that code invalidates its strength.
Use Case in Detail
Here’s the process of accessing your bank account information: Open a web browser and navigate to your bank’s web site. Enter your username and password. Receive notice that you need a second code and request the code via email. Log in to your email and read the code. Enter the code into the bank’s web site. Obtain access to your accounts.
Your Credentials Aren’t Secure
Let’s make some basic assumptions… I will play the part of John Smith and my email provider is through Microsoft. I have used a couple of online forums for some of my hobbies like Photography and DIY Home Repair. Like most people, I use the same password in many places across the web. I have made a pointed effort to use a stronger password on my bank account, though.
Here’s one final assumption that is almost certainly true: Your account credentials have been compromised. This is a big one, so I’m going to repeat it. Your account credentials HAVE BEEN COMPROMISED. Don’t believe me? Check for yourself: https://haveibeenpwned.com/
Even in the extremely unlikely event that checking your email address at the site above tells you that your email credentials haven’t been exposed, you should always be operating with the mindset that they have. Keep your password on your email account strong, unique, and receiving periodic changes. Your email address / account is central to so much of your online activity that you should be protecting access to this resource “at all costs.”
Two-Step Auth and Security
Back to understanding why two step authentication does not add security… 🙂
As a hacker, I have discovered your email and password for a specific online web forum via one of the various exposures shown for your email account. I attempt to access your email account directly using the password that you had set for the web forum. It works.
I now search your email inbox and find a message from your bank about your latest statement being available. Now I know who your bank is and browse to that site. I try logging in there, again using the same password. It works. The web site requires a second code which is sent by email. I have access to your email and I get the code. I am able to now complete the login to the web site and your account is breached.
Let’s change the assumption a bit to that of the password NOT working. That’s ok… I’m still able to breach your bank account because I can request a password reset link which will be sent to me by email. Do you see the issue here? Breaching your email gives a hacker the keys to your entire online, digital presence. And if web sites offer additional “security” through ONLY the use of Two-Step Authentication, they are not providing you any actual additional security.
SMS and Phone Calls
The focus so far has been on delivering these codes via email and the weakness of email itself (by the way – did you know that almost all email messages are transmitted through the Internet in clear text?). SMS and Phone Call delivery is not quite as weak as delivery by email, but it’s still weak.
First and foremost, search out information on something known as a SIM Swap Attack (or Hack). The idea is that someone learns your cell number, contacts the company providing your service, and convinces them that they are you. They then tell some story about a lost or stolen phone and the need to activate a new SIM card. They oblige and you no longer have service on your cell phone with your phone number – the hacker now does. As a result of this attack, phone calls and text messages meant for you actually go to THEM. And this is now a method to compromise your account.
Use Multi-Factor Authentication
There are a number of Authenticator applications available from the various “app stores” (Android and iOS). These applications will allow you to use a second factor for authentication into systems that support it. Be mindful that the Authenticator apps from both Google and Microsoft have issues and that the Google one (at least) will likely never be fixed.
Reach out to the various companies that you do business with online and encourage them to add multi-factor authentication as an option to protect your accounts, and feel free to point them here if they don’t understand the difference between Multi-Factor and Two-Step Authentication!
Multi-factor authentication is a significant step up in terms of the level of security required to obtain access to an account. Anywhere that you want an additional layer of protection for your online presence, look to using this tool. Predominantly, any web site where you access any kind of sensitive data (financial, health, etc.) should afford you the option of leveraging MFA. And, if they don’t, find a competing site that does!
Comments
Good writeup on 2FA. You’re right to point out that email is basically keys to the kingdom. My general rule of thumb is setup MFA unless it is SMS in which case I figure I’m slightly more secure with no MFA.
Author
Thanks for the comments, Ben.
Actual MFA tops my list as well. I’m also generally not inclined to set up SMS-based ‘security’ because I don’t feel it actually adds any additional strength and merely slows me down when I’m trying to get in.
If SMS is the only option that they offer, I am more inclined to use a virtual phone number for it that isn’t actually tied to a real phone number for multiple reasons:
– The security of that virtual account is 100% on me. If I knowingly use weak passwords there, it’s my own fault.
– Virtual accounts are often accessible from multiple devices, including “any old web browser” (which I can use on a PC).
– There’s no way to execute a SIM swap attack on it (although I do have to ensure I’ve locked that number so it can’t be ported out to an actual provider).
I would be curious about where to get a virtual account? The reason I think SMS is weak is I’ve seen a lot of poor implementations. For example, one of my financial institutions (that I don’t use anymore and you’ll know why in a second) required setting up SMS for MFA. I found out after setting it up, that if I lost access to email and forgot my password, that because I setup SMS as a factor, they added an option to allow me to reset the password using SMS alone. I think the bank thinks they’re being more secure, but without realizing it they actually increased the attack surface area!
Author
There are a number of “free” texting apps that provision a virtual number for SMS. TextNow is one example of this sort of product, but you have to be mindful that the free version requires that you actually -use it- periodically or they will simply reclaim your number on you. Personally, I have used this app and Sideline (while they offered a free version) for things like texting with buyers and sellers through sites like Craigslist. It provides a way to actually communicate with them, including voice, without ever giving them your actual phone number.
Another option is Google Voice. While there are zero guarantees about the longevity of the service, the fact that Google allows you to port in your own numbers and they have had it tied to Google Fi for so long means that it’s likely not going anywhere any time soon. The biggest risk here is that its security is completely reliant on the password you set on the Google account that controls it. My suggestion here is that you create a new Google account specifically for the voice component (bobsmith.voice@gmail.com, for example) and never, EVER, give that email out to anyone for any reason. That way, you know that 100% of the emails that account gets are SPAM.
Author
Recently, Microsoft has gotten fairly “vocal” about Multi Factor Authentication by urging the elimination of anything that relies on a phone number. While there are a lot of write-up’s available to read about this, I’m linking a specific one here because it’s published from a reasonably well-known site that will lend value and credibility to the content.
https://www.zdnet.com/article/microsoft-urges-users-to-stop-using-phone-based-multi-factor-authentication/
I “mostly” agree with the recommendations. The predominant reason that phone number-based authentication solutions should not be used is because of the pure risk of your phone number being “ported out” (stolen) by a hacker and then used to gain access to your various accounts. If you are using a virtual phone number, like Google Voice, and NOT forwarding that number to your actual phone (using only the specific app to access those messages), then you are at a different level of risk of having your phone number hijacked. Lots of caveats around this, and I still fully urge you to STOP doing business with companies that rely on phone numbers / text messages for authentication into your accounts.