TWO-FACTOR AUTHENTICATION

Everyone that touches data in an enterprise is responsible for the security of the enterprise’s data. That includes not only the DBA but also software support staff, developers, and end users. As the DBA has the most visibility of the data, and the DBA is trained in data security, s/he is usually the point person for implementing (and providing advice regarding) data security. At least that’s the way it’s been in every shop I’ve been in over the past 30 years.

As I’ve had a strong interest in security since the VAX VMS C2 certification days, my past articles have touched on security. Future ones will most certainly. So will this one!

DEFINITION


Two-Factor Authentication (2FA) is the process of identifying a person based on two of the following three factors: 1) something you know, 2) something you have, and 3) something you are.


TANGENT, MORE DEFINITIONS


  • Three-Factor Authentication is the process of identifying a person based on all three of the following three factors: 1) something you know, 2) something you have, and 3) something you are.
  • Multi-Factor Authentication (MFA) is the process of identifying a person based on more than one of the following three factors: 1) something you know, 2) something you have, and 3) something you are.



WIKIPEDIA

Contrast the above definition of 2FA with the Wikipedia definition of ‘two-factor authentication’. Keep in mind that Wikipedia articles are changed daily, so it would not be appropriate for me to comment on specifics of the article, but I believe you’ll see some interesting differences between Wikipedia and the above.


THE FACTORS

The ‘something you know‘… the presumption is that this is something that you and only you know (ie, you imagined it). It’s something that you then communicated to a second party so that the second party could use it to authenticate you. Or vice versa (ie, it may be created by the second party and sent to you for the purposes of authentication). This is commonly referred to as a shared secret, or a password. 


I do NOT include the following things in the category of ‘something you and only you know’:

  • credit card number
  • social security number
  • bank account number
  • your mother’s maiden name

Keep in mind that you frequently disseminate this information in your normal course of business. For example, your bank account number is at the bottom of each check you write. Also note that there are a lot of people focused on stealing your information, and they are frequently successful, even from supposedly secure sites. Case in point: the 2015 OPM Breach.

The ‘something you have‘… the presumption is this is something you and only you physically have, and you can prove it. An example is a small keyfob with a computer built into it which generates a sequence of numbers known only to the device and the second party. The device changes to the next number every few seconds (or on every press of a button). You prove you have the device by typing in the number displayed on the device. Passing authentication of this factor happens when the second party agrees with the number you typed.


I do NOT include apps (authenticators) or SMS in this category of ‘something you and only you have‘. See below for an example of SMS issues. Apps frequently reside on a system that might be compromised, and hence in the control of bad actors… meaning it’s not something ‘you and only you have‘ as the bad actor is able to obtain a copy. I know of a company that uses ‘RSA SecurID Software Token Application’ (ie, an application) to access a VPN connection to the enterprise. Shame on you RSA for even offering such a weak security product! See “WEAKNESS” below.

The ‘something you are‘… the presumption is this is something you and only you are. An example is a fingerprint (on a live and attached finger). Other examples are characteristics of your eye (retina), voice print, hand print, DNA, etc.


This ‘something you are’ factor is not widely implemented due to lack of technology to determine more than one aspect of the factor to ensure it is ‘something you and only you are’. By ‘aspect’ I mean (using the fingerprint example), measuring the temperature of the fingerprint, determining a pulse rate at the fingerprint, measuring capacitance at different points of the fingerprint, etc… all this to ensure the finger was not severed, overlaid over a live finger, or otherwise faked. There is much discussion on the internet as we hash through some of the technical details of defining what is needed to say for certain this factor is actually something you are. This factor will become more common in the near future as better technology becomes available.

BAD EXAMPLES


  • ATM cards use 1928 era magnetic media. They are easily duplicated; ATM cards do not make a good ‘something you and only you have‘. Note, the PIN, albeit four digits, is the second ‘something you know‘ factor.
  • SMS is frequently claimed to be something you and only you have. This misconception is probably because most people read SMS on their phone, and they have the phone. I used to read my SMS messages on-line via Google Voice, without having the phone nearby. SMS is not something you have. It may be available to technicians & hackers. Here’s an example… a developer places an app in the Amazon App Store. A PayPal user installs the app on his Android phone, clicking OK when prompted (acknowledging the app’s access levels). The app keylogs the user using Chrome to go to PayPal, so it knows the userID & password. The app covertly notifies the bad guys. Once notified, the bad guys tell the app to HTTP proxy a connection to PayPal. The app connects the bad guys to PayPal, enters the userID & password, intercepts the SMS “second-factor”, enters the “second-factor”, deletes the SMS, and turns control via HTTP proxy to the bad guys… all covertly. Updated: SMS and phone number based identity continue to be a concern. Another way to look at SMS is that SMS can be considered an “out of band” second factor, which is better than just using a single factor. But, I highly recommend when doing security, you do it right. Don’t use an “out of band” factor when two of the three factors provide premium security for very, very, little cost.
  • Having a computer call you to deliver a recorded PIN may be claimed to be something you and only you have. Without rehashing the above paragraph (with regard to a phone call), consider how the call forwarding feature could be used to circumvent this claimed second factor. Do you really have to have your phone to receive your phone call? The situation would be even worse if the automated phone call was recorded by your voice mail.

WEAKNESS



An app on the same device you use to log in is not really a second factor. Consider the ‘RSA SecurID Software Token Application’ mentioned above. Here is how connecting to a VPN happens... 1) Launch the soft token application, enter a password/PIN, click the ‘copy’ button. 2) Launch your VPN software, click the paste button. Note, steps 1 & 2 are on the same computer. Now, consider a computer with an arbitrary code execution vulnerability. Enough said?

Google Authenticator suffers the same problem. Here’s a fix. Obtain an Android phone that you can dedicate to being a second factor. Flash it to the latest OS. Install Authenticator on it. Put it into ‘airplane mode’ and leave it that way. You can now add all your accounts that allow Authenticator to be your ‘second factor’. Note, given that Authenticator is time dependent, the Authenticator time offset will need to be updated a few times a year. See the Authenticator settings. You will have to turn wifi on for about 15 seconds when updating the offset. (My wish is that the time would be updated via the GPS clock!).

Many web sites (companies) make it difficult to implement two-factor authentication, or don’t offer it at all. The weakest link is ‘what if I forget my password’. See Brian Krebs’ 2015 Christmas Eve experience. A bad guy called PayPal’s help desk claiming to be Brian. PayPal’s support asked some questions that the bad guy was able to answer from public databases. They then proceeded to turn off two-factor authentication and reset the password. Comment below how PayPal can fix their customer service’s security problem.

The above “support issue” is really a “people issue”. People also implement technologies. If you’ve not had specific and purposeful security training, or not even actively participated in a ‘pen test’, then you have no business implementing security technology without at least consulting someone that knows better. Ok, off my soapbox. My wish is that all companies implement security training for all employees, and specific and detailed training for those employees that deal directly with security.



ALTERNATIVE AUTHENTICATION METHODS




CONCLUSION


Two-Factor Authentication, commonly implemented as ‘something you know‘ and ‘something you have‘, is the best we have to protect our data. It must be implemented correctly… both the architecture and the policies/procedures/best practices.


Please comment on the use of apps as a second factor. Do you use them? How?


If you know of a significant site that does two-factor authentication, please comment. Also, add a note about their customer service.


Troy Frericks.
blog 3-Jan-2016