A Two Factor Authentication Makeover for your Protection

Cybercrime. SpyEye. Zeus. Anonymous. APT1. PRISM. Bullrun. Hackers of every sort are everywhere. As I wrote in “TrustNo One Device (Part 2)” and “Direct Memory Access (Again)” you have no assurance your device isn’t already compromised.

You don’t want that to happen. In a serious cyberattack that I described in “Account Recovery May be the Weakest Link,” a person saw his Twitter and email accounts hijacked and his reputation sabotaged. In other incidents, people have seen their life savings wired out of bank accounts.

If, however, you have the audacity to hope there’s something to do other than just hope, try two factor authentication (2FA). It can give you an additional measure of safety and recoverability, and it’s available for free from some of the most important services you use online.

The 2FA options discussed in this post are really forms of two device authentication, generally using one time password (OTP) techniques. It looks something like what’s shown in the figure above. To log into something from one device, you must furnish proofs of something you know (a password) and something you have (a second device). For example, the service sends a code to your phone, or an app on the phone generates one, and you type that code into the login dialogue. The code typically changes about once per minute (every 30 seconds for the common TOTP apps).
Per Wikipedia, “A one-time password (OTP) is a password that is valid for only one login session or transaction. OTPs avoid a number of shortcomings that are associated with traditional (static) passwords. The most important shortcoming that is addressed by OTPs is that, in contrast to static passwords, they are not vulnerable to replay attacks. This means that a potential intruder who manages to record an OTP that was already used to log into a service or to conduct a transaction will not be able to abuse it, since it will be no longer valid.”
OTP using two devices (or a hardware token such as the RSA SecurID or VeriSign VIP Security Token) also helps prevent a hacker who remotely controls your computer from logging into protected accounts when you’re not actually there. So turn on the two factor, log in securely, and when you’re done working, log off and say goodbye to any ghosts of potential malware resident on that computer. While you are logged in, malware on that computer can still act inside your session, so 2FA narrows the window rather than closing it. To get at you when you’re not logged on, the hacker would also have to compromise the second device that holds the codes.
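To make the OTP mechanics concrete, here is an added example (not code from the original post or from any of the vendors named in it) of the time-based OTP scheme that the authenticator apps mentioned above implement: RFC 4226 HOTP under the hood, RFC 6238 TOTP on top of it with a 30-second step, plus the server-side check. The verifier tolerates one step of clock drift and, as the Wikipedia passage says, refuses a code once its time step has been redeemed. The class and function names are my own; the seed value is the RFC 6238 SHA-1 test seed.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer and reduced to `digits` decimals."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the Unix time divided into steps
    (30 seconds is what the common authenticator apps use)."""
    return hotp(secret, int(at) // step, digits)


def secret_from_base32(encoded: str) -> bytes:
    """Decode the Base32 seed that enrollment QR codes carry (otpauth:// URIs);
    tolerates lowercase, spaces and missing '=' padding."""
    cleaned = encoded.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


class TotpVerifier:
    """Server side: check a submitted code against the shared secret, allow a
    little clock drift, and never accept the same time step twice."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, drift: int = 1):
        self.secret, self.step, self.digits, self.drift = secret, step, digits, drift
        self._last_counter = -1  # highest time step already redeemed

    def verify(self, code: str, at: int) -> bool:
        counter = int(at) // self.step
        for candidate in range(counter - self.drift, counter + self.drift + 1):
            if candidate <= self._last_counter:
                continue  # this step (or an older one) was already used: treat as replay
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self._last_counter = candidate
                return True
        return False


# RFC 6238 Appendix B test seed for HMAC-SHA1 (ASCII "12345678901234567890").
RFC_SEED = b"12345678901234567890"

if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC_SEED, now)
    print("current code:", code)
    v = TotpVerifier(RFC_SEED)
    print("first use accepted:", v.verify(code, now))
    print("replay accepted:", v.verify(code, now + 5))
```

The replay rule is deliberately one-directional: once a newer step has been accepted, an older code inside the drift window is refused, which is the conservative choice RFC 6238 leaves to the implementer. A real deployment would also rate-limit attempts, since a six-digit code with a three-step window gives an online guesser roughly a 3 in a million chance per try.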
Two factor authentication with OTP technology is now conveniently available from many of the major vendors that we use, such as Apple, Dropbox, Facebook, Google, LinkedIn, Microsoft and Twitter, listed in the table below. There are also enterprise products from vendors such as Microsoft, RSA, Vasco, Verizon and VeriSign that provide 2FA to corporate employees. When an organization is also going through the throes of trying to manage the risk of a bring your own device (BYOD) environment, device-independent OTP solutions really shine compared with smart cards or any other technology that’s tightly coupled to specific device operating systems.
Table columns: Service | Verify new device | Two factor login | Support link
The middle columns require explanation. “Verify new device” means you will be challenged for an OTP when you use an unrecognized device (or perhaps just after you delete your browser cookies). “Two factor login” means you can set an option to be challenged every time you log in; something to think about if you don’t trust a device.

Here’s what to consider as you’re deciding whether it’s worth the trouble to turn on 2FA with one of these systems and how to proceed.

  • Functionality: As indicated in the table above, some services only invoke the two factor verification when you try to log in with a new device. Others require, or give you the option, to enter the OTP code with every login. Some work only with the service’s own web site or app, such as a Twitter account; others also work with third party apps such as email clients. Some send you the code over SMS, others send it to an app or even in a voice call. Some, such as Microsoft and Google, can provide the service to organizational administrators for all their users as well as to individuals. All these options affect the availability of the service, for example, when your phone’s out of its coverage area or the battery’s drained.
  • Mobile: Make sure the service’s 2FA works with your mobile apps or browser. In some cases, services offering 2FA don’t support access from mobile devices or mobile apps. A few months ago, for example, I found myself unable to log in with the LinkedIn iPhone app because it appeared not to work with LinkedIn’s own 2FA. Today, however, I updated the LinkedIn app and was able to log in with the code. I was also able to log in with the latest Twitter app, which didn’t even ask for the code.
  • Risk: What are you protecting? Many of the services in the table above are key to your reputation. Some of them may host your email, others may constitute your email recovery account or be used for social login. A hacker with access to Apple or Microsoft accounts may even be capable of remotely wiping out your hard drive. Look at how you use each service to determine how much risk is aggregated there for you. That should determine whether you turn on 2FA and whether you decide to enable new device verification, verification of every single login or both.
  • Recovery: The downside to 2FA using your phone is this: lose it and you could be cut off. That’s one reason why some of the vendors only use 2FA for verifying new devices; supporting it for every login is much more work. The vendors offer various recovery options, such as providing you with one time “recovery keys” to write down and store in a safe place.
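The one time recovery keys in the last bullet are worth seeing from the service’s side, because two properties decide whether they are safe to print and lock away: the service must keep only a hash of each key, so a database leak does not hand out a bypass of 2FA, and each key must work exactly once. The following is an added example of my own, not any vendor’s implementation; the class name, the key format (two groups of five hex characters) and the hashing parameters are assumptions.

```python
import hashlib
import hmac
import secrets

# Deliberately modest so the example runs quickly; raise for production use.
PBKDF2_ITERATIONS = 20_000


def _normalize(code: str) -> str:
    # Users type these from a printout: ignore case, spaces and dashes.
    return "".join(ch for ch in code.lower() if ch.isalnum())


def _digest(code: str, salt: bytes) -> bytes:
    # Recovery keys are short, so stretch them before storing (PBKDF2-SHA256).
    return hashlib.pbkdf2_hmac("sha256", _normalize(code).encode(), salt, PBKDF2_ITERATIONS)


class RecoveryCodeStore:
    """Holds only salted hashes of the recovery keys; each key redeems once."""

    def __init__(self, hashed):
        self._codes = list(hashed)  # (salt, digest) pairs still unused

    @classmethod
    def generate(cls, count: int = 10):
        """Return (plaintext keys to show the user exactly once, store holding hashes only)."""
        plaintext, hashed = [], []
        for _ in range(count):
            raw = secrets.token_hex(5)          # 40 random bits
            code = f"{raw[:5]}-{raw[5:]}"       # printed as xxxxx-xxxxx
            salt = secrets.token_bytes(16)
            plaintext.append(code)
            hashed.append((salt, _digest(code, salt)))
        return plaintext, cls(hashed)

    def remaining(self) -> int:
        return len(self._codes)

    def redeem(self, submitted: str) -> bool:
        """Accept a key once; False for unknown or already-used keys.
        Every stored hash is checked so timing does not reveal which slot matched."""
        matched = None
        for index, (salt, digest) in enumerate(self._codes):
            if hmac.compare_digest(_digest(submitted, salt), digest):
                matched = index
        if matched is None:
            return False
        del self._codes[matched]  # one time: consumed on success
        return True


if __name__ == "__main__":
    keys, store = RecoveryCodeStore.generate(5)
    print("print these and lock them away:", *keys, sep="\n  ")
    print("first redemption:", store.redeem(keys[0]))
    print("second redemption of the same key:", store.redeem(keys[0]))
    print("keys left:", store.remaining())
```

A real service would also persist the store per account, log each redemption as a security event, and prompt the user to generate a fresh set once only a few remain; that housekeeping is what the “read the recovery documentation carefully” advice below is really about.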

Bottom line – my most important recommendation in this post is to turn on two factor if your risk warrants it. Do this not only for your email accounts but also for cloud storage systems, such as Dropbox, used across multiple devices. My second most important recommendation is to read the vendors’ support documentation very carefully, particularly concerning recovery. Make sure you understand how availability may be affected and how you’re going to recover from loss of the phone before you turn two factor on. 

Homework assignment: Turn on the two factor for all of the systems you use in the above table (or similar systems) and print out all recovery information and lock it in the files. If you’ve already done this for some of them, verify that you can still find your recovery information. It should only take about an hour. You have to do this systematically to get the full benefit without the potential downsides.

Extra credit: Make a habit of clearing out potentially-stale authentication state information periodically. Delete the cookies in your browser that these services use to remember your devices and also delete server-side information such as Google 2 step verification application-specific passwords. This will flush out potentially-dangerous stale credentials and also enable you to verify your security configurations are working. Make sure you have a bit of spare time and have your phone and recovery information close at hand before trying this at home.

Revision: This was first published February 1, 2014 and was last rechecked for accuracy and reposted February 23, 2015.
