By James Hanback
Just when you thought it was safe to pull the curtains back from the windows and let the sun shine in on the bodies of all the defeated zombies of the weak password apocalypse, you find out that they're not really dead. You shored up your devices, your Internet accounts, and maybe even the combination on your locker at the gym with the strongest, most secure mixture of characters you could conceive. Nobody can guess them. Nobody can brute force crack them. You're gold, right?
One unfortunate weak spot in your password-protected stronghold is known as password reset or password recovery. Most companies provide a means for users who have forgotten or have lost their passwords to reset or recover them so that the user can continue accessing the services the company provides. After all, the point of any organization's online presence is to provide you with easy access to the services or information it offers, not to erect a bunch of roadblocks intended to frustrate you or to prevent you from obtaining those services. ("Hey, buddy! Want to buy some ebooks? Ooooh, sorry. You have to walk barefoot over all these hot coals while juggling three lit sticks of dynamite first.")
Alas, password recovery techniques can also be used maliciously. Other people can exploit simple password recovery measures by using any number of tactics that do not require guessing or cracking your password. One tactic is social engineering, such as calling an organization's customer service center and pretending to be the victim. Personal information is widely available online these days (just ask the NSA). That can make it trivial for someone to impersonate you by correctly answering password recovery security questions like "What is your dog's name?" Chances are, you've already posted that particular bit of personal information on Facebook or some other social outlet.
To counteract such threats, companies like Google, Apple, Facebook, Twitter, Dropbox, and PayPal are now offering—although not requiring—a form of security known as two-factor (or multi-factor) authentication. Distilled to the basics, two-factor authentication is a process that combines two out of the three common authentication types. The authentication types are:
- Type 1, or knowledge factor, which is something that you know
- Type 2, or ownership factor, which is something that you have
- Type 3, or inherence factor, which is something that you are
Most current two-factor implementations use a combination of knowledge and ownership. For example, an online service can send a text message to your mobile device, which is something you have, when someone begins the authentication process by entering your user name (or e-mail address) and your correct password, which is something you know. The mobile device is used as a token. You might use it to receive a voice message or a text message that contains a one-time verification code. The code is typically a one-time use series of digits that you are required to provide to the online service in addition to the correct password. Because only you should have received the code on your mobile device, only you should be able to enter the correct verification code. Aside from mobile devices, smart cards and security keys, which are small devices that either receive or calculate valid authentication codes, are also ownership factors.
Inherence factor authentication is typically biometric, such as the use of fingerprint or retinal scanners to verify you are who you say you are. Biometric technology is not as ubiquitous as passwords or smart phones. Therefore, we don't currently see much everyday two-factor authentication that pairs inherence factor authentication with either knowledge factor or ownership factor. However, it is important to know about all three types of authentication if you plan to obtain a security certification, such as CompTIA Security+ or the Internet Security Consortium's Certified Information Systems Security Professional (CISSP).
It's also important to not confuse two-factor authentication with what can be called two-step authentication or strong authentication. Technically, you could build a two-step authentication system that does not require the use of two separate authentication factors. For example, some online services require that you input the answer to a security question, such as your dog's name, after you have successfully authenticated by using your user name and password. Because your dog's name is something you know, not something you have or something you are, such sites are really only asking you to provide two different layers of knowledge factor authentication. Because the two layers of knowledge factor authentication in such a scenario are not combined with a form of ownership factor or inherence factor authentication, such a system uses two-step authentication, not two-factor authentication. Further confusing things, both Google and Apple refer to their two-factor authentication systems as two-step authentication.
So, if you enable two-factor authentication on all your online services that support it, you'll finally be guaranteed protection against any kind of account compromise, right?
Nope. Wrong again.
Although Apple in particular had the foresight to disable any type of customer service–based password recovery options you had before you enabled two-factor authentication, there are still (and there always will be) ways to get at your data. For example, even if an attacker can't social engineer a way through a customer service call, the attacker could still wind up with your mobile device, or token, via theft. If your mobile device is a smart phone, chances are the thief now not only has access to any e-mail accounts or store accounts that you have established on the device, but also to any text message or voice codes sent to the device by the authentication service. The best method of defense against such a scenario would be to use something other than your smart phone as the token device. Unfortunately, that would mean carrying two phones or some other kind of device in addition to your smart phone, such as the PayPal Security Key.
Naturally, with customer service recovery no longer an option, Apple had to provide some kind of recovery assistance if you forget your password. Therefore, if you sign up for Apple's two-factor authentication process, you are also provided with a "Recovery Key," which is a static string of characters that you can use to recover access to your account should you ever forget your password or lose your token device. The problem with this strategy is the storage requirement. Apple recommends that you print or write the Recovery Key and store it somewhere other than on your computer or mobile device. Why? Because the computer or mobile device can be lost, stolen, or potentially accessed by a third party. And what happens if your Recovery Key is compromised? That's right. The whole two-factor authentication setup is moot because the person who swiped your neatly hand-printed Post-it® note off your fridge now has your Recovery Key and can access your account with it.
Even so, two-factor authentication does provide a layer of complexity to account access above simple knowledge factor authentication. Additionally, more online services are supporting it. In fact, it is becoming easier to implement thanks to companies like Authy, which provides an application programming interface (API) that enables developers to include two-factor authentication services in their own projects. CloudFlare, a Web site security and acceleration service, uses Authy to power its two-factor authentication, and an Authy plugin is also available for users of the Wordpress blogging platform.
Perhaps someday we'll get to a point at which the only means of accessing data is by using a retinal scan, your thumb print, or your death certificate, in which case there might be a black market boom for false death certificates and Play-Doh digits. Still, why would you limit your protection against the zombie apocalypse to only the boards you've tacked up across windows and doors when you can add whole new layers of doors for them to have to crash through as well?
Lock photo: Chad Cooper