(This blog was originally written for Bangalore Mirror – http://www.bangaloremirror.com/bangalore/others/Two-factor-authentication/articleshow/52169477.cms with Kiran Jonnalagadda and Beli Bopaiah)
Anyone who’s been alive long enough will remember the act of locking their desk drawer (or briefcase) with a shiny metal key. Today they’d store virtual files on a laptop – and instead of a keyhole, they’d be confronted with a ‘login screen’ with a little rectangle indicating where they could type in their ‘password’ – a secret word that they’ve memorised.
The problem with having a secret word is that we all live in fear of picking a word so secret, we forget it ourselves. So we take shortcuts. We write it down on a little piece of paper conveniently within reach. We use the same password on multiple websites. We use the name of a person we care about. Or – and this happens a lot – we simply use the word “password”. Clever, huh?
The problem with this approach is that anyone can write a little program to run through all the words in the dictionary (or a baby names list), along with the usual tweaks such as a capital letter, a trailing “!” or a birth year, and try them one by one until one of them matches your password. This is trivial for the average computer, which can test hundreds of thousands of candidates in minutes, and far more if the attacker has stolen a copy of the website’s password database and can test guesses offline without the website noticing. This is called a “brute force attack” because it uses nothing more than a computer’s ability to do repetitive tasks, trying one possible password after another; the version that tries likely words first is also called a “dictionary attack”.
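To make the previous paragraph concrete, here is a small dictionary attack, added as an example and not part of the original column. It targets an unsalted SHA-256 password hash of the sort found in a stolen password database; the wordlist and the two victim passwords are constructed for the demo (real wordlists run to millions of entries and real attackers use GPUs):

```python
# Added example (not the page's code): a dictionary attack against an unsalted
# SHA-256 password hash, the kind of thing an attacker runs against a stolen
# password database. The wordlist and the victim passwords are constructed
# for the demo; real wordlists run to millions of entries.
import hashlib
import time
from typing import Iterable, Iterator, Optional, Tuple

WORDLIST = ["password", "letmein", "priya", "rahul", "bangalore", "cricket"]  # constructed


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256, the way badly built sites store passwords."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def candidates(words: Iterable[str]) -> Iterator[str]:
    """Each word plus the 'clever' tweaks people really use: a capital letter,
    all caps, a trailing '!', a trailing number, a trailing year."""
    for word in words:
        for base in (word, word.capitalize(), word.upper()):
            yield base
            yield base + "!"
            for n in range(100):
                yield f"{base}{n}"
            for year in range(1970, 2017):
                yield f"{base}{year}"


def crack(target_hash: str, words: Iterable[str]) -> Tuple[Optional[str], int]:
    """Try every candidate in order; return (password or None, guesses made)."""
    attempts = 0
    for guess in candidates(words):
        attempts += 1
        if sha256_hex(guess) == target_hash:
            return guess, attempts
    return None, attempts


if __name__ == "__main__":
    # "Rahul1985" is a name plus a year; "x7#Qp!2z" is the nonsense kind of
    # password the next paragraph recommends. Only the first one falls.
    for pw in ("Rahul1985", "x7#Qp!2z"):
        start = time.perf_counter()
        found, n = crack(sha256_hex(pw), WORDLIST)
        elapsed = time.perf_counter() - start
        print(f"{pw!r}: found={found!r} after {n} guesses in {elapsed:.4f}s")
```

Six words become 2,682 guesses once the tweaks are applied, which is why a name plus a year is no safer than the name alone; the nonsense password survives because it is never generated, not because the attacker ran out of time.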
What if you were smart enough to use nonsense words and symbols? Congratulations, your password is indeed better. But you’re no longer like the average person who isn’t so careful, and this is a problem if you manage IT security at a bank and a customer is on the phone sobbing about all their money disappearing from their account.
Password theft happens in many ways and using a difficult password won’t protect you all the time:
- Shoulder surfing, in which someone watches over your shoulder while you type in an ATM PIN (or in similar public situations).
- Vishing: A caller claiming to be from the bank dupes victims into revealing their passwords.
- Phishing: Links sent over email or SMS perfectly impersonate a target website (banking, email) duping people into entering their password.
- Keyloggers: A “virus” or other malware infecting a victim’s computer that captures keystrokes (passwords included) and sends them back to its masters.
- Man-in-the-Middle Attack: An entity (most often, software) eavesdrops on and modifies traffic at any point between your device, your WiFi router, and your ISP. If you bought a WiFi router and installed it without changing the default password, there is a real chance that someone has already taken it over across the internet and is now using it to spy on you.
- Man-in-the-Browser Attack: A man-in-the-middle attack conducted by malware inside a victim’s web browser, often a browser extension that claimed to give you extra smileys or emoji.
Security professionals have known for a while that passwords are too hard for the average user, a lot harder than telling someone to be careful with their keys. What if a password could be more like a key, something you have rather than something you know? Or better, use both?
This is the idea behind “two-factor authentication”, where you prove your identity to a service provider by demonstrating both that you know your password, and that you have some kind of physical object that no one else has. Question is, exactly how does a website verify that you’re currently possessing some physical object? Maybe if your computer can somehow communicate with it?
Everybody has a mobile phone these days, and every mobile phone is capable of receiving an SMS, so what if the service provider sent you an SMS and asked you to type back the number received? This is the idea behind the “One Time Password” or OTP SMS your bank sends when you do a financial transaction.
Mobile phones are a recent phenomenon, but the idea of using a physical object has existed for decades and the industry has come up with many ways to do this, some of which are superior to an SMS, although at additional cost.
Let’s look at the sort of things you can have:
- You have a phone and it’s capable of receiving an SMS. The service provider sends you an SMS with an OTP. Almost everybody has an SMS-capable phone, so this is by far the most common mechanism. However, sometimes the network is congested and your SMS doesn’t arrive on time. Since it’s transmitted over radio, anyone with the appropriate radio equipment sitting anywhere in your neighbourhood can also receive it, just like in a spy thriller. Unlikely to happen to you, but you never know.
- Remember the discussion we had in the last column about how encryption works? Your bank now sends you a little device (like an RSA SecurID) that displays a number that changes every 30 or 60 seconds. The number is computed by a cryptographic algorithm from a secret key baked into the device, and the bank holds a copy of the same key. When you type in the number on the website, the bank computes the same number from its copy and knows you’re in possession of this little device, and nothing depends on an SMS arriving on time. This is called a “Time-based OTP” or TOTP because the constantly-changing number is derived from the current time, which means the device and your bank’s servers must keep reasonably well-synchronised clocks. If an attacker somehow manages to steal a number from you, it’s only good for the seconds left in that window, and without the secret key they can’t predict what the next number will be.
- That little device your bank sent you is a small computer powered by a watch battery. Your phone is also a computer that can keep time, so why can’t your phone do the same thing? Download the Google Authenticator or Authy apps from your phone’s app store. When you enable them on a website, it shows you a QR code containing the secret key, the app scans and stores it, and from then on the app produces the same changing numbers a hardware device would. They work with many websites including Gmail.
- While Google Authenticator and Authy are very convenient, your bank most likely doesn’t support them. Banks insist on an SMS or their own hardware dongle. If you operate multiple bank accounts, pretty soon you’ll have a bagful of these devices. To get around this problem, several companies joined hands to form the FIDO alliance and agree on common standards so you can use one device with multiple service providers.
- There’s another problem with TOTP, whether you use a physical device or your phone. You went to your bank’s website and entered the number, but is it really your bank’s website? Is that URL saying ICICI or 1C1C1? The number ‘1’, uppercase ‘I’ and lowercase ‘L’ all look similar, so if you’re not in the habit of looking at the letters carefully, you may not even notice, and a six-digit code typed into a fake site can be relayed to the real one within seconds, while it is still valid. The FIDO alliance decided to solve this problem with their “Universal 2nd Factor” (U2F) specification, a hardware key that you plug into your computer. Instead of showing you a number to type, the key signs a challenge sent by the website, and the browser includes the address of the site you are actually on in what gets signed, so a response produced on a look-alike site is worthless at the real one. If you use the Chrome browser, it recognises this security key automatically, and there is never a code for you to enter into the wrong website. Firefox and others plan to add support soon. YubiKey is a popular brand. The company that makes them recently gave away 500 keys at a conference in Bangalore, so chances are there’s someone around you that already has one.
Several companies have made it mandatory for their employees to use U2F keys, and you should consider using one too. Because it’s a public standard, any U2F key will work with any website that supports the standard.
At the very least, turn on SMS or TOTP-based authentication using your phone on all the websites you use frequently. Here’s a good list of websites where you can use them: https://twofactorauth.org
This may just save you from losing your entire digital identity one day.