The Rise of Two-Factor Auth (and monopoles, quantum stuff)

The rise of mass password compromises has led to progressively lower-security services adopting two-factor authentication. First it was banks, which is understandable. Now it’s resume-sharing social network sites and the like.

As the commenters point out, it’s unclear whether people will put up with the extra hassle just to ensure some Tajikistani teenager doesn’t add obscure sexual practices to their resume. Additionally, two-factor auth for the masses seems limited to SMS codes and occasionally a smartphone-based app, which I think sucks. I don’t really want to give my cell number to random websites, or put the battery in my phone just to log in somewhere.

The article ends up concluding that a “something you have” solution (e.g. a TPM chip in your laptop) is the better way to fly. I’m not so sure… one of the key points earlier in the article is that people aren’t using just one device anymore.

Possibly the easiest but least user friendly solution would be to develop a challenge-response function people can compute in their heads. Instead of entering a password, users would mentally compute a response to some challenge code given a secret they chose ahead of time. Sadly, most people aren’t about to sign up for this.

A cross-platform challenge-response generator program (NOT written in Java kthx) is probably the most likely solution. There are already standards for this sort of thing, so it seems logical that websites start supporting any RFC 2549 (or whatever) compliant two-factor program. It’s probably only a matter of time before someone comes out with a Cryptocat-style two-factor hosted applet, as horrifyingly self-defeating as the thought might be.

Better still is a widely-used, widely-owned hardware platform. Consider here the chipTAN system used by German banks: a number of manufacturers make “chipTAN readers” which are sold online and retail. More or less anyone can use any “reader” with the online banking from any bank.

In order to execute a transaction, you insert your bank card into the calculator-like widget and hold it up to the screen, where a flashing barcode transmits an encrypted message to the bank card, which does its hash magic and displays the amount, destination account, and PIN code.

(There’s also an SMS based system available, for those who don’t want to buy the widget.)

By virtue of requiring two pieces of dedicated hardware, it’s not really feasible for social networks that don’t issue smartcard-equipped cards to their customers to use this exact system.
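To make the two ideas above concrete, here is an added example (my own code, not from the post or from any chipTAN vendor): the standardised software generator the “RFC-compliant two-factor program” paragraph alludes to is HOTP (RFC 4226), and the chipTAN-style reader differs from it by binding the code to the transaction details, so a code obtained for one payee is useless for another. The secret is the RFC 4226 reference key, the counter and IBAN are constructed placeholders, and the transaction-binding scheme is a simplified model in the spirit of chipTAN/OCRA, not the real chipTAN protocol.

```python
import hashlib
import hmac
import struct

def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: 4 bytes at an offset taken from the last nibble."""
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over an 8-byte big-endian counter, truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)

def transaction_code(secret: bytes, counter: int, amount_cents: int, iban: str,
                     digits: int = 6) -> str:
    """Transaction-bound code (simplified model of chipTAN, not its real protocol).
    The MAC covers the counter *and* the transaction details, so the code the
    reader shows for one amount/payee does not verify for any other."""
    challenge = hashlib.sha256(f"{amount_cents}|{iban}".encode()).digest()
    mac = hmac.new(secret, struct.pack(">Q", counter) + challenge, hashlib.sha1).digest()
    return _truncate(mac, digits)

def verify_transaction(secret: bytes, counter: int, amount_cents: int, iban: str,
                       code: str) -> bool:
    """Bank side: recompute over the transaction actually about to be executed
    and compare in constant time."""
    expected = transaction_code(secret, counter, amount_cents, iban)
    return hmac.compare_digest(expected, code)

if __name__ == "__main__":
    # Constructed values: the RFC 4226 reference secret and a made-up payee IBAN.
    secret = b"12345678901234567890"
    print(hotp(secret, 0))  # 755224, the first RFC 4226 test vector
    payee = "DE00 0000 0000 0000 0000 00"
    code = transaction_code(secret, 7, 1250, payee)
    print(verify_transaction(secret, 7, 1250, payee, code))  # True
    # A man-in-the-browser that silently swaps the payee gets a code that no longer verifies.
    print(verify_transaction(secret, 7, 1250, "DE99 9999 9999 9999 9999 99", code))  # False
```

The plain HOTP code is what a Zitmo-style SMS interception can replay; the transaction-bound code is why the chipTAN reader shows the amount and account on its own display before the user types anything in.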

Magnetic monopoles: Here’s an English-language version of the magnetic monopole / vortex article:

Quantum stuff: Entanglement works not just across space, but across time. Physicists have successfully entangled photons that exist at two different points in time, and used them to transmit data across space and time. Anyone have a plausible explanation for this that doesn’t involve the universe being a computer simulation?

“much like those other services, the move to a stronger form authentication is a reactionary one, coming on the heels of a hack that resulted in the leaking of more than six million passwords just about a year ago.

Inevitable and probably long overdue, two-factor authentication does indeed bolster the security of user accounts and reduce the scale of future attacks against a service, but there is a trade-off in convenience and usability. None of these services will provide an accurate count of how many are actually using what is in most cases a SMS-based PIN as a second form of authentication, because the number is likely relatively low.[…]

While two-factor authentication via hardware tokens or SMS PINs may be a way of life in some corporate settings such as financial services or government agencies, consumers in the U.S. especially have lagged behind. Most UK online banking customers, for example, must use a second form of authentication for certain high-value transactions or if they’re adding a new payee to their accounts.

“Users will absolutely ignore everything they possibly can to make it easier, faster and simpler,” said Michael Sprague, Wave Systems’ VP of web services. “You can tell them to use long, strong passwords, but if you don’t force them to, you will end up with a password called ‘password.’”

Two-factor authentication is not immune from attack either. Hackers have successfully circumvented SMS PINs for some time, the most notable via man-in-the-middle attacks on mobile devices. Zeus in the mobile, or Zitmo, has been a nuisance for some time, especially in Europe, as has the Ramnit malware family.”
