2FA: Why the “Two” in “Two Factor Authentication” Matters

If you follow us on Facebook, you may have seen us post this link about Microsoft Office 365 and Google G Suite accounts that were compromised despite having two-factor authentication enabled. For those not in the know, I'll dive into how two-factor works, and why some "two-factor" services are better than others.

What You Know and What You Have

Two-factor is a method of authentication that uses two disparate parts: a part you know and a part you have. Historically, choosing a password, a word that only you or those you trust know, has been the main way of proving who you are to a computer system. A password is like a key to a door: once you let it leave your control, you can never be certain it isn't in the hands of untrusted parties unless you change it (or the lock). We now have over a decade of breach history proving that passwords on their own are not secure. No matter how strong you make your password, you also inherently have to trust that whoever you give it to won't be hacked and leak it. A locked door is useless if you have an open window.

Two-factor aims to bolster the strength of passwords by adding a second part to the authentication process: something that can't (reasonably) be copied or guessed. If you've ever seen a spy movie where someone has to get past a retinal or fingerprint scan (or even the gait analysis in Mission Impossible 5), you've seen biometrics, which are strictly a third category, "something you are"; for this post, the second factor is "something you have", usually your phone. Note that the fingerprint reader on your phone isn't a second factor by itself: if you unlock with a fingerprint instead of a PIN, you've just swapped "something you are" for "something you know", and it only counts as a second factor if it's used in addition to a password or code. Additionally, the fingerprint sensor on most phones only does verification, not identification: it can confirm that the finger it just scanned probably belongs to you, but handed a random fingerprint it could not easily tell whose it is (which is why you have to enroll your own fingerprints first).

Time Changes Everything

These days, most two-factor authentication is time based. There are several standards, but by far the most popular is TOTP (Time-based One-Time Password, RFC 6238). It's in use by Google, Facebook, Amazon, and many more large players. When you set it up, you use an app on your phone (I highly recommend Authy) and the service generates a random secret key and hands it to the app, usually as a QR code. From then on, neither side needs to remember anything about the moment of setup: both the app and the server take the current time, divide it into 30-second windows counted from the Unix epoch, and run the window number together with the shared secret through an HMAC (the HOTP construction from RFC 4226) to produce a 6-digit code. Because both the app and the service hold the secret, they both arrive at the same answer; because the code depends on the current window, it changes every 30 seconds. To use a stolen code, an attacker would have to intercept or phish it and log in before that window expires (servers typically also accept a window or so on either side to allow for clock drift on the phone). A well-implemented service also accepts each code only once, meaning that if the user logs in first, they win.

SMS Alternative

Many sites, such as Twitter and many banks, use SMS instead of an app, for ease of use. When you log in, they text you a code that is only valid for a short window. This looks like an equivalent technology, and may even be easier to use, but it's less secure. It's sadly very possible to convince the phone company to transfer your number to a new SIM (a "SIM swap"), meaning an attacker who knows your password can also receive the SMS code; at that point the "thing you have" is no longer in your hands. This has led to targeted attacks on the rich, popular, or those who might have political enemies. It's a very real threat, but not one most people need to worry about at the moment, since it only works as a targeted attack, one phone-company social-engineering call per victim. If you're not rich, famous, or a politician, you're probably safe to use SMS as a second factor versus using nothing; where a site offers an app-based code as well, prefer the app.

All in all, passwords as we know them create nearly as many problems as they solve, but they are not likely to go away any time soon. Having a second step standing between attackers and your data has become necessary, because it is now a question of when rather than if one of the sites and services you trust will be compromised.