Tuesday, October 20, 2020

Authentication Factor 2: Something you have, like your phone (Cybersecurity Awareness Month, Day 20)

Authentication token technology collection: code generator, cards, USB, NFC, phone

The security and privacy of your digital devices and accounts are threatened by people who have found that gaining unauthorized access to such things can be very profitable, as described in this article, illustrated with screen shots of criminal markets on the dark web. 

And for as long as Cybersecurity Awareness Month has been observed, improving people's understanding and use of passwords—sometimes referred to as password hygiene—has been a recurrent theme. This makes sense because passwords have been a major line of defense against unauthorized access to computers and their contents for more than 30 years. 

Even today, a surprising number of information systems and services rely on passwords alone for authentication. That means they are just one bad, guessed, or exposed password away from being compromised. Some of the limitations of passwords as an access control technology were described in yesterday's article. Today's article, written for Day 20 of Cybersecurity Awareness Month, focuses on another access control technology: a token or key that can add a second factor to user authentication.

Whereas a password is something you know, a token or key is something you have, a physical object of some kind. To control access to laptops and workstations, this token could be a card with a magnetic stripe on it or a key fob with a chip in it. It could be a USB device you plug into your computer. Or it could be a code-generating gizmo like the one on the left in this collection of nine tokens.

As you can see, this collection of tokens includes a couple of mobile phones. There are several ways in which these can be used as tokens, typically by providing you with what is called a one-time code. This has become popular with online services that want to add a second authentication factor to account access. The basic assumption is that you are in possession of your phone and that you control who can use it.

For example, when logging into a bank account online, a name and password are typically used as the first authentication factor. But when you see something like "please enter the code we just sent to your phone," that is the second factor, the something you have, namely: your phone. 

These codes are a "one-time password": basically a random-looking string of numbers and/or letters that expires very quickly. In fact, timing is very important to this type of technology, because the code generator is synchronized with the system you are logging into.

In the collection above you can see a token that looks like a calculator, but it is actually a code generator. During authentication, the account to which the generator is linked will ask you to type in the code that appears on that small screen. Note that you can't get a code from the code generating device without first unlocking it by using its keypad to enter the assigned PIN. So you are using something you know to protect something you have and tie it to the authorized user.  

A variation on sending a code to your phone is for you to use an app on your phone that generates the code. On the right you can see the Google Authenticator app, which can be used by other companies as well (Amazon being a prime example, with apologies for the pun).  

As I said in the previous article on authentication, I recommend using a second factor whenever it is offered. The "code to/on your phone" is the second factor most widely offered for online accounts and it generally works well. However, I would be the first to admit that it can be annoying at times (like when your phone is in the upstairs bedroom and you are logging on from your laptop from the downstairs living room). 

I should also note that 2FA systems which send a code to your phone can get complicated if you lose your phone, or it is stolen, or you move to another country. I will try to write out some tips for handling those situations in a later blogpost (one of those tips is to get a Google Voice phone number).

You be who, and you've been what?

The small blue USB key pictured in the collection of tokens is a YubiKey, which can be used instead of a code generator for two factor authentication. This technology can be implemented inside companies, for internal network security, or by individuals who want to add 2FA to online services such as Facebook, Google, and Dropbox. According to this WIRED article on how to start using a YubiKey, once it is set up, for example to use with Facebook, it works like this: 
"place your YubiKey into your USB port. Once plugged in, the key should show you a blinking light...press the gold disk in the middle of the key...With that, your hardware two-factor authentication key is activated. The next time you try to log in to Facebook, instead of using a six-digit passcode to verify your identity, you’ll be asked to insert your YubiKey and give it a touch."
The YubiKey is made by a company called Yubico, and I am giving them a shout out here because they recently sponsored some extensive research on password issues. It was carried out by the venerable Ponemon Institute, as discussed in this blog post, and it is available in full as a PDF at this link: The 2020 State of Password and Authentication Security Behaviors Report

The research findings show how heavily many organizations still rely on passwords, and why that is problematic. Here are some highlights: half of the respondents who worked in IT said they reuse passwords across workplace accounts (as did four out of ten individual users); 60% of IT security respondents said their organization relies on human memory to manage passwords (and 42% rely on sticky notes?); fewer than half of IT professionals require the use of 2FA to gain access to corporate accounts.

Remember what I said yesterday: passwords are susceptible to both "guessing by humans" and "deduction by software programmed by humans." Exactly how the latter works is not something I have time right now to get into here, but what I do want to share with you before I end this post is the fact that, once passwords are discovered, they tend to get shared.

When someone discovers someone else's password, that password is said to be pwned (slang based on "owned"). Right now there are over half a billion pwned passwords, as documented by the website known as Have I Been Pwned? These are "real world passwords previously exposed in data breaches." As it says on the website—which is entirely legitimate and safe to visit—"This exposure makes them unsuitable for ongoing use as they're at much greater risk of being used to take over other accounts."

In fact, you can go to that website and enter your email address to find out if any accounts where you were registered with that address have been breached, thereby exposing your password for that account. Don't be alarmed if you get a response like the one I did: "Oh no — pwned! Pwned on 10 breached sites." 

If you scroll down the page you will see details of which websites exposed your password, and it is likely that some of the breaches are quite old. But if you still have accounts at any of those breached sites, go and change your password for that site. And then think for a minute. 

Can you remember if you are still using the same password from any of the breached sites? If so, stop using it, anywhere. Also think about adding 2FA to your accounts. And if 2FA is not offered, learn more about what makes a strong password by playing with this password tester.

#BeCyberSmart
