Is a second-factor assist enough to rally web users against passwords?

Summary: I changed jobs to get a front-row seat to see if end-users can lead a culture shift and bring on stronger, more secure authentication

TOPICS: Security, Networking

Today was earmarked for my transparency story to reveal my new affiliation with Yubico, a strong authentication vendor that develops a unique hardware token known as the YubiKey. (Disclosure: I joined the company this week).

But my story's narrative so closely parallels what's been happening this week that it is best examined against that backdrop.

I have found a perch with an interesting perspective on the modernization of multi-factor authentication, which looks like the first in a set of steps toward giving end-users the pitchforks and torches they need to chase passwords out of town and quiet the breach epidemic.

The Apple hack this week and last month’s Russian hacker pilfering of 1.2 billion passwords from 420,000 websites are just reinforcing my notion that strong authentication is the first upgrade needed to DARPA’s relic – the password.

If just half of the people who secretly raced to iCloud earlier this week to delete their own naked selfies would agree to adopt at least two-factor authentication (2FA), we may have a revolution on our hands. (Of course, Apple also has to retool and take the lip service out of its 2FA implementation.)

But let’s be real, it won’t be proselytizing that saves the day, it will be the demands of embarrassed celebrities, frustrated social media junkies, empty-pocketed credit card customers, privacy victims and shamed corporations.

What’s needed is a cultural shift, an attitude adjustment and a willingness by end-users to slightly alter their behavior. It's the third factor: humans.

The bad news is that this has never been easy, and it’s not often successful. The good news is that innovative technologists have never shied away from disrupting the status quo.

Coincidentally, many of the reasons I was attracted to Yubico have been revealed by this week’s events, and by events over the past year or so that have resulted in millions of stolen passwords. The current username and password schemes are old, tired, and need an exit strategy. Something needs to be done.

If we can’t kill passwords today, the best thing going now from an awareness and usability perspective is pairing passwords with a strong authentication bodyguard. That combination has potential to slow the bad guys, and help protect data and privacy.

Let’s quit with deaf-ear advice on crafting longer, more secure passwords and make the strength happen in the second factor.

The emergence of modern, easy-to-use two-factor and multi-factor authentication options coincides nicely with the popularity of smartphones and other devices that can offer a second authentication factor. A nice combination of technology and end-user desire.

I was drawn to the USB-based YubiKey, which requires just a one-touch gesture to execute strong authentication. But there are other models in this space: SMS codes sent to mobile devices, software tokens and other methods that authenticate users with something better than a static password.

The field for solutions is wide-open given a multitude of use cases based on varying levels of security demands. While the industry always seeks a killer app to wipe out the incumbent, in this case a range of multi-factor options will come in a number of form factors and target specific use cases, industries and job titles.

The other half of the equation involves standards. In this blog, I have written on the pros and cons of other recent standards work, namely OAuth 2.0 and OpenID Connect, which combined begin to define an “identity stack.”

The next piece of that puzzle could well come from the FIDO Alliance, which could help erase some sins in 2FA’s past. The group plans to add to the “stack” a standardized authentication layer. This is where websites, applications and services, along with hardware and software devices, can plug in and spread 2FA solutions across the internet at scale.

FIDO technology is designed to work with web browsers and web-based applications. The FIDO protocols leverage existing device hardware such as TPM chips, fingerprint readers, microphones and cameras, and capabilities like Near-Field Communications, Bluetooth and One-Time Passwords, to enable multi-factor authentication.

Is there a pie in the sky with this 2FA infrastructure and client-side advancement? Sure, but that is the birthplace of innovation.

Multi-factor authentication is not the end game, but part of a journey that may eventually include multi-factor attributes and contextual authentication. All these models carry challenges. The inevitable failures, however, will foster advancement.

The technology, however, is not the hard part. Buy-in from end-users is the Holy Grail.

Perhaps Vladimir Katalov, CEO of ElcomSoft Co. said it best when he told TechTarget’s SearchSecurity reporter Brandan Blevins, "It is all about the human factor; it is not possible to protect your privacy and security using technical measures only."

But a good set of tools is always a great asset.

(Disclosure: My employer is a member of the FIDO Alliance)

John Fontana is a journalist focusing on authentication, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he also blogs about industry issues and standards work, including the FIDO Alliance.

  • Authentication and "contextual authentication."

    "Multi-factor authentication is not the end game, but part of a journey that may eventually include multi-factor attributes and contextual authentication. All these models carry challenges. The inevitable failures, however, will foster advancement."

    Hard to say what's "after" multi-factor. Not sure how you could improve on the concept itself, although the technologies can be plenty improved.

    "contextual authentication" sounds like a bit of a buzzword; preliminary research indicates it's really more of a method of assessing risk rather than an actual authentication method. Seems as if some people are playing fast and loose with the technical terminology.
  • Yubikey

    I love my Yubikey. It works great and is generally simple to use.

    I have the NEO, which I use with my smartphone to enable 2 factor authentication for my password safe - or rather I would, once Yubikey get a patch out for WindowsPhone on their new keys. The old script to enable WP support doesn't work on the latest batch, so I can use it with my Galaxy, but not my Lumia.

    The principle of the Yubikey is great and, apart from the WP issue, it works great.

    I even use the NEO with our corporate building entry system - it is Mifare compatible.
  • 2FA is only as good as the PIN on your phone

    I find it mind-boggling that people supposedly well-versed in "technology" recommend using the same device that contains the accounts to be secured for 2FA.

    How many of those phones are even protected with a screen lock PIN, and how many of those PINs are more than the default 4 digits?

    Why would you use an easily stolen and compromised device to secure accounts?

    And why, oh why, would you ever, EVER use the same device to protect the accounts that the accounts are accessed from?

    Give me your phone for a minute and I will lock you out of all accounts that have 2FA.
    • That's why

      I use the Yubikey for second factor, where I can.

      I can't even get at my password safe without the Yubikey. If I just have my PIN number, I can get on the phone, but I still need the master password and the Yubikey to get at the password safe.

      If I could use the Yubikey to unlock the phone, I would.
  • Here's the two factor we need...

    Bio-token via Bluetooth:

    1. Small bluetooth connected token which is worn on the belt, kept in the pocket, held in the hand, etc.
    2. It records your walking gait, the way you get up and down from a chair, the way you go through the door, and continuously sends these patterns, in encrypted form, to the phone.
    3. With it in range, you can enter a passcode, swipe pattern, etc., but without it, the phone is locked.
    4. On a periodic basis, or when suspicious activity happens, the phone requires answers to security questions outside the lock screen, and it includes at least one "panic" question in each session, such that if you answer it in a certain way, the phone locks down tight instead of opening.

    Until security is dummy proof in this kind of way, too few people will go to the trouble. Yubikey, for instance, requires a working USB port. But THAT requires that one physically take the key out to protect the PC... people forget.
    • Contextual

      I don't see a problem with contextual as a layer on top of multi-factor. Multi-factor can only have pretty binary rules, whereas contextual can consider things aside from the obvious, such as the device being used (which can be used to determine the suitability of various factors), the location of the user (in much the same way as credit card companies can use transaction locations to pinpoint suspicious activities), and other environmental factors that would make it harder to fool.
  • No smartphone

    I don't have a smartphone. I don't have texting. My phone just makes phone calls and that's all I need from a phone. So I get annoyed when web sites want me to sign up for text messages as part of their security. I'm supposed to spend several hundred dollars for a smartphone just so web sites can verify who I am???

    Now multiply by all the hundreds of millions of people who have website accounts but no smartphone. All this two-factor stuff would be a real windfall for cell phone manufacturers and service providers.