Is two-factor the savior for secure logins?

Summary: A pair of security experts laud the renewed interest in two-factor authentication, but say there are other improvements needed to tighten security around end-user logins.


The rise in interest around two-factor authentication among embattled online service providers may look like the solution to securing end-user logins, but it is only one piece of a long-term project, according to a pair of security experts.

Just last week, Evernote became the latest service provider to commit to offering a two-factor authentication option to its end-users. A hack of the company's systems forced it to reset 50 million passwords.

Already, Facebook, Google, Dropbox, Amazon, Microsoft, PayPal, and Yahoo are committed to two-factor authentication options for end-users.

Twitter, which was hacked last month and lost 250,000 passwords, is under pressure to join the group and offer two-factor authentication, which requires a second piece of identification in addition to the usual password before access to computer resources is granted.

There is no question that forms of two-factor authentication can increase security around end-user logins, but by itself, a two-factor system is not a universal remedy.

"This is an incremental win, and it is generally good that [this interest in two-factor authentication] is happening," said Gunnar Peterson, managing principal at Arctec Group. "Initial authentication needs to get stronger, but for sure, it is not a panacea."

Peterson pointed out that two-factor is not new. The technique itself is not in question, but historically users often found its extra steps burdensome, and lost or forgotten hardware tokens drove abandonment or creative workarounds.

Many providers, such as Evernote and Google, offer two-factor only as an option, not a mandate. So despite all their efforts, the tightening of the security screw is left to the proverbial weakest link in the chain, the end-user.

But Peterson said that it's a positive development that service providers are getting creative in using techniques such as SMS and smartphones, devices that users want to carry and that help two-factor scale.

"It's nice to see that some of these hurdles are being cleared," he said. But today, there is a lot of "silver bullet frenzy" around the topic.

Jeff Stollman, principal at Secure Identity Computing, said the details around two-factor authentication are not always clearly explained, and that leads to poor decisions.

"Deployment is often pushed by regulators, but how it should be done is not defined," he said.

In-band factors, such as answering security questions, are notably weak, given that they are prone to man-in-the-middle attacks. And answers to the personal questions they ask often can easily be discovered online or in social media accounts.

"Two factor needs to be out-of-band; either a token or a mobile phone," said Stollman. On a scale of one to 10, if authentication is a one, out-of-band two-factor can increase security to a three or a four, he said.

With these methods, users are either sent a code that they enter to complete the login, or they carry a token that produces a piece of data proving who they are, which is presented to complete authentication.
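The code-based flow Stollman describes is, in practice, a one-time password that the server generates from a shared secret and the current time and then checks against what the user types in. The following is an added example, not code from the article or from either expert; it assumes the standard HOTP/TOTP construction (RFC 4226 and RFC 6238) that authenticator apps use, and adds the two server-side checks a practitioner would want: tolerance for clock skew and rejection of a code that has already been used once. The demo secret is a constructed value (it happens to be the RFC test-vector key).

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the current time step."""
    return hotp(secret, int(now // step), digits)


class OtpVerifier:
    """Server-side check of a code the user received out of band.

    Accepts the current time step and +/- `drift` neighbouring steps (clock skew),
    but never a step at or below the last one already consumed, so a code that was
    intercepted once cannot be replayed within its validity window.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, drift: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.drift = drift
        self.last_step = -1  # highest time step consumed so far

    def verify(self, code: str, now: float) -> bool:
        current = int(now // self.step)
        for delta in range(-self.drift, self.drift + 1):
            step = current + delta
            if step <= self.last_step:
                continue  # already consumed (replay), or older than a consumed step
            expected = hotp(self.secret, step, self.digits)
            # Constant-time comparison so response timing does not leak matching digits.
            if hmac.compare_digest(expected, code):
                self.last_step = step
                return True
        return False


# Constructed demo secret (also the RFC 4226 / RFC 6238 test-vector key).
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    verifier = OtpVerifier(DEMO_SECRET)
    t = 59.0
    code = totp(DEMO_SECRET, t)
    print("code:", code)
    print("first use accepted:", verifier.verify(code, t))
    print("replay accepted:", verifier.verify(code, t))
```

The replay guard is what makes an SMS or app code genuinely "one-time": without `last_step`, a code read off a stolen or shoulder-surfed phone stays valid for the whole 30-second window plus the drift allowance.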

Of course, mobile devices are a blessing and a curse. They weaken out-of-band methods when users log in to services from the same phone that receives the code, which negates the second factor.

"The smartphone has the ability to simultaneously weaken two-factor because you are going to be using Facebook, Google, Twitter from that device, and is that really another factor if you are pushing your credential back through it," said Peterson. "Just because that happens on another channel, is that really as secure as something like a smart card."

The two-factor movement is also being pushed by the fact that companies don't have to dramatically change or update infrastructure to enable the technology.

"Evernote can roll changes out without re-doing its entire site or re-doing its entire API," said Peterson. "It's an isolated change that offers a lot of security for a little bit of work, and that is always a good thing."

But there are other factors to consider, especially around the service providers' own infrastructure: how accurate their initial identity proofing is on the front end, and what they have changed in their back-end plumbing to address session management problems, data leakage, SSL implementation errors, or inaccurate authorization data, any of which could lead to a host of vulnerabilities.

Peterson likened it to installing a bright new shiny sink and connecting it to 110-year-old plumbing.

"I would prefer people target the structural and strategic problems as well," he said.

He mentioned techniques such as risk-adaptive access control that recognize use and behavior, along with fraud and attack models that drive intelligence into authentication and authorization tools.

And he said device features such as GPS or geo-location could be resources to help improve authentication from the client side. Even techniques like shaking the phone or speech recognition could provide an identifying factor.
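Risk-adaptive access control of the kind Peterson mentions works by scoring each login against what is known about the user and deciding whether to allow it, demand the second factor, or refuse. The following is an added sketch of that decision, not code from the article or either expert; the signals (new device, country change, travel speed between logins, using the device GPS or IP geolocation Peterson alludes to), their weights, and the thresholds are invented for illustration, and the device identifier and location are assumed to be supplied by the client or an IP geolocation lookup elsewhere. The sample history and login events are constructed.

```python
import math
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class LoginEvent:
    user: str
    device_id: str   # assumed: device fingerprint or persistent cookie
    country: str     # assumed: from IP geolocation
    lat: float       # assumed: GPS or IP geolocation
    lon: float
    ts: float        # Unix seconds


@dataclass
class UserHistory:
    known_devices: set = field(default_factory=set)
    last_login: Optional[LoginEvent] = None


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


MAX_PLAUSIBLE_KMH = 1000.0  # about airliner speed; faster than this is "impossible travel"


def risk_signals(event: LoginEvent, history: UserHistory) -> List[Tuple[str, int]]:
    """Return (signal name, weight) pairs that fired for this login (weights are illustrative)."""
    signals: List[Tuple[str, int]] = []
    if event.device_id not in history.known_devices:
        signals.append(("new_device", 30))
    prev = history.last_login
    if prev is not None:
        if prev.country != event.country:
            signals.append(("country_change", 25))
        hours = (event.ts - prev.ts) / 3600.0
        if hours > 0:
            speed = haversine_km(prev.lat, prev.lon, event.lat, event.lon) / hours
            if speed > MAX_PLAUSIBLE_KMH:
                signals.append(("impossible_travel", 50))
    return signals


def decide(event: LoginEvent, history: UserHistory) -> str:
    """Map the summed risk score to an action (thresholds are illustrative)."""
    score = sum(weight for _, weight in risk_signals(event, history))
    if score >= 70:
        return "deny"
    if score >= 30:
        return "step_up"  # require the out-of-band second factor before proceeding
    return "allow"


def record_success(event: LoginEvent, history: UserHistory) -> None:
    """After a successful (possibly stepped-up) login, remember the device and location."""
    history.known_devices.add(event.device_id)
    history.last_login = event


if __name__ == "__main__":
    # Constructed sample: last successful login from a known laptop in Minneapolis.
    history = UserHistory(
        known_devices={"laptop-1"},
        last_login=LoginEvent("alice", "laptop-1", "US", 44.98, -93.27, 0.0),
    )
    same_place = LoginEvent("alice", "laptop-1", "US", 44.98, -93.27, 3600.0)
    new_phone = LoginEvent("alice", "phone-9", "US", 44.98, -93.27, 7200.0)
    far_away = LoginEvent("alice", "desktop-x", "RU", 55.75, 37.62, 3600.0)
    for ev in (same_place, new_phone, far_away):
        print(ev.device_id, ev.country, decide(ev, history), risk_signals(ev, history))
```

The point of the "step_up" outcome is that the second factor is demanded only when the login looks unusual, which keeps the extra steps Peterson says drive users away out of the common case while still covering the risky one.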

Moreover, two-factor has not proven immune to human error or human manipulation. Researchers found holes in Google's two-factor system based on a number of integrations gone wrong across the back end of its services. And the infamous foundation shaker of 2011, the RSA SecurID hack, began with phishing on the client side and ended with previously unimaginable exploits on the back end.

"The way security works is we raise the bar and the hackers try to jump over it," said Peterson.

"Does two-factor raise the bar? It raises it some percent, but do I think that hackers will not be able to clear that bar? No, I think they will still be able to clear it."

But it doesn't mean that two-factor authentication won't push the ball forward.



John Fontana is a journalist focusing on authentication, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he also blogs about industry issues and standards work, including the FIDO Alliance.



  • For Some Time...

    It will help for some time. Savior tech? No. And it's unlikely anything will ever be.
    Creative minds find their way...
  • Mobile fail...

    The problem with Smartphones is, if the smartphone is stolen and they try and log in to a service, they also get the SMS! On the other hand, if you don't have your phone handy, how do you log in?

    Plus, in my office there is mobile signal, so I have to run upstairs, wait for a signal, wait for the SMS, run back down to the basement.

    A secure token is a much better idea, IMHO.
    • secure token is subject to similar drawbacks as a smartphone

      You can lose your token generator, and have it stolen, just like a phone. I'd argue that a smartphone is slightly better, in that you can screenlock your phone and you're more likely to notice it's missing, or at least notice it sooner.
    • If you lose your phone, the thief doesn't have your password.

      So, you're still secure. But, the concern about using the phone in low-signal areas is certainly valid. I live in a weak-signal area and can't count on my cell phone working 100% of the time.
  • Remember The Three Factors... enumerated by Bruce Schneier:

    * Something you know (e.g. a password)
    * Something you have (e.g. a physical key)
    * Something you are (i.e. biometrics)

    Effective two-factor authentication is based on choosing two DIFFERENT ones of these.
  • The weak link is the service providers themselves.

    First, the number of attempts should be limited, after which the account is locked down. The second easy to implement is IP domain tracking. Don't allow a Moscow IP access to a Minnesota account by default. This includes specific IPs from VPN services. Computers are only anonymous because the industry allows them. Many of the 'attacks' that governments complain of could be prevented using similar strategies. Is it really rocket science that a Chinese IP should not be allowed to connect to a defense department network? I do recognize that all attacks cannot be stopped, but certainly they could be slowed down. Domains have addresses, owners, and traffic can certainly be tracked back; owners of networks can start taking some responsibility for managing their networks instead of managing their bandwidth. At some point countries will have to come together and agree on a reasonable protocol for tracking computer crimes and prosecuting them. Ideally this should involve cutting connections of countries that don't cooperate.

    There is one thing that will have to be accepted, ultimately; there is no truly 'secure' networked computer.

    As far as Facebook and Twitter? Who cares?! Those are entertainment sites where people publish public information; people should never trust damaging information by putting it on the internet in the first place. When a person cannot hear and/or see the voice of the person they are talking to, they should not be sharing confidential information in the first place.
  • Sometimes Fails Too

    Some time this technique will help out!
    Mostly won't help with mobile,
    If a mobile is stolen then this is very hard to work out !
    • Re: If a mobile is stolen then this is very hard to work out !

      That's why we have TWO factors: so if one is lost or stolen or otherwise compromised, the system is not immediately rendered insecure.
  • We should be chipped!

    For the 'something you have' it should be a microchip (RFI chip) inserted under the skin (like pets have). That way you can't lose it. RSA keys are easily lost/stolen. If phones and computers could read these wireless chips, then wouldn't it be worth having one inserted in your arm so you could never lose it? It could be purely voluntary.
    It would be far more convenient than carrying a passport and safer too. There would need to be a pin sent to it before it transmitted the information back though (big flaw in current oyster/wireless credit cards!).
    Also, short passwords should not be permitted - they should ask for a password phrase not 'word' - e.g. 'you will never guess my password is zorro' for one site and 'you will never guess password is doris' for another, etc. still easy to remember but a lot more difficult to crack.
  • Not everyone has a smartphone!!!

    I have a stupid phone. It just makes phone calls. I have no need of a smartphone, and I would object most strenuously to having to buy one just to be able to access my on-line accounts. I am sure a lot of folks with Yahoo or Hotmail accounts don't have a cell phone at all. I have friends who make do with a landline phone.

    Furthermore, I travel regularly to places that have no phone service of any sort. Lots of high-end nature travel goes to places that offer internet connection, but no phone service. An example is wilderness hiking lodges that have satellite internet but no phone, or only satellite phone for emergencies. For reasons I am too non-tech to understand, satellite phone costs several dollars per minute to use, while satellite internet is cheap enough for a wilderness lodge to offer to its guests at no cost. Cell-phone-based two-factor authentication would completely cut off people in such locations from access.

    OTOH, it's really not that hard to create a password that nobody is going to guess: Close your eyes, hit ten keys at random, and then memorize it.
  • Biometrics

    I know a company called Authenware that claims that their software recognizes who is typing the user/password; it recognizes the way you type.