Two-factor authentication won't protect Twitter, Google: OneID

Summary: Two-factor authentication is widely hailed as an effective way to protect accounts from takeover, but OneID founder Steve Kirsch believes it is not the answer to the kind of security breaches organisations are facing today.


Twitter is looking for an engineer to implement two-factor authentication for its users, but according to OneID founder Steve Kirsch, the feature would not have prevented the recent attack that exposed the account data of around 250,000 users.

Two-factor authentication adds an effective extra hurdle for would-be attackers trying to take over individual users' accounts, but it is not currently an option for Twitter users. Following the recent attacks on the site, many have called on Twitter to implement it. According to Kirsch, however, even if Twitter rolls the measure out, it would not have stopped this kind of attack.

Kirsch does not dismiss the effectiveness of two-factor systems against today's phishing attacks, but he said that take-up of the feature on services that already offer it is abysmal, so it does little to improve overall security.

"From a practical point of view, it would be like offering a feature that no one used," he said.

Because many attacks are opportunistic, with attackers and scammers going for the largest number of accounts they can compromise rather than any particular one, Kirsch said that an optional feature few people enable would barely change the outcome. Worse, he said, introducing two-factor authentication would hurt the user experience.

"Even adding a single character to a password in Twitter — if you require nine characters versus eight characters — even just doing that requirement measurably affects sign-up rates and so forth. Twitter wants to do whatever it can to make it easier for customers, and adding two-factor authentication is moving in exactly the wrong direction," he said.

"Even if they move to two factor, and even if everyone adopted it, which they wouldn't ... it'll make no difference."

The reason is that the most recent attack on Twitter did not target users' accounts at all; it targeted Twitter's own infrastructure. Because the attackers went directly after the servers holding Twitter users' password hashes, a second factor at login would have made little difference.

Kirsch acknowledged that user passwords are likely salted and hashed, but pointed out that attackers who have compromised a server deeply enough to retrieve the hash store can probably do worse. In particular, they can capture users' passwords as they arrive at the server, before the server hashes them for comparison, since the server must see the plaintext to do that comparison. Attacks of this kind have been documented for some time: sensitive data sent to a web server sits in plaintext in the machine's memory before it is processed, and anyone with sufficient access to that machine can read it there.

Kirsch said that at the centre of the attack is the fact that Twitter, like many organisations that already use two-factor authentication, relies on a "shared secret": a user password, whether it is eventually stored as a hash, a keyfile, or something similar. The server must hold something derived from that secret, and must see the secret itself at login time, and that is exactly what a server-side attacker goes after.

He argued for a better system, one in which even a completely compromised server would give an attacker no way to log in as its users. Such a system, he says, has existed for years.

Kirsch is pushing for companies like Twitter and Google to use public-key cryptography for authentication. In that model, attackers looking for account credentials would have no single point to break into, because the only thing held on the centralised servers is users' public keys, which by design cannot be used to authenticate. The private keys, the half of the key pair that actually proves identity, would stay on users' own devices, which also opens the way to removing passwords altogether. Note that what this protects is the credential: data the server itself stores about its users is still exposed if that server is breached.

"We basically said, let's take a clean sheet approach to the problem and design a solution that eliminated the use of shared secrets, used modern-day cryptography, and that made it user friendly. The result is a system that has the security that is far better than even using those hardware tokens and so forth, but yet has the ease of use of Facebook Connect."

As for why the approach has not been adopted more widely, Kirsch said that public-key schemes have so far been too complex and unfriendly for ordinary users, but that those days are numbered.

"It's the advances in browser technology; things like having HTML5 local storage, things like JavaScript, which is powerful enough to run these cryptographic algorithms; things like the invention of elliptic curve cryptography, which makes the computation very fast.

"All of these factors have come together to finally and after all these years — after 30 years — we can finally make this public key-digital signature world a reality. [Users] can essentially have one username, one password, that they can use everywhere and that even if there's a breach of any site, or multiple sites, that it doesn't matter. That will truly change usability for everyone."

Topics: Security, Google, Hardware

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

  • It still doesn't address the complexity.

    Or the fact that penetrating the server that authenticates the signing keys allows them to be completely broken.
  • It's about time!

    Public keys are much more secure and can be completely transparent to the user. Current MFA technologies are vulnerable to eavesdropping attacks.
  • Two-factor authentication won't protect Twitter, Google: OneID

    Current technology is itself good for the security... It's very easy to avoid this eavesdropping with the present one! But in this process it leads to authentication keys being broken...
  • Just a question

    If my private key is on my computer (or phone or whatever), and I am traveling and my device goes belly up, am I unable to access my account because my private key became MIA with my device? I don't always carry my laptop AND my phone with me, and don't ask me to carry a fob.
    • The inconvenience is not in carrying a fob...

      It's in carrying an entire pocketful of them. I'd be happy to carry one fob that operated multiple accounts.
    • Just FYI

      If you don't want to remember a password, don't want the insecurities of biometrics, and don't want to carry around a device, then your only option is a brain implant (as long as it can't be hacked) to protect you.

      The single best solution *is* unfortunately a fob/dongle/token/whatever you call it + some PIN/password for it.
  • Using public key authentication also has its problems

    Yes, it could prevent many accounts from being hacked at the same time on the server. But for the user, the private key saved on a PC or phone or tablet could get stolen without the user knowing it. That's very dangerous. Only 2-factor authentication can solve this problem.
  • Stealing your PC does not lose private key

    If your storage with the private key is stolen you are safe. The private key is encrypted with a pass phrase and is useless if you do not have it. The only way to break a secure phrase is called rubber hose decryption, beating it out of you. Of course they need both you and the data.
    • re: Stealing your PC does not lose private key

      Actually, brute forcing a password for a private key is quite possible without a rubber hose.

      StackExchange has a reasonable explanation of why/how

      If a device which stores my private keys was compromised (stolen/malware infected) I'd consider the keys at least suspect.

      The real issues with using public keys are:
      1) How do you handle multiple devices
      -- does each device have its own keys, or share the keys (in which case, if one is compromised, all my devices need new keys)
      2) How do I as a user enroll a new device
      -- what about temporary enrollments (internet cafes / airport lounge PCs)

      What is the problem that is being solved here? It's not a security one (if a site is compromised, so is your data on that site regardless of how you log in); as the article points out, (big) breaches happen through infrastructure weaknesses, and individual account breaches occur because of poor passwords. What is proposed seems mainly to solve a user convenience issue (same sign on), and there are many other ways to resolve that (OpenID/SAML/etc), which of course have their own sets of issues.