First, thanks everyone for your suggestions on what to cover in interest.co.nz’s new technology section.
Fifteen Yubico YubiKeys have been sent out to the lucky winners of the prize giveaway - congratulations.
The YubiKey draw sparked some discussion in the office as to what multi-factor authentication or MFA is, and how it can make a difference for security. Let's try to untangle some terms and technology.
The problem with passwords
Why do we need MFA then? Well, almost every site and application requires you to log into an account. This is usually done with a unique username and a password, which worked well enough when the Internet was young.
Unfortunately, there are plenty of pitfalls with a simple password-username login strategy. Passwords are hard to remember, particularly if you create ones complex enough not to be easily guessed.
It’s also tempting to reuse passwords that you do remember on different sites, which is a very bad idea.
You can be tricked (phished) into revealing passwords, sometimes through the helpful password reset function on sites; other times attackers simply ask you for it, or they create fake login pages that capture your credentials.
Passwords and usernames, which are more often than not email addresses, also leak out in hacks and data breaches, with the information being traded in cyber crime forums.
If you aren’t doing so already, get a good password manager. A password manager generates unique and strong passphrases, and remembers them for you. They can also audit existing passwords for reuse or insufficient complexity, and check against https://haveibeenpwned.com which tracks login credentials leaked in data breaches.
As of writing, HaveIBeenPwned lists 12,961,127,682 compromised accounts, a massive number that illustrates the size of the problem. By all means look up your email addresses used for logins on HaveIBeenPwned. Chances are you’ll find yourself in the database of compromised accounts.
Password managers and credentials monitoring are two helpful security strategies, but don’t stop there: make life harder for threat actors with MFA.
Adding another layer of authentication for protection
MFA implementations include at least two out of the three factors below:
- Something you know: a password or phrase, a personal identification number (PIN) or the response to a security challenge question.
- Something you have: a device like a phone, smartcard, or a hardware key.
- Inherence, or something that you are: biometrics such as fingerprints, facial and voice recognition, and the sci-fi style iris and retinal scans.
You can add further factors such as geolocation and window of time to MFA for even stronger security, using advanced algorithms and continuous monitoring, but let’s leave that for NSA and other intelligence agency spooks for now.
In simple terms, MFA adds defence in depth. Even if a remote attacker has your username and password, they’re missing the other factors required for authentication to succeed and can’t get into your account.
MFA isn’t fail-safe, and it is a trade-off between security and convenience. Nobody’s going to use MFA if its requirements are too onerous. Vendors are aware of this, and have worked hard to make MFA easier for everyday use.
Smartphones have become authentication devices
In practice, most of us come into contact with MFA through our smartphones simply because we carry them around with us all the time.
If the site (or app) you’re accessing supports it, you could use an authentication app for your smartphone. Most of the apps use the open standard Time-based One Time Password (TOTP) protocol and are easy to set up with QR codes.
After you’ve set up the authentication app and connected it to a site that supports it, you log in as usual. As an additional step, you’re asked to open the authenticator app, and enter a code displayed in it to get into the service or site in question.
Reputable authentication apps include Google Authenticator, Microsoft Authenticator, Authy, or the open source Aegis Authenticator. They go a long way towards making your logins secure.
Now, be careful not to lose access to the TOTP app or the device it runs on. It can be very difficult to get back into sites and applications without it. Follow any instructions on how to generate and back up recovery codes, or other ways to reset access, to the letter, and test that what you have set up actually works.
Smartphones and wearables can also be used to display authentication prompts. Xero does this, asking if you’re trying to log in with a prompt on your phone, or on your Apple Watch, which has to be unlocked.
You can also use a four-digit code from the Xero authenticator, which is less convenient.
Apple uses authentication prompts on devices in a similar fashion. When you log in to an Apple ID, a prompt pops up on your iPhone, Mac, or iPad.
This shows a map of where the login attempt is taking place. If you confirm it’s you logging in, a six-digit code is generated, or it’s read out via a robotic voice call. It's a convenient, built-in MFA if you have the budget for Apple hardware; Google offers a similar feature as well.
Newer smartphones have built-in hardware keys which, combined with biometric factors like facial recognition or fingerprint scans, or just a PIN or password, provide the MFA. It’s convenient and secure, although you’re dependent on having access to your device and a network.
We shouldn’t use codes sent via texts anymore but…
You can’t talk about secondary authentication on smartphones without mentioning the text messages with codes all of us are familiar with.
What’s great about SMS 2FA (it’s not MFA) is that it’s easy to use. It doesn’t require complicated setup or additional software or hardware, and the codes can be set to expire automatically after a specified amount of time for additional security.
SMS 2FA isn’t the most secure, unfortunately. Number porting attacks (also known as SIM swapping) in which someone takes over your mobile phone number could lead to the codes being intercepted.
What’s more, SMS is an old telco technology which was never designed for strong security. If a mobile provider’s network is compromised, codes sent via text messages could be intercepted.
Even so, in the vast majority of cases, SMS authentication codes are much better than nothing at all and beat verification via email.
If that’s what’s offered, use SMS verification. It probably won’t be around for much longer: the cost of application-to-person (A2P) messaging has shot up in recent years, so providers are looking for cheaper authentication alternatives.
Hardware keys take security up a notch
For the most robust account protection that’s still fairly convenient to use, separate hardware keys are the gold standard.
Google introduced hardware keys after a bad hack in 2009. Nine years later, Big G reported there have been no account takeovers since hardware keys were deployed.
Reverse proxy and content delivery network provider Cloudflare also used the physical keys to thwart a very clever phishing attack in 2022.
Google also runs the Advanced Protection Programme (APP or GAPP) for exposed people like journalists, politicians, business leaders and activists. This too uses hardware keys to authenticate users, and turns off SMS 2FA texts and Google Authenticator codes which are less secure.
Security conscious users who reach this stage start to learn about acronyms like FIDO (Fast IDentity Online), an open industry organisation that’s working on killing passwords, and its U2F (universal second factor) standard.
The hardware keys themselves are somewhat pricey little devices that work offline, with no network needed. With different connectors such as USB-A, USB-C, Apple Lightning, and even Near Field Communication (NFC) taps, the keys work on just about all modern devices.
If you go down this route, key management becomes crucial and you’re always feeling a bit paranoid that you’ve misplaced “My Precious” without which you can't log in. Having back-up keys, with at least one spare, is a must. They should be stored in a secure yet conveniently accessible location.
When you lose a key or it can’t be used, you also need to be able to remove it from the account(s) it protects.
Phishing attacks are very common, and can be deployed at scale and with automation. Even security conscious users can fall for well-crafted attempts. When that happens, MFA could prevent a “game over” situation with data and financial loss, and it’s definitely worth having that extra layer of defence.
9 Comments
In theory password managers always sit behind your firewall and don't actually connect to the internet.
The old hardware keys remind me of the ultimate defence on Cold War missile systems - a floppy disc! Which, like keys and phones can be and often are lost or damaged. At the end of the day the only realistically secure option is your biometric information, which can be cut off, pulled out, or modelled, but at least are very difficult to lose (unless you hang out with Serbian gangsters). But I don't like the idea of submitting my biometric information to a privately-owned company which can be hacked or otherwise influenced to use my information against my wishes. They already have my shopping and purchase preferences, my general location, my address. What else can they make money off?
There is no perfect solution.
Biometrics can be hacked as well, after all you are leaving them about the place every day. A photo of your face, a print that can be easily transferred & copied (super glue is cheap now to get decent readable prints from wherever you leave them). These are not the realm of spy movies but things even children can access to get CC details. Sadly though biometrics are never good when it is your single layer of security. Hence apps need multiple layers of security and governance checks.
Ironically hardware, hardcopy stored passwords are safer now than ones that can be accessed remotely, especially if they have services susceptible to online attacks. Online password managers have for ages been hacked and leaked etc. But again there should never be a single layer of security and if not at least 2 factor then do not go near it. Phones do not count as 2 factor much anymore as sim swapping has such a low bar for entry. Memory tests can add a layer of security unique to each person but only if those people are tested on memory not commonly available to others, and not stored anywhere.
Really the factor of why you have not been hacked is that you probably don't have enough money or are lucky to not be targeted that day. It helps if you don't go anywhere, don't buy anything, etc but even for banking now we are forced to accept weaker levels of security, e.g. the very insecure 1 factor apps, the even less secure payment cards, no identification of account ownership for payments etc. Banking is sadly one of those areas where security has traditionally been more backseat than what is needed for a typical email account.
A good password manager eg Bitwarden is pretty hard to hack, it's fully encrypted end to end, so even if somebody steals the server your passwords are as safe as your master password, and if you pair it with a Yubikey (preferably a couple of Yubikeys, in case you lose/break one) for MFA I think you're fine, unless it's the NSA after you. With Bitwarden you can also use phone based MFA, which utilises the fingerprint reader on most modern smartphones.
A really nice article by Juha with one glaring issue.
"Google also runs the Advanced Protection Programme (APP or GAPP) for exposed people like journalists, politicians, business leaders and activists."
One will never use Google if they want protection, privacy.
They use Proton in Switzerland.
On the advice of someone who works in the security area, hard-copy password recording and a hidden lockbox for the important stuff work pretty well.
And as to biometrics: don't. When your pass info gets hacked, while you can change passwords, how about your face or fingerprints?
The issue with 2FA managers is that someone may have a hundred 2FA keys, and that provider then may close down. Then you have a major job to move all your keys to another system. Banks such as Rabo actually give you a hardware 2FA token. Others will have 2FA built into their app. Some like ANZ still use SMS. The benefit of SMS is if you lose your device, you still own the phone number, so will still have 2FA. But that may not be the case if you lose your device with a 2FA app on it, and don't have the 2FA app synced to any other device.