Twitter and Apple recently got it. Google, Microsoft, Facebook, and Amazon have had it for a while. But why is two-factor authentication important?
Two-factor authentication or 2FA adds an extra step to your basic login procedure. Without 2FA, you enter in your username and password, and then you're done. The password is your single factor of authentication. The second factor makes your account more secure, in theory.
Jon Oberheide, a two-factor authentication expert and co-founder and Chief Technology Officer of Duo Security
Twitter made the decision to use SMS to deliver its second factor, because it makes sense from their position
Jim Fenton, Chief Security Officer at OneID, an enterprise password replacement system.
Two-factor authentication does help, but Twitter is a high-value target and it needs to be protected like one
What is two-factor authentication?
Two-factor authentication adds a second level of authentication to an account login. When you have to enter only your username and one password, that's considered single-factor authentication. 2FA requires the user to present two out of three types of credentials before being able to access an account. The three types are:
- Something you know, such as a Personal Identification Number (PIN), password, or a pattern
- Something you have, such as an ATM card, phone, or fob
- Something you are, such as a biometric like a fingerprint or voice print
Is it hard to use?
Depending on how the account vendor, such as Twitter, has implemented it, it can be a minor inconvenience or a major pain.
Much also depends on your patience and your willingness to spend the extra time to ensure a higher level of security.
Fenton said
while two-factor authentication makes it harder to log in, it's not "hugely" so. An attacker might be able to collect a cookie or an OAuth token from a Web site and essentially take over their session. So, 2FA is a good thing, but it does make the user experience more complicated... It's done when you're logging into an account on your device for the first time, for example.
Will it protect me?
It's true that two-factor authentication is not impervious to hackers. One of the most high-profile cases of a compromised two-factor system occurred in 2011, when security company RSA revealed that its SecurID authentication tokens had been hacked.
Fenton explained both sides of the effectiveness problem.
The thing that concerns me as a security guy is that people don't look at what the cause of the threats might be. 2FA mitigates the problems, but there are a lot of awful attacks that can run on 2FA.
At the same time, he said,
two-factor offered more protection than logging in without it. When you make an attack harder, you're disabling a certain subset of the hacker community.
Is 2FA vulnerable to hackers?
To hack two-factor authentication, the bad guys must acquire either the physical component of the login, or must gain access to the cookies or tokens placed on the device by the authentication mechanism. This can happen in several ways, including phishing attacks, malware, or credit card-reader skimming. There is another way, however: account recovery.
Journalist Mat Honan's accounts were compromised by leveraging the "account recovery" feature. Account recovery resets your current password and e-mails you a temporary one so that you can log in again.
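The recovery weakness described above, modelled as an added example that is not from the article or from either company's products: a toy Python service whose second factor is an RFC 6238 TOTP code from a device, and whose recovery path either waives that code after a reset (weak) or keeps requiring it (hardened). The service, the device secret, and the "mailbox" (recovery simply returns the temporary password to whoever controls the mailbox) are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
import struct

STEP = 30  # seconds per TOTP window (RFC 6238 default)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // STEP)

class AuthService:
    """Constructed single-account service: password = 'know', device secret = 'have'."""

    def __init__(self, password: str, device_secret: bytes, strict_recovery: bool):
        self.password = password
        self.device_secret = device_secret
        self.strict_recovery = strict_recovery  # selects the recovery design
        self.recovered = False  # set by the recovery path, cleared on next login

    def second_factor_ok(self, code: str, now: int) -> bool:
        # Accept the current window and one on either side to absorb clock drift.
        return any(hmac.compare_digest(code, totp(self.device_secret, now + d * STEP))
                   for d in (-1, 0, 1))

    def recover(self, controls_mailbox: bool) -> str:
        """Reset the password and 'e-mail' a temporary one; whoever controls the
        mailbox receives it (modelled by returning it; "" means no reset)."""
        if not controls_mailbox:
            return ""
        self.password = secrets.token_urlsafe(12)
        self.recovered = True
        return self.password

    def login(self, password: str, code: str, now: int) -> bool:
        if not hmac.compare_digest(password, self.password):
            return False
        # Weak design: right after recovery the temporary password alone logs in,
        # so whoever controls the mailbox controls the account.
        if self.recovered and not self.strict_recovery:
            self.recovered = False
            return True
        # Hardened design: recovery only resets the 'know' factor; the device code
        # is still required, so the mailbox alone is not sufficient.
        return self.second_factor_ok(code, now)
```

The point of the comparison is that a second factor only protects the account if every path that yields a session, recovery included, checks it.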
What's next for 2FA?
As two-factor authentication becomes more commonplace, attacks against it are likely to become more successful.
Oberheide said
Many of his customers start off thinking that implementing 2FA will be expensive or hard to use, but often find that their experience with it is the opposite. I think that will come faster in the consumer space because they're not dealing with all this cruft from the legacy of 2FA from the 80s. But older systems can have a hard time getting 2FA going. A few months ago we published the bypass of Google's two-factor scheme. It's not a ding against two-factor in general, but against Google's complicated legacy system.
Fenton noted that
increased adoption could create opportunities to refine the technology. Should we be planning now on designing something that can scale to large numbers of sites? It seems that 2FA is really exploding right now.
Despite its problems, Oberheide sounded an optimistic tone for two-factor authentication.
If we can increase the security and usability of 2FA at the same time, that's a Holy Grail that's often difficult to achieve