The title of this outpouring should be “2FA considered harmful” but articles containing ‘considered harmful’ are harmful and attract abuse from people who claim to know better. But 2FA is crap, and here’s why.
Although I’ve touched on my thoughts behind two-factor authentication’s problems before, I feel the problem deserves its own topic.
Anyone who has used Facebook, Twitter, Yahoo, Gmail, Hotmail, or any such cloud-based service will likely have heard companies claim that two-factor authentication (also called two-step verification) is the best way to secure your account. This is an outright lie.
I suspect they really want your number so they can sell it on. But let’s assume for a moment that their intentions are benign and they really do care about the security of your account; even if it is to try and save future public embarrassment when their service is hacked.
First, a little background: all good security is based on two (or more) independent sources of information. Conventionally, something you know and something you own. When these multiple sources are provided together, the result is deemed good enough proof that you are the rightful owner of the secured information.
A password is something you know.
A mobile phone is something you own.
Job done, right?
Wrong.
Here’s how two-factor authentication is supposed to work:
- You register for an account with a Service. Let’s choose Facebook.
- The company send you an email with a unique challenge token in it.
- You click the link and get taken back to the company’s site.
- The token is validated, hence they know you own the email address because the token is virtually impossible to fake, unless the system’s badly implemented.
One factor authentication done. Next:
- You supply your mobile number.
- They send you a text message with a unique code in it.
- You tap the code into a box in your account.
- They know you own the mobile phone to which the code was sent.
Two factor authentication set up. Great. They have two methods to contact you in the event you lock yourself out of your account, and thus you can prove who you are with just half the information.
One snag; your phone gets stolen. Now the security is useless:
- Ned Rotter has your phone.
- He swipes your pattern or enters your phone lock PIN (both easy to eye-ball prior to stealing the phone).
- On his own phone, he brings up the front page of Facebook and clicks the ‘forgot password’ link, entering your email address.
- He opens your email app on your phone, which is automatically available because the password is stored already (you find it a pain to type it in every time, after all).
- He retrieves the unique code and taps it in, then sets a new password.
Result: you’re locked out and, worse, can’t prove you own the account as Ned has the second factor in his sweaty palm.
In the unlikely event the email account is not logged in, Ned can phone up and request a code from Facebook (usually via text message) be sent to the phone in order to perform a password reset. Same result: you’re locked out and can’t prove you’re the owner of the account, whereas Ned can.
But I look after my phone
“Come on, Stef,” you’re thinking. “That’s no worse than any other dual-key system.” True in some regards. If you have a unique token generator key fob or USB access stick and lose it, you have a problem. If someone steals your wallet, you have a problem. But nowhere near as big as if your phone’s nicked.
Why? Because in all cases of carrying something that you own, you don’t write the damn password down with it. You don’t put your PIN in your wallet (ahem, you shouldn’t). You don’t write your secure access token password on the back of the fob. But with phones, you do. The password’s in there, logged in the whole time so the app/browser remembers it for you.
It’s plain stupid behaviour, but is there by design: for convenience. And the companies peddling 2FA know this, yet they gleefully tell you that enabling 2FA is a step up the security ladder. It’s not. The only worthwhile security measure in this flawed system is to use an incredibly tough phone lock code and protect it like it’s the key to the crown jewels.
Trouble is, the chances of you choosing a suitable phone lock are pretty much non-existent. You’re addicted to the Internet after all, and don’t have time to unlock your phone every forty seconds with a long sequence just to see life-changing messages from your Facebook friends. Even if you do choose something amazing, Ned can get round it (sort of) by performing a factory reset. Yank the battery out, put it back in and hold down a few keys at boot up. Job done in two minutes. Your data will be lost of course, so if the primary reason for stealing your phone is to look at your Facebook details (unlikely) then 2FA didn’t thwart the attack, but your phone lock did. Far more likely of course is that your phone was stolen to access your nudie selfies or to sell the device (or photos) down the pub in exchange for drugs. But that’s an aside.
Either way, 2FA is useless at securing your information, so don’t believe the corporate lies. It’s a slight step up as long as you don’t compromise on other security, and might be useful as a way to reduce the chance of social engineering attacks where people call up minimum-wage customer service representatives or those in other countries with dubious privacy laws and trick them into supplying personal information.
It’s far better to use more solid security wholesale – an awesome lock code, for example – and set your email system up so that you have to manually log into it in order to fetch your messages. You’ll be surprised how easy and quick it is to tap in even a 15 or more character code with practice. Muscle memory, not phone memory, for the win.
By using a good security policy and saying no to 2FA – or at least only enabling it via an app, not text message – you leave only one avenue of attack open: brute force. Either you, the password or lock code. Choose an awesome lock code and an awesome unique password for each account, commit them to memory and enter them every time. Yes, every time.
Supplying two methods of resetting your account to a service provider – and one of those being the laughably insecure SMS – you’re doubling your attack surface for little or no security gain, depending on how well you implement/guard other parts of your phone ecosystem.
Plus, giving your mobile phone number to corporations who can’t be trusted to even keep the most basic data about you safe is not such a good idea. When (not if) their system is hacked or an employee opens your record (by fair means our foul), there’s two readily-available pieces of personal info up for grabs instead of just one.
The only valid reason to supply them more information than necessary is because you enjoy being shot in the digital face when they’re hacked. And I happen to like my digital face. How about you?
Further text punishment? Try: Related articles
They call him Mr Lucky | Proof of irrelevance | Trial of convenience | The curse of the intermittent fault | Censorship for an Instant | Email without wires
Gimme your thoughts