Two-Factor Authentication is not a Silver Bullet

Matt Asay points to Adobe’s recent security breach as a reason to increase adoption of two-factor authentication. He notes that many of the passwords in the leaked Adobe dataset were weak, such as “123456,” and argues that asking people to maintain numerous complex passwords is not a workable fix, since most people cannot remember them; two-factor authentication, he concludes, is a better solution than complex passwords. In reality, while two-factor authentication does help mitigate weak user authentication, it is not “the answer” to consumer security that Asay makes it out to be. The main reason is that weak passwords are not the greatest security risk users face. A second reason is that two-factor authentication is non-trivial to implement correctly. Finally, security is a state that depends not on a single control but on a multitude of variables, which makes strong security an extremely difficult and complex goal. Increasing security for users cannot be achieved through a single measure; it requires a holistic approach and changes in how society views and implements security.

Two-factor authentication can, and does, ameliorate weak user passwords, but, as the Adobe leak shows, it does nothing to protect you, the user, from poor security implementations on the service side. Adobe had numerous security issues that gave a malicious actor access to its systems, but one of its worst mistakes was failing to protect user credentials adequately. Instead of storing passwords with a strong one-way hashing algorithm, Adobe encrypted them with an outdated block cipher, Triple DES, which is reversible by anyone who recovers the key. Worse, the encryption was applied without a salt or any per-record variation, so identical passwords produced identical ciphertexts; anyone holding the dump can group accounts by password and concentrate guessing on the most common entries without ever recovering the key. Most mass data breaches and leaks, according to Symantec, occur because of human error or system issues, not weak passwords. Attacks on banks, credit card companies, insurers, retailers and the like are the main way ordinary people’s personal data is released en masse. These threats are not addressed by two-factor authentication but by strong encryption and sound security practices; if anything, this is the issue Asay should have pointed out. And even when it is implemented, two-factor authentication still does not guarantee your account will not be compromised.
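To make the Adobe mistake concrete, here is an added example, written for this post and not Adobe’s code or anything recovered from the breach, that contrasts unsalted ECB-style password encryption with salted one-way hashing. The Triple DES block function is replaced by a keyed deterministic stand-in built from HMAC so the script runs on the Python standard library alone; that stand-in, the demo key, the PBKDF2 parameters and the sample password list are all assumptions. The leakage it shows does not depend on the stand-in: with no salt and no chaining between blocks, equal passwords produce equal ciphertexts and equal 8-byte prefixes produce equal first blocks, so a holder of the dump finds the most popular password without the key.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import List, Tuple

BLOCK = 8  # Triple DES block size in bytes

# Constructed demo key (assumption). The point of the example is that the leak
# below happens even while this key stays secret from the attacker.
DEMO_KEY = b"constructed-demo-key-not-from-any-real-system"


def _block_cipher_stub(key: bytes, block: bytes) -> bytes:
    """Stand-in for one Triple DES block encryption (assumption: ECB mode's
    leakage depends only on the per-block mapping being keyed and deterministic).
    HMAC is used purely so the script needs no third-party cipher library."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def ecb_encrypt_password(password: str, key: bytes = DEMO_KEY) -> bytes:
    """Unsalted ECB-style encryption of a password, the pattern Adobe used.
    No salt and no chaining, so equal passwords give equal ciphertexts and
    equal 8-byte prefixes give equal first blocks."""
    data = password.encode("utf-8")
    pad = BLOCK - (len(data) % BLOCK)
    data += bytes([pad]) * pad  # PKCS#7-style padding to whole blocks
    return b"".join(
        _block_cipher_stub(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK)
    )


def most_common_ciphertext(ciphertexts: List[bytes]) -> Tuple[bytes, int]:
    """Attacker-side analysis of the dump with no key: identical ciphertexts mean
    identical passwords, so the most frequent entry is the most popular weak one."""
    return Counter(ciphertexts).most_common(1)[0]


def share_first_block(a: str, b: str) -> bool:
    """Second ECB leak: passwords with a common 8-byte prefix are visibly related."""
    return ecb_encrypt_password(a)[:BLOCK] == ecb_encrypt_password(b)[:BLOCK]


SALT_LEN = 16
ITERATIONS = 200_000  # assumption; slows offline guessing, raise as hardware improves


def hash_password(password: str, salt: bytes = b"") -> bytes:
    """Salted, slow, one-way storage with PBKDF2-HMAC-SHA256. Returns salt || digest.
    A fresh random salt per record makes equal passwords look unrelated."""
    if not salt:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


# Constructed sample of stored credentials; "123456" is deliberately the most common.
CONSTRUCTED_DUMP = ["123456"] * 5 + ["password1", "password2", "hunter2", "correct horse battery"]

if __name__ == "__main__":
    dump = [ecb_encrypt_password(p) for p in CONSTRUCTED_DUMP]
    top, count = most_common_ciphertext(dump)
    print(f"most frequent ciphertext {top.hex()} appears {count} times (no key needed)")
    print("password1 and password2 share a first block:", share_first_block("password1", "password2"))
    stored = hash_password("123456")
    print("salted hashes of the same password differ:", stored != hash_password("123456"))
    print("verify correct / wrong:", verify_password("123456", stored), verify_password("123457", stored))
```

The hashed side is what the post asks for: a per-record random salt, a deliberately slow derivation so each guess costs the attacker real work, and a constant-time comparison on verification. Note that salting alone would already break the grouping attack, but hashing is what removes the single key whose compromise unlocks every record at once.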

Two-factor authentication, even when properly implemented, is not a silver bullet. Numerous malicious actors have defeated the two-factor authentication of various services. In part this is because of how two-factor authentication gets implemented: its complexity often produces weaknesses that crafty attackers can exploit. Even Google has had trouble getting two-factor authentication reasonably secure, as have major players like Twitter, Apple and Dropbox. As the linked stories for each vendor show, poor two-factor implementations have either added little extra security or potentially made users even less secure. Furthermore, two-factor authentication, which is now required for online banking, has been effectively bypassed by malicious actors using everything from man-in-the-middle attacks to Trojans that specifically watch for two-factor logins; the infamous ZeuS Trojan has been doing this for years. This is possible in part because of the weak security of the endpoints, or even of intermediate nodes in the network, through which a transaction passes. Bruce Schneier identified this in 2005 in his article “The Failure of Two-Factor Authentication.” As Schneier notes, a far more effective approach is to focus not on authenticating the user but on authenticating the transaction, which brings us back to the main theme of this post: singular and simplistic security solutions cannot address the complexity of a changing security environment. What is required is a more holistic approach if we are ever going to make systems more secure.

Following Schneier’s idea of authenticating transactions gives an actual, demonstrable security increase at little cost to users. Authenticating a transaction means evaluating whether it is likely to be legitimate by looking at a number of signals, such as the device initiating it, its IP address, geolocation, timing, the account’s transaction history and many other factors, much as credit card networks already do. What is attractive about this approach, again like credit cards, is that very little attention is paid to the individual and barriers to access are greatly reduced, which is what Asay seems mainly concerned with: the ease of use of applications. Implementing such systems is not particularly difficult, and many vendors now sell software or services that validate transactions, but there are no easy fixes. To really make systems more secure for users, and to reduce fraud and identity theft, we need standards that keep pace with the evolving state of security. At minimum we need basic requirements that personal data be encrypted at rest and in transit, that passwords be hashed, that transactions receive at least minimal authentication, and that behavioral traffic monitoring defend the systems holding user data from intrusion. Other security experts can no doubt name more minimum requirements, and that goes to the real point of this article: there are no silver bullets in security. Security is always evolving and inherently complex, and it requires a holistic, defense-in-depth approach.
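As an added example of the transaction-authentication idea (illustrative code written for this post, not a vendor product or Schneier’s own design), the script below scores a single transaction against the account’s history using the signals listed above: the device, IP address, country, geolocation, timing since the last transaction and the typical amount. The weights, thresholds, the speed limit used to detect impossible travel, the account profile and the three sample transactions are all assumptions constructed for the demo. The interesting outcome is “step-up”, which means asking the user to confirm the details of this particular transaction over a separate channel rather than asking them to log in again.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import List, Set, Tuple

# All weights and thresholds are assumptions chosen for the example; a real
# deployment tunes them against its own fraud history.
WEIGHT_NEW_DEVICE = 30
WEIGHT_UNUSUAL_COUNTRY = 25
WEIGHT_LARGE_AMOUNT = 25
WEIGHT_IMPOSSIBLE_TRAVEL = 40
AMOUNT_MULTIPLIER = 5.0      # flag amounts above 5x the account's typical amount
MAX_PLAUSIBLE_KMH = 900.0    # roughly airliner speed; faster than this is impossible travel
STEP_UP_AT = 25              # confirm this specific transaction out of band
DENY_AT = 70


@dataclass
class Transaction:
    account: str
    amount: float
    device_id: str
    ip: str
    country: str
    lat: float
    lon: float
    when: datetime


@dataclass
class AccountProfile:
    known_devices: Set[str]
    usual_countries: Set[str]
    typical_amount: float     # e.g. rolling median of the account's past transactions
    last_lat: float
    last_lon: float
    last_when: datetime


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    h = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def score_transaction(tx: Transaction, profile: AccountProfile) -> Tuple[int, List[str]]:
    """Score how anomalous a transaction is for this account; higher is riskier."""
    score, reasons = 0, []
    if tx.device_id not in profile.known_devices:
        score += WEIGHT_NEW_DEVICE
        reasons.append("unknown device")
    if tx.country not in profile.usual_countries:
        score += WEIGHT_UNUSUAL_COUNTRY
        reasons.append("unusual country")
    if tx.amount > AMOUNT_MULTIPLIER * profile.typical_amount:
        score += WEIGHT_LARGE_AMOUNT
        reasons.append("amount far above typical")
    # Impossible travel: the speed needed to get from the last seen location to this one.
    hours = max((tx.when - profile.last_when).total_seconds() / 3600.0, 1.0 / 60)
    km = haversine_km(profile.last_lat, profile.last_lon, tx.lat, tx.lon)
    if km / hours > MAX_PLAUSIBLE_KMH:
        score += WEIGHT_IMPOSSIBLE_TRAVEL
        reasons.append(f"impossible travel ({km:.0f} km in {hours:.1f} h)")
    return score, reasons


def decide(tx: Transaction, profile: AccountProfile) -> Tuple[str, int, List[str]]:
    """Map the score to an action: allow, step-up (confirm this transaction out of
    band), or deny."""
    score, reasons = score_transaction(tx, profile)
    if score >= DENY_AT:
        return "deny", score, reasons
    if score >= STEP_UP_AT:
        return "step-up", score, reasons
    return "allow", score, reasons


# Constructed sample data: an account usually seen from one laptop in New York.
PROFILE = AccountProfile(
    known_devices={"laptop-1"}, usual_countries={"US"}, typical_amount=60.0,
    last_lat=40.71, last_lon=-74.01, last_when=datetime(2013, 11, 20, 9, 0),
)
NORMAL = Transaction("acct-1", 45.0, "laptop-1", "198.51.100.7", "US",
                     40.71, -74.01, datetime(2013, 11, 20, 10, 0))
LARGE = Transaction("acct-1", 400.0, "laptop-1", "198.51.100.7", "US",
                    40.71, -74.01, datetime(2013, 11, 20, 11, 0))
HIJACKED = Transaction("acct-1", 2500.0, "unknown-phone", "203.0.113.9", "RO",
                       44.43, 26.10, datetime(2013, 11, 20, 10, 30))

if __name__ == "__main__":
    for tx in (NORMAL, LARGE, HIJACKED):
        print(decide(tx, PROFILE))
```

The user on the known laptop pays nothing for this: the routine purchase passes with no prompt at all, the unusually large one triggers a single out-of-band confirmation, and the session that suddenly appears on a new device in another country is refused outright. Because the confirmation step names the transaction itself, a Trojan that relays the login or a stolen one-time code does not help the attacker move money to a destination the user never agreed to.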




About ordo tacitus

This entry was posted by ordo tacitus in hacking, security.
