Industry Observations-Technical Insight

Two-Factor Authentication

What is two-factor Authentication?

In the most basic terms, and I’ll let those of you unfamiliar with the term do some more digging, it is an authentication process that requires two (or more for multi-factor auth) of the potential identifying factors.

  1. Something you know (passwords, security questions, etc.)
  2. Something you have (token, debit card, RFID chip/badge, etc.)
  3. Something you are (biometrics: fingerprints, iris scans, etc.)

The most common use of two-factor auth in circulation today is the ATM: swipe your card (something you have) and enter your PIN (something you know) in order to withdraw money.

Wikipedia: Link

Why should you care?

Well security of course! Why else are you reading this blog? 😉

If any one factor of authentication is compromised, the other is still required, which drastically reduces the odds of exploitation. If your password is stolen or intercepted, it alone will not be enough to take over your account. Debit card lost? No worries, even if you are in the habit of giving out your PIN or are using 1-2-3-4 as your PIN – the second factor is still unavailable to the adversary.

Why else should I care?

Lots of very popular services you use every day are enabling 2-FA to help make their users more secure. The list includes, but is not limited to, Facebook, Google (Gmail), and now Twitter.

Turn these features on. Seriously.

How?

Somebody smart once said “If it’s not on by default it doesn’t count” about opt-in security features. I tend to agree, because the public at large will not care enough to figure out how to enable them. That is the reason most browser plugins and additional settings are ignored in most security research: the Internet as a whole will not use these things. The same holds for 2-FA, if not more so, because besides caring enough to turn it on you also have to care enough to go through an extra step every time you actually log in.

It also doesn’t help that most of these settings are buried multiple clicks deep in account settings pages.

Here are a few of the major ones so you can help protect yourself.

Google: This one is easy.

Advanced Sign In Security – Google Blog

[Image: Google authentication]

In your Google account settings, scroll down to 2-step verification. Then, on your iOS or Android phone, download the “Google Authenticator” app to make life easy. After you successfully enter your username and password, it will ask you for a code.

[Image: Google code]

It looks something like this on an Android device. The code lasts about 30 seconds before it is invalidated.

If you don’t have an iOS or Android device, the option is available to receive the code as a text message instead.

Facebook: Slightly more cumbersome to use, but still very effective and highly recommended.

Facebook Blog

Go to your Facebook Account Settings and click on the Security tab. Then check the box for “Login Approval”.

If you are security paranoid like me, you are most likely using Chrome in “Incognito” mode or Firefox in “Private” mode. Facebook doesn’t like this, hence my comment about it being a bit more cumbersome.

If you try to enable it in one of these private modes, this is what you will see.

[Image: Facebook 2-factor authentication]

This error occurs because Facebook’s 2-FA allows you to “save” known browsers so you don’t have to go through the token step every single time. In private mode saving the browser does nothing, so Facebook complains.

Go to the account page in a normal browsing mode and you’ll see this:

[Image: Facebook authentication]

Enable this and Facebook will send a text message with a code to the phone number attached to your account. That is the second factor: whenever you want to log in, you’ll get an SMS message.

It is slightly slower and more intrusive (SMS rates, etc.), and SMS interception techniques have been demonstrated in the past, so this is attackable. That all being said, it is still highly recommended: the attack complexity goes up multiple factors, and most attackers will not go through all the trouble unless you are a high-profile account worth hours of effort to hack.

Twitter: This is new! Super shiny and awesome.

Improvements to Login Verification – Twitter Blog

Twitter implemented SMS 2-FA a few months ago but recently updated the security feature to include a more secure and easier-to-use method: using their iOS or Android apps as the verification method.

In iOS:

[Image: Twitter authentication]

Go to settings.

[Image: Twitter authentication]

Click on the account you’d like to enable 2-FA on.

[Image: Twitter two-factor authentication]

Turn Login Verification on. Voila! You’re all set. Next time you try to log on to Twitter you’ll get a push notification on your phone asking you to verify. That’s it! No code to enter, no SMS, nothing!

Android steps for those interested:

[Image: Twitter authentication Android]

Click Settings.

[Image: Twitter authentication Android, step 5]

Click the account you’d like to enable 2-FA on.

[Image: Twitter 2FA]

Click Security.

[Image: Twitter authentication, final step]

Enable Login Verification. Voila!

The public/private key methodology Twitter implemented is great, and even the backup code for when you lose or don’t have your phone is a great security feature. If you’re interested, please make sure you read the Twitter blog post I linked at the top of the Twitter section, and if you want more of the technical nitty-gritty: https://blog.twitter.com/2013/login-verification-on-twitter-for-iphone-and-android

That’s it?

That’s it. Enjoy your heightened sense of security!

-Matt Johansen

@mattjay