May 2017
The case for Two Factor Authentication
There is no day that passes where we don’t hear about hacking of one kind or another. The most prevalent attacks are phishing attacks, because they are easy to carry out and the dividends for the hackers are pretty high. Here is another link that shows more statistics on phishing. Please note that the statistics are probably way underestimating the reality, because they are generally based on surveys. Since there is no legal requirement to report a phishing attack unless there has been a compromise involving personally identifiable information, there is no other database of phishing attacks.
Because of the advances in operating systems and other tools such as antivirus, malware and spyware protection as well as local firewalls, personal computing devices have become much harder to invade directly, unless of course, for a variety of reasons (including the cost of virus protection software), someone decides not to install and run these protection tools. In addition, browsers have become sophisticated in helping protect our information. Again, it requires some effort in terms of updating the browser and sometimes installing additional extensions, etc. I strongly recommend reading “Securing Your Browser” from US-CERT (Computer Emergency Readiness Team); however, use your discretion in reading it, given that it comes from the US government, which has a strong surveillance program. Maybe a few of their recommendations are there to help them gather your information 🙂
We all know the story: technologies are imperfect, companies roll out products that have flaws, the bad guys discover the flaws quickly and exploit them, the users who have too much faith in technologies fall for these exploits, and sometimes the results are devastating. The bad guys are all over the world, and it is the same technologies that have made our own lives simpler (such as internet banking) that come in handy for the bad guys to steal our money and information. We cannot go and sue the technology companies, because they have these long and undecipherable EULAs (End User License Agreements) written by expensive attorneys that basically say “Here is a great (sometimes crappy) product; we really are not responsible for this long list of possible breaches and other loss of information; use it at your own risk”.
So, it is incumbent upon all of us as users to take additional precautions to protect ourselves from attempts to compromise our computers or online accounts. Sometimes these protections may appear as an annoyance and an inconvenience. Would you rather be inconvenienced a little bit to safeguard your bank account and personal emails, or take the easy way out and face the larger inconvenience one day of finding that someone has transferred your bank balance or retirement money to another account? Or received your tax refund? These things have happened several times. Granted, the financial institutions now have methodologies to detect such issues and stop them in their tracks, but imagine something like this happening to you. You will be stressed to no end for days while the issue is getting resolved, not knowing what the resolution will be.
There is a solution that can help protect you: two factor authentication. Conceptually it is simple. In addition to the traditional password, you need to provide one additional piece of information that only you know or have, and that the service provider can validate. Early on, systems provided security questions (called knowledge factors), which are at best a weak form of two factor authentication, because a hacker can potentially answer some of those questions (such as your spouse’s name or the name of your pet) from stolen information (I know it is hard, but it is still possible).
A stronger two factor authentication uses the possession factor methodology. In addition to the password, you are required to enter a secure token that you and only you “possess”, which is validated by the service you are trying to access. In the early stages, this was used primarily by technology professionals in certain industries. They carried a physical device with them, like the RSA SecurID (the older model can be seen here). A fairly large number is shown on this device that you need to enter along with the password for the servers to verify you. These numbers change frequently and are unique to each device, so another colleague cannot use your token to authenticate. In order for a hacker to access your account, not only does he/she need to steal your password, but also your physical device. While not impossible, it is much harder.
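To show why a stolen password alone is not enough, here is an added illustration (not code from the original post) of how a possession-factor code is derived from a per-device secret and the current time, and how a server checks it. It implements the open TOTP standard (RFC 6238, used by common authenticator apps; RSA SecurID uses its own proprietary algorithm), with the RFC’s published test secret as the constructed sample key.

```python
import hashlib
import hmac
import secrets
import struct

# RFC 6238 test secret (ASCII "12345678901234567890"), used here as a constructed sample.
SAMPLE_KEY = b"12345678901234567890"


def new_device_secret() -> bytes:
    """Generate a fresh 160-bit secret when enrolling a device (one per device)."""
    return secrets.token_bytes(20)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the device shows hotp() of the current 30-second time step."""
    return hotp(key, int(at_time) // step, digits)


def verify_totp(key: bytes, submitted: str, at_time: float,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server side: accept the code for the current step plus `window` steps of clock drift.

    hmac.compare_digest avoids leaking which digits matched via timing.
    """
    counter = int(at_time) // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, counter + delta, digits), submitted):
            return True
    return False


if __name__ == "__main__":
    # The same secret yields a different code as time moves on, and an old code stops
    # verifying once it falls outside the drift window.
    print(totp(SAMPLE_KEY, 59), totp(SAMPLE_KEY, 1111111109))
    print(verify_totp(SAMPLE_KEY, totp(SAMPLE_KEY, 59), 59 + 30))   # True
    print(verify_totp(SAMPLE_KEY, totp(SAMPLE_KEY, 59), 59 + 90))   # False
```

A real deployment also records the last accepted time step per device so the same code cannot be replayed within its window.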
Whereas this method is viable for a small number of professions, it is not viable for a very large population. It is extremely hard to manage (people lose these devices, for example) as well as costly. With the proliferation of cell phones, two factor authentication using these phones has become fairly simple and relatively inexpensive.
One of the most popular systems is from Duo Security. Once you have been set up, whenever you log in to a service that requires two factor authentication, you have to provide the second factor in your possession. This can be done in one of many ways. For example, you can have Duo send a token to your cell phone, or you can install the Duo app and approve the login. You can also provide a landline phone number to which Duo can make a call and provide you with the token through an automated voice. Finally, you can also carry with you a registered USB device called a YubiKey that you plug into your computer’s USB port and touch to authenticate.
Is two factor authentication inconvenient? Indeed. Is it worth it? Of course it is. Initially you will need a period of adjustment, but then you will get used to it. Wherever two factor authentication is offered, take it! Your financial institutions most likely offer it, and we offer it at Wellesley. Sign up now…
Jasin Kessler
May 15, 2017 at 9:01 pm
Ravi, I appreciate your commentary on two-factor authentication. I’m pretty familiar with Duo and they are doing some really neat things. I’m about your thoughts on biometric security, namely voice and facial recognition. I’ve had some conversations with pioneers in this space but can’t figure out if this is the next great thing or has the makings of a creepy stalking tool.