Authentication is hard.
Users aren’t great at remembering passwords, and even if they are, hacks and other vulnerabilities can still happen. In recent years, application developers have started to implement additional features like two-factor authentication to help protect user accounts from unauthorized access – but it’s hardly perfect. In imperfect systems, two-factor authentication can be bypassed, and even in more secure ones, the users themselves can be hacked. As it stands, all forms of two-factor authentication have their own drawbacks, but thankfully there are alternatives that can be deployed to mitigate some of these issues and provide a more secure — and yes, usable — world for everyone.
What Exactly Is Two-Factor Authentication?
Two-factor authentication, or 2FA, is generally synonymous with the randomly-generated codes that get texted to you by your bank or — *shudder* — Facebook, but in actuality, 2FA is shorthand for the process of requiring two different pieces of private information in order to authenticate to a service or application.
What two different pieces of private information, you ask? Well, in a nutshell, 2FA would require you to present two of the following things to verify that you are who you say you are:
- Something you know (a password, a passphrase, a PIN, etc.)
- Something you are (your fingerprint, your face, your DNA, etc.)
- Something you have (a phone, a hardware token, a key, etc.)
Alongside something you know, the most commonly used second factor for authentication tends to be something you have (the growing ubiquity of FaceID and fingerprint scanners notwithstanding). While this can be loosely defined to mean anything from a skeleton key to a one-time pad, the following list outlines a few of the more frequently used methods.
The most commonly used method, SMS 2FA, is when an identity provider sends a user a text message with a one-time code to enter upon login. As far as usability goes, SMS 2FA is the easiest for less technical users to use, as it involves a technology they are already intimately familiar with.
Time-Based One-Time Password (TOTP) 2FA is what is utilized when users are asked to use an “authenticator app” to verify their identity. These one-time passwords are available offline and change on a set interval, meaning that even if the code is compromised, it is only valid for a very short period of time. TOTP 2FA is inherently more secure than SMS 2FA, but at the cost of usability for less technical users.
Universal 2nd Factor (U2F) Tokens are physical devices — typically a USB or NFC key fob — that users must present in order to verify their identity. These devices work by being plugged directly into or physically placed onto the machine being used to log into the account. While generally more secure than phone-based 2FA, these devices are at much higher risk of being lost or forgotten.
Larger identity providers like Google and Facebook have started to rely on Push-Based 2FA for authenticating users. Similar to TOTP 2FA in that it requires an app to be installed on a user’s smartphone, Push-Based 2FA triggers a push notification within an app that has already been authenticated to the target user. Rather than putting in a temporary code, users only need to verify from within the app that they are indeed the ones attempting to log in to their account.
Where Two-Factor Authentication Falls Short
While the proliferation of two-factor authentication as a concept was a leap forward in personal security hygiene, it’s hardly perfect. There are a number of ways in which an attacker may circumvent or manipulate 2FA once it has been introduced into an authentication workflow, such as:
Security can be complicated, which means that one of the biggest risks of 2FA is poor implementation. While there are a number of good third-party services that help make the implementation of 2FA into software applications easier, there are just as many poorly-considered implementations that are more theatre than security. One common — albeit overly-simplified — mistake is marking a user’s session as fully authenticated before the one-time code has been confirmed. This implementation, while seemingly innocuous, means that attackers can simply skip the 2FA page entirely, leaving the second-factor requirement effectively useless.
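The implementation mistake described above, beside its fix, as an added example that is not from the original article: the vulnerable flow promotes the session to authenticated on password success alone, while the hardened flow introduces an intermediate `password_ok` stage that every protected route refuses, and only a valid second-factor code promotes out of it. The user table, expected code and in-memory `Session` are constructed stand-ins for a real store and a real TOTP or SMS check.

```python
import hmac
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed demo data; a real service stores salted password hashes, not plaintext.
USERS = {"alice": "correct horse battery staple"}
EXPECTED_CODES = {"alice": "492039"}   # stand-in for a TOTP/SMS verifier's answer

@dataclass
class Session:
    user: Optional[str] = None
    stage: str = "anonymous"   # anonymous -> password_ok -> authenticated

def password_ok(user: str, password: str) -> bool:
    stored = USERS.get(user, "")
    return bool(stored) and hmac.compare_digest(stored, password)

def vulnerable_login(session: Session, user: str, password: str) -> bool:
    """The flaw: the session is fully authenticated as soon as the password checks out.
    The 2FA page that follows is only a redirect, so nothing enforces it."""
    if not password_ok(user, password):
        return False
    session.user, session.stage = user, "authenticated"
    return True

def hardened_login(session: Session, user: str, password: str) -> bool:
    """Password success only moves the session to an intermediate stage."""
    if not password_ok(user, password):
        return False
    session.user, session.stage = user, "password_ok"
    return True

def complete_2fa(session: Session, code: str,
                 verify_code: Callable[[str, str], bool]) -> bool:
    """Only a password_ok session may be promoted, and only on a valid code."""
    if session.stage != "password_ok" or session.user is None:
        return False
    if not verify_code(session.user, code):
        return False
    session.stage = "authenticated"
    return True

def can_access_account(session: Session) -> bool:
    """Every protected route checks the final stage, not merely 'a user is set'."""
    return session.stage == "authenticated"

def demo_verify_code(user: str, code: str) -> bool:
    """Constructed second-factor check standing in for a real TOTP/SMS verifier."""
    return hmac.compare_digest(EXPECTED_CODES.get(user, ""), code)
```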
In the case of SMS 2FA, SIM hacking is the largest risk. While most users have their phones on them at all times, that doesn’t necessarily mean they have access to their phone numbers at all times. Thanks to the amount of personal information that is spread across the web, attackers can successfully impersonate their targets and convince the phone company to simply assign the phone number to a new SIM card that they own. Try doing that to an app.
While SIM hacking involves convincing the phone company to do your dirty work, it is just as likely that attackers can convince the users themselves to give up their codes. By impersonating someone with the right amount of authority — think someone from their bank or Google support — attackers can trick users into just giving them their one-time codes or clicking on the little “authorize” button from their fancy push-based 2FA.
Not all operating systems are created equal — nor are all apps. Some have vulnerabilities, while others are downright malicious. While hardware-based U2F tokens and push-based 2FA are definite security improvements, they both assume that the cryptographic keys stored on the underlying device are safe and secure. This assumption, while “good enough” in some cases, is hardly something to rely on when dealing with sensitive information or even finances.
An Alternative to Two-Factor Authentication
Two-factor authentication, as is often implemented today, is a step up from the authentication methods of yesteryear — but it’s hardly a panacea. When poorly implemented, it’s effectively useless, but even when it’s implemented properly, it can lull users into a false sense of security and leave them vulnerable to phishing or even physical hacks.
At its core, the problem with 2FA as it stands today is trust. We trust that the extra resistance is enough to keep attackers out of our accounts. We trust that our devices are secure and aren’t leaking secrets. We trust that manufacturers know what they’re doing. But for a sufficiently high-value target, this trust is generally unfounded, and many companies have started taking a Zero Trust approach to security. If you always assume that the attackers are in the network (the call is coming from inside the house!), then the way in which you approach security changes.
Through a process of distributing only pieces of trust, such as through multiparty computation, there is no single point of failure. Many machines are required to authenticate users rather than just one. The attack surface is distributed, and thus diluted. In the case of two-factor authentication, this means not storing cryptographic keys in their entirety on any device, but instead storing pieces of them in multiple places and using all that fancy math stuff we all said we were never going to use after high school to verify them without ever actually looking at the keys.
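The idea of verifying a key that is never stored whole anywhere, as an added example that is not the article’s own or any product’s protocol: a two-party Schnorr signature over additive key shares. Each party holds only `d1` or `d2`, computes a partial signature with its own share and nonce, and the combined signature verifies against the public key exactly as an ordinary Schnorr signature would. The group parameters are a deliberately tiny toy (p = 2q + 1 with q = 1019, g = 4) so the arithmetic is visible; the login challenge message is constructed.

```python
import hashlib
import secrets

# Toy Schnorr group for illustration only: p = 2q + 1 with p and q prime, and
# g = 4 generating the order-q subgroup. Real deployments use ~256-bit groups.
P, Q, G = 2039, 1019, 4

def challenge(R: int, msg: bytes) -> int:
    """Fiat-Shamir challenge e = H(R || msg) reduced into Z_q."""
    digest = hashlib.sha256(R.to_bytes(2, "big") + msg).digest()
    return int.from_bytes(digest, "big") % Q

def keygen_two_party():
    """Each party draws its own share. The full key d = d1 + d2 (mod q) is never
    assembled; the public key is built from the public commitments g^d1 and g^d2."""
    d1, d2 = secrets.randbelow(Q), secrets.randbelow(Q)
    y = pow(G, d1, P) * pow(G, d2, P) % P
    return d1, d2, y

def partial_sign(d_i: int, k_i: int, e: int) -> int:
    """A party's contribution uses only its own key share and its own nonce share."""
    return (k_i + e * d_i) % Q

def threshold_sign(d1: int, d2: int, msg: bytes):
    """Two-party Schnorr: combine nonce commitments, then add the partial signatures.
    s = (k1 + e*d1) + (k2 + e*d2) = k + e*d, yet no party ever holds d or k."""
    k1, k2 = secrets.randbelow(Q), secrets.randbelow(Q)
    R = pow(G, k1, P) * pow(G, k2, P) % P          # g^(k1 + k2)
    e = challenge(R, msg)
    s = (partial_sign(d1, k1, e) + partial_sign(d2, k2, e)) % Q
    return R, s

def verify(y: int, msg: bytes, sig) -> bool:
    """Ordinary Schnorr check g^s == R * y^e; the verifier cannot tell the key was split."""
    R, s = sig
    return pow(G, s, P) == R * pow(y, challenge(R, msg), P) % P

if __name__ == "__main__":
    d1, d2, y = keygen_two_party()
    msg = b"login challenge 7f3a"                  # constructed server challenge
    print(verify(y, msg, threshold_sign(d1, d2, msg)))   # True
```

Real threshold schemes additionally run distributed key generation and commit to nonce shares before revealing them; this toy omits both and shows only the share-and-verify core.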
No codes, no texts, no problem.