Wired hack rekindles urgency for wider use of two-factor authentication

August 10th, 2012

The hackers who, on a whim, devastated Wired reporter Mat Honan’s digital life, got their 15 minutes of fame this week.

The simple trickery they used was clever, but nothing new, and certainly didn’t require much technical hacking skills.

Honan detailed in this Wired story how hackers tricked an Amazon rep over the phone into revealing the last four digits of his credit card number. Next, they used that information to persuade an Apple rep to reset his AppleID password, which enabled them to wipe clean his iPhone, iPad and MacBook, destroying all of his files, including irreplaceable photos of his young daughter.

Honan

That caper has put a spotlight on a long running debate as to whether web companies that aim to strike riches delivering consumer cloud services, ought to bear the burden for assuring the person logging into an online account is who he claims to be.

Apple iCloud, Google Apps, Amazon’s Cloud Drive, Microsoft’s Windows Live and most other web services that require you to create an account rely on single-factor authentication, also referred to as knowledged-based authentication, or KBA.

But some banks – and, notably, Google Gmail – offer two-factor authentication, which brings into the process something you have. The style of two-factor that  has gained the most traction involves issuing  a single-use PIN code to your cellphone. When doing certain transactions, such as resetting a password, or transferring a large amount of money, you must retrieve the PIN and enter it along with your username and password.

So is it time to mainstream two-factor authentication? Here’s what three authentication experts told Last Watchdog:

Chris Brennan, CEO, NetAuthority

Brennan

Many of the current strong authentication solutions are expensive, difficult to manage and scale and frustrate user experiences.

Companies constantly trade-off a stronger authentication solution in fear that poor users experience will drive them to other service providers. Users aren’t apathetic, they are frustrated. They will change services if their information has been compromised, which is making companies sit up and take notice.

The real issue here is that username and password are not sufficient methods of identification. The reality is that “what I know” is likely posted publicly in social websites providing critical answers to traditional methods of challenging user identity. This is not sufficient or adequate. The right strategy is to introduce an additional factor that is irrefutable.

Todd Feinman, CEO Identity Finder

Feinman

Brute force password-guessing and social engineering happens every day, and 99% of the incidents never make news. Over the last few years we have seen an increase in data breaches that have led to passwords and personal information leaked online. There are massive databases containing username and password combinations that criminals test against banks, email providers, and other online services. Because of rampant password reuse, many of these hacks are successful. The identity thief’s hope is that they hit a financial institution like paypal where they can withdraw money. The scope of the fraud is hard to quantify, but we know millions of passwords are stolen each year.

Consumers should avoid storing personal information that could lead to identity fraud in an unprotected manner. Shred any files they no longer need and encrypt the files they do. They can use strong passwords and avoid password reuse as well as turn on multifactor authentication when available.

Consumers can download a free copy of Identity Finder to search their computer for personal information that could be used to commit identity theft by going to www.identityfinder.com/free

 Stephen Cobb, security evangelist, ESET

Cobb

Based on several decades spent observing patterns of system abuse, I would say it is extremely likely that a. more hacks like this are possible, b. more people than ever are looking for them right now, c. not all of those people have honorable intentions.

In technical terms the online world currently suffers from an atrocious conflation of identifiers with authenticators (your phone number, email address, and Social Security number are identifiers, not authenticators).

This situation is compounded by a widespread failure to implement shared secrets effectively (the name of your first pet is not a shared secret and asking for all the digits of my pin number is profligate and inviting of interception). Underlying all of this mess is an excessive reliance on single-factor authentication and an alarmingly widespread misconception that multiple authenticators = multi-factor.

Multi-factor authentication refers to the three factors: A. Something you know, like a password; B. Something you have, like a physical key, C. Something you are, like your face or your fingerprints or the veins in the palm of your hand. Asking me for two or three or more pieces of information that I know is not multi-factor authentication.

Why large companies with big research budgets get things like this wrong is hard to fathom and it strikes me as unfair to force consumers to become security experts just to safely navigate services for which someone is paying (either the consumer themselves or the people paying for ads on ad-supported sites or within ad-supported apps and services).

 –By Byron Acohido