The Untapped Potential of Two-Factor Authentication
Remote authentication traditionally depends on two factors: something the user knows, such as a password, and something the user has, such as a hardware token. This is called two-factor authentication (2FA).
In practice, something that the entity knows typically serves as the primary method of authentication. Passwords have long reigned supreme because they are simple to create. There has been some progress in the area of token-based authentication, but this method has yet to gain widespread acceptance. This might be due to the need to securely disseminate hardware tokens to users, not to mention the cost of the token and reader.
Before we speculate on the future of this technology, let’s take a look at the evolution of several forms of two-factor authentication.
As the internet grew more pervasive, passwords became ineffective — even when accompanied by a static digital certificate. A password could be easily stolen by a threat actor, who could then fully impersonate the user if the password was the only bar on the gate.
In one of the first forms of 2FA, one-time passwords (OTPs) were sent via short message service (SMS) to users’ phones. Of course, a user was required to enter a valid phone number to receive the SMS push, but there was no real way to verify that the number truly belonged to that user.
This kind of 2FA became popular rather quickly. It offered the feeling of additional security without inconveniencing users. Twitter, Facebook and Google adopted the method. In fact, the Social Security Administration was poised to adopt it as a primary method to authorize transactions.
However, threat actors quickly realized they could break SMS authentication by intercepting text messages containing OTPs. It wasn’t long before they developed malware that could hijack and redirect SMS messages, and launched social engineering campaigns to trick phone companies into rerouting texts. Recognizing these risks, the National Institute of Standards and Technology’s (NIST) “Digital Identity Guidelines” depreciated the method altogether.
And so the race for a replacement out-of-band authentication method began.
Authentication apps represented the next leap forward. These apps use the time-based one-time password (TOTP) algorithm, which combines a secret key with the current time via a cryptographic hash function to generate temporary, single-use passwords.
Like SMS authentication, this method is vulnerable to threats. If the implementation does not limit login attempts, for example, a threat actor could break it with a brute-force attack. In addition, the session that occurs after login is prone to hijacking. Fraudsters can also obtain passwords through phishing attacks, as long as users enter them immediately rather than storing them for later use.
Google has done a lot of work on hardware dongles called security keys (SKs). These keys protect users from threats such as phishing and man-in-the-middle (MitM) attacks by “binding cryptographic assertions to website origin and properties of the TLS connection,” according to a two-year study by the company.
The dongles are designed for the masses with an emphasis on privacy, security and usability. They interface with computers via a USB port. These devices are available from a range of vendors and typically cost between $6 and $18 per unit, far below the total cost of ownership of a smartcard solution. The actual hardware is interoperable and doesn’t greatly impact the overall system.
Of course, there is a catch: The webpage or other entity using the key must leverage a protocol to access the information and obtain cryptographic attestation. However, the protocol has been standardized by the Fast Identity Online (FIDO) Alliance as the Universal Second Factor (U2F). In addition, Google has open sourced a reference implementation of the standard.
Security keys are currently supported only by the Chrome browser and the login systems of certain web service providers such as Google, GitHub and Dropbox. More widespread adoption would increase their effectiveness.
The Future of Two-Factor Authentication
While potential methods such as sensor-based authentication have yet to impact the market due to hardware limitations and other obstacles, we are more likely to see a much-needed universal 2FA system emerge. Some critical systems even require it now, but those are special cases motivated by particular security needs. Unfortunately, the potential of 2FA will remain largely untapped until the masses demand it as part of their everyday computing.