Got your NUDE SELFIES in the cloud? Two-factor auth's your best bet for securing them
Infosec made simple: 2FA, its good points and bad points
Bill Gates in 2004 predicted the death of the password over time. “They just don’t meet the challenge for anything you really want to secure,” Gates said.
Ten years on, passwords haven’t gone anywhere and as the recent nude-celeb-pics-on-iCloud proved, the medium is still not up to muster yet is in widespread use in scenarios that didn't even exist when Gates was talking.
At this point, the naked celebs story looks like it was a case of human error – setting passwords that were relatively easy to break – as much as the technology itself being breakable.
In the wake of password breaches it becomes a scramble to remember which passwords you used on what sites. Humans are not programmed to remember super complex passwords of gibberish! Some less security-conscious people may resort to the trick of adding a 1 or a 0 to the password come renewal time.
Rather than blame the users, one could look at the length of password and argue that reuse is understandable, if not excusable. You were clever and kept a spreadsheet right? That in itself is an epic failure of basic security.
“There has to be an easier way?” I hear you scream. Yes, there is.
Two-factor authentication (TFA) was shoved into the spotlight by the naked-celebs story not least because Apple claimed iCloud already employed this technique, as we noted here, though, don’t let that put you off TFA – Apple wasn’t being entirely straightforward about the need for TFA on its cloud.
The fact remains, TFA remains a strong option for securing your web activities.
TFA for dummies – an overview
Simply put, TFA is based around the premise of using something you know – a password – and something you own – like a smartphone or the hardware token that some banks provide to users to gain access. TFA is perhaps the simplest method of attacking the password problem.
When both parts of the password and token information are paired together they give you a unique key that allows access to the device or resource in question. The system can be fairly sure that the person is who they say they are. The only downside, other than forgetting your phone or it having a flat battery is the question of what is supported. Any services you want to use will need to support TFA and also the type of TFA you want to use.
There are several variations to choose from. Interchangeable it is not. This is not such a problem for large companies with established IT services and established centralised management, as well as the will and means to add relatively expensive security infrastructure.
TFA is also widely used to secure VPN access and the devices inside a network going over the internet. On the individual level for securing mildly important stuff such as e-mail, Google and Microsoft provide TFA for a number of their services, including e-mail and it works well for the most part. You can even install TFA onto your Ubuntu box and use Google's TFA application if you wish.
So which firms use this neat security tech, then?
So, which web-based services support TFA? Sadly, the answer is not many. Usage tends to be grouped into a few enterprises based around high risk or high cost, or both. Providers include many familiar companies including PayPal, banking sites, stock trading houses and, oddly enough, DHL. Even Dropbox are getting in on the act. The cost of such keys range from £25 to £60 depending on the provider.
Selfies: all good until someone unauthorised gets their hands on them
For the provider there’s the cost of purchasing and licensing tokens, distributing tokens and – in the case of some banks – readers for smart card, pin-pad and biometric entry, and support costs of enrolling customers into schemes and then providing support to those signed up.
The cost factor is being tackled and a lot of cloud and infrastructure providers are starting to furnish users with hardware or downloadable soft tokens. Yubikey, for example, is offering inexpensive keys that can be reprogrammed to support any TFA scheme. ByteMark now offers TFA to their customers as the cost is now small enough to secure an account against compromise when compared to the potential cost of cleaning up after a compromise, as well as any associated chargeback.
The use of smart phones as TFA devices as an alternative to dedicated readers reduces the cost to the service provider compared to proving users with hardware tokens that cost a fortune - especially if you're talking about hundreds of them. Hardware tokens are proving so expensive that even huge Fortune 500s are migrating across to soft tokens, especially after the RSA compromise of 2011. Software tokens are easy to update compared to the hardware based alternatives.
Don't confuse TFA with an infosec magic bullet
But hold on. TFA may make you more secure but it doesn’t mitigate all the risk. Hackers have breached several banks TFA schemes. Admittedly this is done by means other than direct manipulation of the token as well as compromising of smart phones used as soft token
There are other issues, too.
TFA is not a guarantee against having your data slurped. Hackers have at least three techniques that can sidestep TFA.
There’s “man in the middle” - with hackers putting up fake sites that raid the real site once the user has signed in – “man in the browser”, infecting the client’s browser with malware and then injecting HTML into a web page that captures information from the browser’s memory – and there are Trojans, where the hacker piggybacks into a user’s account from an authenticated session.
There are other options available and hard and soft tokens are not the only authentication option.
Other alternatives to the basic passwords include the use of biometric data as a form of token, such as fingerprints, that are becoming increasingly common in mobile devices and phones. These can be paired with a TPM module to enable you to login to your laptop for example.
To my mind there are two issues with the digit. First, it has been proved this security method can be easily fooled with a lifted fingerprint or even what one could term a replay attack, the gummi bear attack. When I played with biometrics for my laptop, it would only work perhaps one in three times.
A lot of the larger data centres now use a combination of biometric data – usually a finger pint - and access card for access. Doing this means that should you lose your access card on a boozy Friday night, no one can just swipe in and make off with some physical bits of your cloud! The something you have aspect of TFA reduces the risk for everyone. We haven’t seen the combination of biometric data and access card used anywhere yet on a PC or to get into a web site.
Neither is biometric widely used: only a handful of laptops use finger prints to get the user in. Less, so web sites.
Another option starting to emerge is authentication-as-a-service. Software-based authentication can be useful. Several sites claim to provide strong security using encryption keys. Many people use them every day without issue, most of the time. A lot of people give software-based-authentication stores a bad reputation. Should the login key be compromised, all your stuff is laid bare and your passwords are “out there”. I use Passeto, a system that lets you generate a secure password for every site and it records nothing. But it’s early days for online services.
At the end of the day, the best security is a balancing act between securing the information and ease of use. It is a difficult balance, but one thing is for sure, passwords as we know them are most certainly on borrowed time. TFA is a solution to a narrowly defined problem at present and subject to what is essentially a catch-22 situation with regards to the wider web.
People will not use the system until it is easy to use (think granny level of ease) and works across a big slice of the internet. Site owners won’t invest in technology until people use it extensively. This is unfortunate because in one step the whole web would become just that bit safer. It’s the chicken and egg scenario.
The password isn’t going away and neither are the humans who use them. Given those facts, the best approach is to log on but verify – use passwords with authentication, courtesy of TFA. ®