Interesting People mailing list archives

Lauren's Blog: "Biting the Bullet: It's Time to Require 2-Factor Verified Logins"


From: "Dave Farber" <farber () gmail com>
Date: Thu, 5 Jan 2017 14:03:32 -0500
Begin forwarded message:

From: Lauren Weinstein <lauren () vortex com>
Date: January 5, 2017 at 1:55:30 PM EST
To: nnsquad () nnsquad org
Subject: [ NNSquad ] Lauren's Blog: "Biting the Bullet: It's Time to Require 2-Factor Verified Logins"


     Biting the Bullet: It's Time to Require 2-Factor Verified Logins

https://lauren.vortex.com/2017/01/05/biting-the-bullet-its-time-to-require-2-factor-verified-logins


For years now, security and privacy professionals -- myself 
included -- have been urging the use of 2-factor authentication (aka 2sv,
2-step authentication, 2fa, multiple factor, etc.) systems for logging
into Web and other computer-based portals. Regardless of the name,
these authentication systems all leverage the same basic principle --
to gain access requires "something you know" and "something you 
have" -- broadly defined. (And by the way, the inane and insecure 
concept of "security questions" doesn't satisfy the latter category!)

The fundamental point is that these systems require the provision of
additional information beyond the traditional username and password
pair that have long demonstrated their frail natures as used by most
persons.

Even if you don't engage in notably bad password practices like
sharing them among sites or laughingly weak password choices,
usernames and passwords alone are incredibly vulnerable to basic
phishing attacks that attempt to convince you to enter these
credentials into (often very convincing) faked login pages.
( https://www.youtube.com/watch?v=a6iW-8xPw3k )

The lack of widespread adoption of 2-factor systems has been the gift
that keeps on giving to crooks, scam artists, Russian dictators, and a
long list of other lowlife scum. The result has been what seems like
almost daily reports of system penetrations and data thefts.

Are 2-factor systems foolproof? No. There are a wide range of
technologies and methodologies that can be used to implement these
systems, and they vary significantly in theoretical and practical
security effectiveness. But despite some critics, they all share one
thing in common -- they're all much better than just a bare username
and password alone!

Choices for 2-factor systems include text messages, automated voice
calls, standalone authentication apps and devices, USB/NFC (e.g. FIDO
U2F) crypto keys, and even printable key codes. And more.

With all of these choices, why is there so comparatively little uptake
of 2-factor systems in the consumer sphere (in the corporate sphere
there has been more, but not nearly enough there either)?

Why don't most users take advantage of 2-factor systems? There are two
primary, interrelated reasons.

First is the psychology of the problem. Most people just don't believe
in their gut that a breach is going to happen to them -- they feel
it's always going to be someone else. They just don't want to "hassle"
with anything additional to protect themselves, no matter how
frequently we urge the use of 2-factor.

It's much the same kind of "it won't be me" reasoning that leads most
people to not appropriately back up the data on their home (or often
their office) systems.

Of course, once their account is breached or their disk crashes, they
suddenly care very deeply about these issues, and people like me get
those 3 AM calls where we have to bite our tongues to avoid saying
"Well, I told you so."

However, it would be unfair to blame the users entirely in this
context, because -- truth be told -- many 2-factor implementations
suck (that's a computer science technical term, by the way) and are
indeed a genuine hassle to use.

Some require the use of text messages (not everyone has a text message
capable phone, as the Social Security Administration learned in their
incompetent recent aborted attempt to require 2-factor
authentication). Some require that you receive a new authentication
token every time you log in (overkill for most ordinary consumers) --
rather than remembering that a given device has already been
authenticated for a span of time. Some are slow. Some are buggy. Some
screw up and lock users out of their accounts.

The bottom line is that a lousy 2-factor system is going to drive
users batty.

But that's not an excuse, because it is possible to do 2-factor in a
correct and user-friendly manner, with appropriate choices for
consumer and business/organization requirements.

By far the best 2-factor implementation I know of is Google's. Their
world class privacy/security teams have for years now been deploying
2-factor with the full range of choices and options I noted above.
This is the way it should be done.
( https://plus.google.com/+LaurenWeinstein/posts/avKcX7QmASi )

Yet even Google has to deal with the "it won't happen to me" mindset
syndrome on the part of users.

This is why I am now convinced that at least the major Web firms must
begin moving gradually toward the mandatory use of 2-factor methods
for users accessing these sites.

Just as responsible websites won't permit a user to create an account
without a password, and many attempt to prevent users from selecting
incredibly weak passwords, we must start the process of requiring
2-factor use on a routine basis, both for the protection of users and
of the companies that are serving them -- and for the protection of
society in a broader sense as well. We can no longer permit this to be
simply an optional offering that vast numbers of users ignore.

This will indeed be a painful bullet to bite in some important
respects. Doing 2-factor properly isn't cheap, but it isn't rocket
science either. High quality commercial, proprietary, and open source
solutions all exist. User education will be critical. There will be
some user backlash to be sure. Poor quality 2-factor systems will need
to be upgraded on a priority basis before the process of requiring
2-factor use can even begin.

It's significant work, but if we care about our users (and
stockholders!) we can no longer keep kicking this can down the road.

The sorry state of most user authentication systems that don't employ
2-factor has been a bonanza for all manner of crooks and hackers, both
for the ones "only" seeking financial gain and for the ones seeking to
undermine democratic processes.

The deployment and required use of quality 2-factor systems won't
completely seal the door against these evil forces, but will
definitely make their tasks significantly more difficult.

We can no longer accept anything less.

--Lauren--
REPORT Fake News Here! - https://factsquad.com
CRUSHING the Internet Liars - https://vortex.com/crush-net-liars
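As an added illustration of the post's "remember that a given device has already been authenticated" point (example code, not from the post or from any product it mentions): a login gate that requires the password plus an authenticator-app TOTP code, then issues a signed, expiring device-trust token so the second factor is not demanded on every login. The TOTP secret is the RFC 6238 test-vector secret; the device signing key, user names and 30-day window are constructed values.

```python
import hashlib
import hmac
import struct
from typing import Optional, Tuple

# Constructed demo values: the RFC 6238 test-vector seed and a server-side signing key.
TOTP_SECRET = b"12345678901234567890"
DEVICE_KEY = b"constructed-server-side-key-for-device-tokens"
TRUST_SECONDS = 30 * 24 * 3600          # remember a device for 30 days


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamically truncated."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def issue_device_token(user: str, now: int) -> str:
    """Issue a signed 'this device already passed 2-factor' token with an expiry."""
    payload = f"{user}:{now + TRUST_SECONDS}"
    sig = hmac.new(DEVICE_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{sig}"


def device_trusted(token: str, user: str, now: int) -> bool:
    """Accept the token only if its signature verifies, it names this user, and it is unexpired."""
    try:
        tok_user, expiry, sig = token.split(":")
    except ValueError:
        return False
    payload = f"{tok_user}:{expiry}"
    expected = hmac.new(DEVICE_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, expected) and tok_user == user and now < int(expiry)


def login(user: str, password_ok: bool, code: Optional[str],
          device_token: Optional[str], now: int) -> Tuple[bool, Optional[str]]:
    """Returns (granted, device_token). The password alone is never enough."""
    if not password_ok:
        return False, None
    if device_token and device_trusted(device_token, user, now):
        return True, device_token               # second factor already satisfied on this device
    if code is None or not hmac.compare_digest(code, totp(TOTP_SECRET, now)):
        return False, None                      # prompt for the authenticator code
    return True, issue_device_token(user, now)  # remember this device for TRUST_SECONDS
```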