Interesting People mailing list archives

Two-factor authentication is a mess - The Verge


From: "Dave Farber" <farber () gmail com>
Date: Tue, 11 Jul 2017 16:43:10 -0400



Begin forwarded message:

From: Allan Davidson <alland () soundbytesradio com>
Subject: Two-factor authentication is a mess - The Verge
Date: July 11, 2017 at 4:24:33 PM EDT
To: Dave Farber <farber () gmail com>

Hi Dave,

Of possible interest for the list?

Best


Allan

https://www.theverge.com/2017/7/10/15946642/two-factor-authentication-online-security-mess

Two-factor authentication is a mess
It was supposed to be a one-stop security fix. What happened?

Russell Brandom <https://www.theverge.com/users/russell.brandom>, Jul 10, 2017, 9:26am EDT
For years, two-factor authentication has been the most important advice in personal cybersecurity — one that 
consumer tech companies were surprisingly slow to recognize. The movement seemed to coalesce in 2012, after 
journalist Mat Honan saw hackers compromise his Twitter, Amazon, and iCloud accounts, an incident he later detailed 
in Wired <https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/>. At the time, few companies offered easy 
forms of two-factor, leaving limited options for users worried about a Honan-style hack. The result was a massive 
public campaign that demanded that companies adopt the feature, presenting two-factor as a simple, effective way to 
block account takeovers.

Five years later, the advice is starting to wear thin. Nearly all major web services now provide some form of 
two-factor authentication, but they vary greatly in how well they protect accounts. Dedicated hackers have little 
problem bypassing the weaker implementations, either by intercepting codes or exploiting account-recovery 
systems. We talk about two-factor like aspirin — a uniform, all-purpose fix that’s straightforward to apply — but 
the reality is far more complex. The general framework still offers meaningful protection, but it’s time to be 
honest about its limits. In 2017, just having two-factor is no longer enough.

For much of the last five years, the center of the campaign for two-factor has been twofactorauth.org 
<http://twofactorauth.org/>, a site run by Carl Rosengren that’s dedicated to naming and shaming any product that 
doesn’t offer two-factor. At a glance, it can tell you which sites offer more than just a password login, and offers 
you an easy way to tweet at companies that don’t. Today, the site sends out hundreds of thousands of shaming tweets 
a day.

The campaign seems to have worked; nearly every company now offers some form of two-factor. Netflix is the biggest 
holdout — “I feel like I should buy a cake or something when that happens,” Rosengren says. Late adopters like 
Amazon and BitBucket have caved to demands, and every single VPN or cryptocurrency product listed by the site offers 
two-factor. The only email services without it are obscure players like Migadu and Mail.com <http://mail.com/>. 
There are still a few problem sectors like airlines and banks, but most services have gotten the message: consumers 
want two-factor. If you don’t offer it, they’ll find a service that does.

But victory has been messier than anyone expected. There are dozens of different varieties of two-factor now, 
expanding far beyond the site’s ability to catalog them. Some send verification codes over SMS text, while others 
use email or more hardened verification apps like Duo and Google Auth. For $18, you can get a special USB drive to 
serve as your second factor, supported by most major services. It’s one of the most secure options available, as 
long as you don’t lose it. Beyond hardware, services can deposit long strings of code that provide an effectively 
invisible second factor — provided no one intercepts it in transit. Some of these methods are easier to hack than 
others, but even sophisticated users often can’t tell you which is better. For a while, TwoFactorAuth tried to keep 
up with which services were better or worse. Eventually, there were just too many.

“If it’s hard for us to evaluate the hundreds of two-factor services,” Rosengren says, “I can’t begin to imagine how 
hard it would be for a consumer.”

The promise of two-factor began to unravel early on. By 2014, criminals targeting Bitcoin services were finding ways 
around the extra security, either by intercepting software tokens 
<https://www.theverge.com/2014/2/7/5386222/a-string-of-thefts-hit-coinbase-bitcoins-most-reputable-wallet-service> 
or more elaborate account-recovery schemes. In some cases, attackers went after phone carrier accounts directly 
<https://www.theverge.com/a/anatomy-of-a-hack>, setting up last-minute call-forwarding arrangements to intercept 
codes in transit. Drawn by the possibility of thousand-dollar payouts, criminals were willing to go further than the 
average hacker. The attacks continue to be a real issue for Bitcoin users: just last month, entrepreneur Cody Brown 
lost $8,000 through a Verizon customer support hack 
<https://medium.com/@CodyBrown/how-to-lose-8k-worth-of-bitcoin-in-15-minutes-with-verizon-and-coinbase-com-ba75fb8d0bac>.

Outside of Bitcoin, it’s become clear that most two-factor systems don’t stand up against sophisticated users. 
Documents published this month by The Intercept show Russian groups targeting US election officials had a ready-made 
plan for accounts with two-factor 
<https://theintercept.com/2017/06/05/top-secret-nsa-report-details-russian-hacking-effort-days-before-2016-election/>, 
harvesting confirmation codes using the same methods they used to grab passwords. In another case 
<https://nadim.computer/2017/05/27/facebook-authentication.html> reported by Cryptocat founder Nadim Kobeissi, a 
maliciously registered device let attackers break through a target’s two-factor protection even after the system had 
been reset.

Not all two-factor is created equal. Here’s a rundown of which varieties are better, and which should be avoided 
altogether.
Best
The most secure form of two-factor is a hardware token. The most popular is the Yubikey 
<https://www.yubico.com/product/fido-u2f-security-key/?gclid=CIWxmpjH9dQCFdVKDQod0r8FYw>, which works for Google, 
Facebook, and a bunch of other major services. Thanks to the FIDO spec 
<https://www.theverge.com/2014/4/15/5613704/the-plot-to-kill-the-password>, it can’t be spoofed even if you stick it 
in the wrong computer.
Good Enough
If you don’t want to shell out for a security key, your best bet is a dedicated app like Authy or Google 
Authenticator. They can sometimes have account reset issues, but they’re an easy way to get most of the protection 
two-factor has to offer.
Avoid
SMS has been at the center of a lot of two-factor hacks, most recently as a way to hijack Telegram accounts in Iran 
<http://www.reuters.com/article/us-iran-cyber-telegram-exclusive-idUSKCN10D1AM>. High-security accounts are already 
moving away from it, but a frightening number of services still keep it as an option, giving anyone who compromises 
your carrier account an easy way in.
In most cases, the problem isn’t two-factor itself, but everything around it. If you can break through anything next 
to that two-factor login — whether it’s the account-recovery process, trusted devices, or the underlying carrier 
account — then you’re home free.

Two-factor’s trickiest weak point? Wireless carriers. If you can compromise the AT&T, Verizon, or T-Mobile account 
that supports a person’s phone number, you can usually hijack any call or text that’s sent to them. For mobile apps 
like Signal, which are tied entirely to a given phone number, it can be enough to hijack the entire account 
<https://carpeaqua.com/2017/07/07/hack-the-planet/>. At the same time, carriers have been among the slowest to adopt 
two-factor, with most preferring easily bypassed PINs or even flimsier security questions. With two networks 
controlling the bulk of the market, there’s been little incentive to compete on security.

At the same time, it’s proven difficult to kill off particular types of two-factor even after they’re shown to be 
insecure. The National Institute of Standards and Technology quietly withdrew support for SMS-based two-factor in 
August <https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html>, pointing to the risk of interception 
or spoofing, but tech companies have been slow to respond. If anything, services are relying more on SMS as Twitter 
and PayPal look to tie accounts more closely to phone numbers. It’s less secure, but easier to use. As long as it’s 
two-factor, few account holders know the difference.

“We’ve seen a check-box approach,” says Marc Boroditsky, who builds two-factor systems for third-party companies at 
Twilio, “saying ‘now we have two-factor authentication so we’re okay. Move on.’”

The rush to check that box has led to usability problems as well as security problems. Boroditsky points to Apple’s 
iCloud system, which came under fire after easily guessed account-recovery questions enabled the mass theft of nude 
photos in 2014 
<https://www.theverge.com/2014/9/2/6099307/celebgate-attack-leaks-nude-photos-of-more-than-100-celebrities>. 
Meanwhile, under a recent Apple policy, losing your Recovery Key and forgetting your password was enough to 
permanently lock a user out of their AppleID account, something that caused real problems for some users 
<http://www.macworld.com/article/3099208/security/tune-up-your-two-step-recovery-key.html>.

In some ways, the two problems feed into each other, with publicized hacks inspiring tighter and harder-to-use 
policies that drive more users back to standard logins, thus inspiring more hacks. “Look at how complicated and 
messy it is for, say, Apple,” Boroditsky says. “If they don’t take a much more comprehensive approach, they end up 
becoming responsible for downstream consequences.” (Apple did not respond to a request for comment.)

Google is one of the few services that lets you actively disallow weaker tokens like SMS, although it’s only 
available for G Suite enterprise customers. Under that system, an admin can set the two-factor policy for their 
whole organization, banning insecure tokens or forcing all the users on a given domain to use a specific login 
method. But that only works when there’s an administrator to set policies and talk users through any resulting 
problems. It’s not clear how you make a policy like that work for the billion people using standard Gmail — and so 
far, Google hasn’t been eager to try it out.

“One of the truths we’ve found is that people won’t accept more security than they think they need,” says Mark 
Risher, who manages Google’s identity systems, including two-factor products. “As a large-scale consumer internet 
provider, we want to find that right balance.”

None of this means two-factor is pointless, but it isn’t the silver bullet that it seemed to be in 2012. Adding an 
authentication code hardens the login page, but smart attackers will just find another angle of approach, whether 
it’s a carrier account, a preregistered device, or just a customer service department that’s a little too eager to 
reset the password. Those weak points are the real measure of how secure an account is, but they’re impossible to 
spot from the outside. The result is that, if you’re looking for the chat app that’s hardest to hijack, it’s hard 
for even sophisticated users to know what to look for.

As the industry moves beyond two-factor, security is only getting harder to size up. The new focus is on threat 
detection, drawing on dozens of ambient signals like device fingerprinting and on-page behavior to determine whether 
a given login warrants extra scrutiny. A suspicious enough string of logins might trigger an account freeze or 
require a phone call to customer service before the subject can proceed. “The problem is that one-size-fits-all 
doesn’t work,” says Boroditsky. “So going to a detection-vs.-prevention model is more likely to succeed in the long 
run.” It’s a good way to catch criminals, particularly for companies like Facebook and Google with world-class 
machine learning divisions and oceans of data for training algorithms, but it’s nearly impossible to judge from the 
outside.

The result pushes users back to an old status quo, before the iPhone or even the internet: enterprise admins are 
outgunning consumer offerings again, and security is something to be entrusted to experts in a lab somewhere. It’s 
not bad news, necessarily: threat detection makes accounts safer, just like two-factor. But unlike two-factor, 
there’s no way for users to tell if the system is working or if there’s a stronger system to push for.

That shift leaves users in a difficult place. “Get two-factor” is still good advice, but it’s not enough. Worse, 
it’s not clear how to fill the gap. What do you tell someone who’s worried about seeing the contents of their inbox 
published on WikiLeaks? There’s no simple fix for such a threat, no one step that will keep you protected. The 
surprising thing is that, for a few years, it seemed like there was.
