How Secure is that additional login security?
Not a week goes by without a news story about some large scale data breach, cybercrime, ransomware, or high-profile target being hacked. Although we’re becoming savvier about the ways we keep our data and accounts secure, and service providers are making it harder for hackers, I still see a lot of bad practices and misconceptions about the quality of various security add-ons.
But, first a few definitions:
Username/Password - The ubiquitous username or email, plus a password you pick and may have to change every so often.
Security questions - The standard set of questions like your “Mother’s maiden name,” “Favorite color,” “First pet’s name,” etc.
SMS/Phone codes - A service texts or calls you to provide a code that you can enter in order to log in.
One Time Password - A standard dongle, hardware device, or phone application that displays a one-time code you can enter for access. These often include a ‘cheat sheet’ or special codes you can use once, in the event you can’t find the device.
Push Notification - Most often a mobile device application that asks for verification to allow you to log in.
Device Verification - A broad category spanning additional security that relies on identifying a specific device. It may take the form of a dongle you plug into your laptop or software designed to identify your laptop as your laptop.
Physical Identity - The traditional “Papers Please” form of identity verification. Usually done in person with a trusted individual (such as a Notary) examining the person in question and verifying their identity against a state-issued ID. But, increasingly—thanks to the ubiquity of webcams and conferencing software—this can be done over the web with a high degree of confidence.*
*This should not be confused with “calling the helpdesk.” The helpdesk has historically been a weak point in many security setups, but I won’t go into that today.
Now that we have a common understanding of the various security add-ons, it’s time to…
Think like a (lazy) hacker:
How well do additional factors help protect you? Well, the real question is, “how determined is the hacker who’s trying to get into your account?”
So, the first big question is…What am I trying to protect?
Is it something like a Netflix account? Here, I’m not at all concerned if someone happens to “hack” into my account. If anything, the security features are more to protect Netflix from me sharing my details with everyone I know. I’ll go so far as to freely admit to using the same Username/password combo across nearly all my streaming service accounts (the better to share with my family)
On the flip side, if I’m trying to protect my bank account, or a corporate money transfer system, that’s a completely different story.
If someone found credentials (for sale on the Dark Web) that granted access to my bank account and the only thing standing in the way of my money was a couple security questions, the hacker would be highly incentivized to do some googling to try and guess the answers (Ironically, my first pet was named “Password1234.”)
What about a phone-based code? Here, they’d have to try a bit harder. But, as some recent, high-profile cases have shown, it might be worthwhile to go the extra step of stealing my phone number via a cloned sim card.
“Cloning a sim card?” - Thanks to the widespread rise in shops that provide cell phone plans, there’s also been a rise in unscrupulous folks with access to the tools needed to switch out your phone carrier and/or phone. And, for the right price, they are more than willing to trick my cellular carrier into routing all calls and texts to the hacker’s phone.
Once they’ve done that, they can intercept the secret code meant for me. And, since they’ve stolen my phone number, I’m none the wiser. After all, I’m not getting any notice this is happening.
What about security tied to devices?
Here, the hacker is finally working at a real disadvantage. These devices have built-in security to prevent folks from copying or cloning the credentials they hold.
A “man in the middle” attack could be used to bypass the built-in security. This is where a hacker somehow gets me to log in to their evil website (pretending to be my bank) and they capture the key transmitted and pass it off to the real bank website, but this requires that I’m actively trying to do some banking.
Ditto with applications that perform a push notification. They use my login credentials to hit the bank site, then fool me into approving their login attempt, because I think it’s my login attempt that I’m approving, not theirs.
And then, we get to certificates. You can’t really do a “man in the middle” attack when a certificate is involved, because—long story short—your browser and your operating system are set-up to only give a certificate to the website for which it is assigned. This is also baked into the WebAuthN standard for authentication.
So, certificates are super secure because they’re tied to a specific device.
(Please for the love of copyright, credit Randall Munroe, aka XKCD)
But, as the cartoon illustrates, we’re also getting into fantasyland here. If a hacker is actually stalking you to steal your device… This is less “What factor is right for me?” and more “How many bodyguards do I need to hire?”
It’s worth mentioning that Google’s recently announced quantum computer might render those certificates crackable in just a few minutes…But, until hackers can buy one for less than a few hundred dollars, I wouldn’t worry about it.
Still, of all the additional security out there, anything that is tied to a specific device is going to be the most secure when it comes to the average hacker who most likely is plying their trade from another part of the globe.
Physical Security - This last factor is probably the kiss of death for a hacker. They’d have to show up in person, speak to an actual human being, and come up with a believable fake ID.
Let’s start with the familiar - The good ole username and password combo. This is still a great way to secure your account but it’s become less and less effective; partly because roughly 70% of us can’t be bothered to come up with unique passwords for all sites and services we use; partly because you type them in every time you log in, so there’s always a chance some hacker might intercept them.
And once someone nefarious has them, they’ll either use them or sell them to a hacker via the Dark Web.
Username + Password: B for security, B- for usability
Next up are security questions - As security factors go, these are pretty weak. A small amount of googling, checking Facebook profiles, or public records can determine the answers. They are also a pain to remember. And, it’s one more thing to type in order to access your account.
Security Questions: D for security, C for usability
Then there are text messages (or phone calls, where a computer-generated voice reads you a number). In addition to putting in your username and password, some services will send a single-use code to your phone that you can enter to log in. This definitely helps and has the added benefit of alerting you when someone who isn’t you tries to access your account. Plus, some devices (iOS for example), actually understand when you’re sent a code and offer to fill it out for you.
SMS/Phones: B+ for security, B- for usability
Then there are the dedicated, machine-based factors.
These range from security devices you plug into your computer, authentication applications like OneLogin Protect or Google Authenticator, or even secure certificates (essentially a secure key that’s been installed on a specific machine you used to log in.) These are very secure factors that are tied to a specific thing you own.
They also don’t get an A+ on usability because… well, what happens when you lose the device?
One Time Password: A for security, B- for usability
Push Notification: A for security, B for usability
Device Verification: A+ for security, A for usability
Then there’s the “ultimate factor” - Physically appearing in person (or via a web conference), before an actual human being, and providing concrete evidence that you are who you say you are in the form of a government-issued ID.
Terrifically secure! But, not even remotely user-friendly.
Physical Identity: A+ for security, D- for usability
One thing to consider with any of these additional factors is “What happens if I lose or forget them?” and this is where it’s good to consider alternate factors that can be used to recover from this situation.
Forgot your password? Use your email account or an authentication app to recover it.
Don’t have a trusted device handy? Username / password / email might be sufficient to get in.
Just remember, each of these backup mechanisms “increases your attack surface” - which is just security speak for “more ways into an account”
The most important additional security: Your habits
The good news is all of these additional factors can be paired with something called ‘behavioral analytics.’ Essentially, the system you’re authenticating against can monitor where you typically log in, what devices you use to log in, the time of day you typically log in, and—perhaps most importantly—what you’re trying to do.
If your risk profile is low…You’re logging in from home at 6 PM, same as you do everyday, and checking your account balance. Maybe asking for an additional factor is overkill. Heck, maybe asking for username and password is too much when a simple push notification asking “You want to log in?” is enough.
On the flip side, if suddenly someone is logging in from a foreign country, on a device they’ve never used before, at 4 in the morning, to transfer $100K…The system can simply say, “No. Call us and establish your identity with a web conference and a passport or driver’s license.” And, if that’s not possible, please wait until you can get back to a familiar location.”
Long story short:
- Security questions are a joke.
- SMS is fine… but, a determined hacker can bypass it.
- Hardware devices are pretty good. Although, a really determined hacker could trick you into providing it, or spearphish you into falling for a man-in-the-middle attack. And you better keep your device handy.
- Certificates—Good luck with that, hacker. At this point, you have to steal my device and unlock it. But, I better have my device on hand if I want to log in.
- Actually verifying your identity to a human is one of the best factors. But, it’s very expensive and should only be used as a factor of last resort.
- The future belongs to behavioral analytics paired with the right factors.