LinkedIn is the latest in a long line of high profile Internet services companies to offer two-factor authentication to its user base, joining Twitter, Evernote, Gmail and myriad others. And much like those other services, the move to a stronger form authentication is a reactionary one, coming on the heels of a hack that resulted in the leaking of more than six million passwords just about a year ago.
Inevitable and probably long overdue, two-factor authentication does indeed bolster the security of user accounts and reduce the scale of future attacks against a service, but there is a trade-off in convenience and usability. None of these services will provide an accurate count of how many are actually using what is in most cases a SMS-based PIN as a second form of authentication, because the number is likely relatively low.
“There has to be a balance of how to make it more secure and still easy to use,” said Jamie Cowper, senior director, NokNok Labs, a fledgling authentication company whose CEO Phil Dunkelberger is a founding member of the FIDO Alliance. “SMS ticks the box. It’s the most frictionless way to do this. Most users have a smartphone or a cell phone capable of SMS delivery. It’s something where you don’t have to do a lot of user training.”
While two-factor authentication via hardware tokens or SMS PINs may be a way of life in some corporate settings such as financial services or government agencies, consumers in the U.S. especially have lagged behind. Most UK online banking customers, for example, must use a second form of authentication for certain high-value transactions or if they’re adding a new payee to their accounts.
“Users will absolutely ignore everything they possibly can to make it easier, faster and simpler,” said Michael Sprague, Wave Systems’ VP of web services. “You can tell them to use long, strong passwords, but if you don’t force them to, you will end up with a password called ‘password.'”
Two-factor authentication is not immune from attack either. Hackers have successfully circumvented SMS PINs for some time, the most notable via man-in-the-middle attacks on mobile devices. Zeus in the mobile, or Zitmo, has been a nuisance for some time, especially in Europe, as has the Ramnit malware family.
A Zitmo variant known as Eurograbber was detected in December by Check Point researchers and had already stolen 36 million Euros. Users are lured via a phishing message to install the malware which activate the next time a user logs on to their online bank account. Zitmo injects javascript into their browser that instructs them to supply their mobile number and install a supposed security upgrade that enables the attacker to intercept SMS Transaction Authentication Numbers (TAN) used to access accounts and transactions.
Ramnit too steals one-time passwords, but it redirects them to a money mule, who completes the malicious transaction on the criminal’s behalf.
“You have to sway the consumer with as little friction as possible so that the service is still worth their while,” Cowper said. “You can’t ask people to jump through hoops the way a corporation would. A the end of the day, the web services’ business model can’t support it if people are not logging in.”
Twitter’s decision to deploy two-factor authentication grabbed attention because it came on the heels of a number of high-profile account compromises, most notably an attack on the Associated Press’ Twitter account, reportedly by the Syrian Electronic Army. The SEA sent out a number of hoax tweets about President Obama being injured in explosions near the White House that sent the U.S. stock market temporarily in a downward spiral. In corporate settings where social networks such as Twitter and Facebook are important marketing tools, these accounts are often shared, making two-factor authentication a clumsy option in these cases. Experts expect Twitter to address this issue with some sort of management console or professional account, but the scenario demonstrates a weakness in two-factor that relies on authentication of the user, rather than a device, for example.
The Trusted Computing Group which manages the Trusted Platform Module Working Group is a proponent of hardware-based security such as the TPM which is present in Google’s Chromebook, as well as Windows 7 and Windows 8 computers, but hasn’t enjoyed mainstream adoption. TPM is a chip-based security model that uses cryptographic hashes to determine if there have been any changes made to the kernel and operating system pre-boot, and if so, will return to a previously known good version of the system.
“One reason protecting against boot-level attacks is so important is that if your BIOS or pre-boot environment is infected, no matter what you do to clean it up, things that get that low into pre-boot can re-infect you at any time and nothing the OS level does to clean that up can protect you,” Ari Singer of the TCG told Threatpost. “You will be re-infected every single time. It’s a way for an attacker to get a persistent attack on machine. Typically, this is very difficult to detect.”
Wave Systems’ Sprague said that hesitancy to rely on TPM stems from a basic perception that a PC must be an anonymous, programmable tool, rather than a conduit to the majority of services people access.
“One of the angles we’ve been surprised no one picks up on is the very computer you’re sitting at can be considered a second factor. If you look at other services and networks like cable TV where your cable box has an identity and that’s the thing service is delivered to. With your PC, identity tied to the user,” Sprague said. “With cable, you don’t need a SMS to change the channel, it knows you have HBO.”