Why Two Factor Authentication Isn't Great
Two Factor Authentication (2FA), also known as Multi Factor Authentication (MFA), is a form of authentication that uses more than one secret - each secret independent of the others - in the process of authenticating.
I’m writing this to collect and organize my thoughts on this, as well as the thoughts others have had on the subject. It seems like every time the security of an account is discussed, Two Factor Authentication (2FA) is brought up, even in the cases where it will provide absolutely no help whatsoever. I'll state now that this is a rough draft, more me dumping my thoughts into words than a finished piece.
Feel-Goodery is on the rise
I’m starting with this because this seems to be an emotionally driven discussion for people. Those presenting counter arguments are often downvoted and ridiculed - not ridiculed with sound argument, but out of this desire for feel-goodery - as if someone is insulted to be told things.
I actually use 2FA on a lot of accounts. I just think it’s an extra little piece of security that works well in only limited circumstances, and I have no illusions about how it can be subverted.
The hardest part about having this discussion is properly defining 2FA. There are literally hundreds of ways of doing it, each with its own positive and negative attributes. When people throw out the term 2FA, we can’t tell what they’re talking about.
I found the easiest way to understand this is to understand the process of authentication. Authentication is the means by which a server determines that YOU are the person who should have access to whatever is being protected. Traditionally this is done with a username (the account being accessed) and a password (the secret that you and the server both know - proving it is you).
2FA adds an additional factor - best looked at as an additional secret - that is independent of this existing verification. There are hundreds of methods for this, but the popular ones seem to be:
SMS Text Message with a secret code that you must present to authenticate
OTP (One Time Password), which is done with a token that shows you a number that changes every 30 seconds
Hardware Key which requires you to physically have an object to authenticate
App Approval, which is just getting a notification on your phone and approving or rejecting it
2FA is NOT a second password or anything like that. The idea is that each factor is independent of the others.
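As an added illustration of the OTP item above (not code from the original post): the TOTP scheme behind those 30-second codes, written in Go, together with the server-side check that a site would run. The secret is the RFC 6238 test-vector key used as a constructed demo value, and the function names are this example's own.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"time"
)

// Constructed demo secret (not a real one): the RFC 6238 test key "12345678901234567890" in base32, as an app gets it from a QR code.
const demoSecretB32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
const stepSeconds = 30 // the "changes every 30 seconds" window

// hotp implements RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated to 6 digits.
func hotp(secret []byte, counter uint64) string {
	msg := binary.BigEndian.AppendUint64(nil, counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg)
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// totp implements RFC 6238: the counter is the number of 30-second steps since the Unix epoch,
// so token and server derive the same code from nothing but the shared secret and the clock.
func totp(secret []byte, unixTime int64) string {
	return hotp(secret, uint64(unixTime/stepSeconds))
}

// verifyTOTP is the server-side check: one step of clock drift either way is tolerated and the
// comparison is constant-time. The server must hold the same secret as the token, so a breach of
// that store exposes the second factor along with the password hashes.
func verifyTOTP(secret []byte, submitted string, unixTime int64) bool {
	for drift := int64(-1); drift <= 1; drift++ {
		if hmac.Equal([]byte(totp(secret, unixTime+drift*stepSeconds)), []byte(submitted)) {
			return true
		}
	}
	return false
}

func main() {
	secret, _ := base32.StdEncoding.DecodeString(demoSecretB32)
	now := time.Now().Unix()
	code := totp(secret, now)
	fmt.Println("code:", code, "accepted:", verifyTOTP(secret, code, now))
}
```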
On the surface 2FA sounds like a really good idea. If someone were to get your login and password, well, they can’t get into your account unless they also have the second factor (which you control). It is very convincing, but it's also a poor way of looking at things. Banks and big businesses look at security from the perspective of threat models.
You can’t just think of it as a good idea because it sounds like one. You need to think about how one actually breaches an account. It’s not like poof, someone has your login and password - even though it may feel like that as an end user. They were able to obtain your login and password by some means, and that means is what’s important.
Threat modelling is looking at reality and figuring out how best to work with it, rather than taking some abstract idea that sounds good. You’re trying to determine the means of attack. Whereas 2FA seems to be the universal reflex advice for "poof, someone has your password".
When you start to have discussions about 2FA and ask what attack we are trying to prevent, you can finally start to get somewhere in understanding where it may work well and where it may not work at all.
A very common attack people bring up is the notion of a keylogger. This could be malicious software (malware), or it could be someone who has access to your computer. The point is that your keystrokes are being recorded and someone gets to see them - exposing your password (secret). With 2FA they still can’t get in.
The reality of this scenario is that your computer is compromised. Someone can pretty much do what they want within the constraints of the software. A keylogger is really a very benign piece of software when you consider how far they can take it and the variety of more advanced software out there. They could just take over your session - while you’re logged in. They could compile detailed information about you, which may be enough to reset the account (resetting an account also resets your 2FA).
Another scenario people use is a website getting hacked and data, like passwords, being breached. If the hackers try to log in to your account, they’ll be unable to.
This is an interesting scenario for a variety of reasons. Any website worth anything will store your password as a salted hash. The idea that the passwords are stored in plain text, or that a hacker would be able to have near immediate access to them, is highly unlikely. It should take thousands of years to crack, at a minimum. All your important websites (banking) should fall into this category.
If we were to assume the scenario where passwords were easily compromised, 2FA could protect you - if you ignore the fact that the system itself is compromised. A hacker could have altered the system, reset details of accounts, or whatever (who knows). The idea that a compromised system is capable of keeping your data secure while at the same time being compromised is silly.
This also ignores the notion that passwords should not be so easily compromised. If passwords are stored as plain hashes and vulnerable to a rainbow table attack, or salted hashes are compromised quickly, the security of the server is garbage and it won’t matter whether you have 2FA or not.
I could go on with examples, but inevitably you’re going to find the same sort of situation arising. There’s always something compromised that provides the vulnerability, which leads to vulnerability of the second factor itself. When a password is poof found, 2FA makes a lot of sense, but when you get into the nitty gritty of how the password was acquired, you realize the weakness lies elsewhere. I suppose 2FA works well against someone guessing your password, but statistically I’d be more concerned with my laptop catching fire and burning me to death. Also, if you use the same password at each site and one is compromised, you have a problem - but you don’t need 2FA to fix that one.
Lastly, you may not have heard of 2FA-protected accounts being breached. But really, how often do we hear about breaches at all? The truth is that many hacks are hacks of opportunity. All that means is that there was an open door and someone took it. Focused attacks are really uncommon.
The idea of someone hacking your online bank account is sort of funny. It’s not like your account has a button on it to empty the account and send the money directly to the hacker. With mine, they can pay bills to reputable businesses. They can send an email money transfer, which requires a legit bank on the other end. They can transfer money between linked banks (which are mine - adding others takes business days and a legit bank account). Honestly, there isn’t a lot to gain because the scope is limited and tracked.
What are some things where a hacker could safely and anonymously profit? Bitcoin. I recommend checking out the Bitcoin discussions on reddit and various forums. You can hear all the stories of people who had all their money stolen from 2FA accounts. It’ll blow your mind.
The Long-term issue with 2FA
It seems like many people live in a myopic bubble when it comes to the way they look at things. Me me me. When a bank is looking at security, they’re thinking about it for the masses. 2FA might sound like the greatest thing ever to you. You may know how to use it properly and have very measured expectations of it. The reality to a bank is: how many people are going to use it? How many people are going to like it? How many people are going to get pissed off? And how many people are going to be locked out?
You’re probably thinking, so what? A little annoyance and a lockout still result in secure accounts. Very true, but this is a big picture item. A system that users HATE, or that inconveniences them, inevitably becomes softened in some way.
The one big softening I see, if 2FA becomes mandatory at a bank, is that resetting an account (which resets 2FA) will become very easy. You can’t just think of yourself. I think of my mom. I think about how, when she struggles with this, she’ll be forced to call up, reset, and poof - an open account.
If she can call up and easily reset her account (just like every basic user should be able to do), then what is stopping a would-be hacker from calling up? I think today of how little information I need to present to get my account reset. At some places all I need is my name, address and date of birth. Others might ask me for a few transactions. Or your mother's maiden name. Imagine that, except more convenient.
The challenges that exist with security need to be understood. All the various forms of security have pros and cons. 2FA has pros and cons. The various types of 2FA have pros and cons. All these pros and cons need to be weighed against the reality of a user base and how much they’re willing to deal with.
In Canada, people really hate on the banks, constantly, about how they don’t have 2FA. I’ve pointed out many times that I could give people my username and password to all my banks and credit cards and they wouldn’t get into any of them. The main reason is security questions. Again, pros and cons. Types of questions have pros and cons. I don’t really see the need to devise a brand new system when the current one works, is 100% in play, and is what most people are used to.
Did you know that, today, we have the capability of authenticating with a server without ever sending a password and without the server ever storing information about your password? Wild, right? Even if the server were breached, a hacker would be no closer to gaining your password. It’s known as asymmetric cryptography. Why don’t we use that? Well, pros and cons. In fact, when you look at the mass of users, the cons are huge.
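An added example, not part of the original post, of the password-less login the paragraph describes, using Ed25519 from Go's standard library: the server enrols only a public key and later checks a signature over a fresh challenge, so its database holds nothing a breach could replay. The server name bank.example, the userRecord type and the challenge layout are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// userRecord is all the server stores per user: a public key, which verifies signatures but cannot be used to log in.
type userRecord struct{ PublicKey ed25519.PublicKey }

// newChallenge builds "<serverName>\x00<8-byte unix time><32 random bytes>"; binding the server name means a challenge fetched through a look-alike site will not verify here.
func newChallenge(serverName string, now int64) ([]byte, error) {
	c := append([]byte(serverName), 0)
	c = binary.BigEndian.AppendUint64(c, uint64(now))
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(c, nonce...), nil
}

// serverVerify accepts the login only if the challenge is ours, still fresh, and signed by the stored public key (single-use nonce tracking omitted).
func serverVerify(rec userRecord, serverName string, challenge, sig []byte, now, maxAge int64) error {
	prefix := append([]byte(serverName), 0)
	if len(challenge) != len(prefix)+8+32 || string(challenge[:len(prefix)]) != string(prefix) {
		return errors.New("challenge was not issued by this server")
	}
	issued := int64(binary.BigEndian.Uint64(challenge[len(prefix):]))
	if issued > now || now-issued > maxAge {
		return errors.New("challenge expired")
	}
	if !ed25519.Verify(rec.PublicKey, challenge, sig) {
		return errors.New("signature does not match the stored public key")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // done once, on the client's device
	rec := userRecord{PublicKey: pub}                // the server's enrolment record
	now := time.Now().Unix()
	challenge, _ := newChallenge("bank.example", now)
	sig := ed25519.Sign(priv, challenge) // client side: the private key never leaves the device
	fmt.Println("login error:", serverVerify(rec, "bank.example", challenge, sig, now, 60))
}
```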
This is the real context of security. It’s the mass adoption of it all.
The whole point of writing this was to collect my thoughts on the subject. My intent isn’t to dissuade someone from using 2FA. Like I stated earlier, I use it. The intent was to show that 2FA isn’t an amazing thing that is the great equalizer against the hackers of the world. Its value is very limited in what it can do, and in many cases it will not save you.
I personally think that the focus should be on REAL security. Just real, deep down, honest and proven security.
I strongly encourage you to read 1Password’s discussion, Two Factor or not Two Factor, on why they haven’t implemented 2FA. 1Password falls into a slightly different category of authentication, as it is encrypting data, but it makes good points. Their essential point is that they don’t want to sell their clients feel-goodery. Bravo.
UPDATE: 1Password has since added 2FA and caved to the feel-goodery mob.