Two Factors are Better Than One, Two Factors Get the Job Done

A discussion of the AP hack and two-factor authentication below the fold for those of you who aren’t interested.

The AP Twitter account was hacked yesterday and the hacker’s message (that the White House had been bombed and Obama injured) caused a momentary stock market panic. This caused Twitter to announce that they’ll support two-factor authentication. What’s that and why do you want it?

Two-factor authentication is based on a password plus something else – that something else could be a smartcard your computer scans, your fingerprint, or a code that you type in from a device that generates codes. For a mass market app like Twitter, it’s most likely that they’ll create a smartphone app that generates a number that Twitter will request whenever a new computer or new app is used to access their service.

I’ve been using Google’s two-factor auth for a few months on my “real” gmail account, and they’ve removed the PITA factor as much as possible for something that’s an inherent PITA. The Google “Authenticator” app that runs on my phone spits out a six digit number every minute. If Google senses that I’m on a different computer, it requests that six-digit number after I supply a valid password. Since you can log in to a lot of services with your Google password, and many of them don’t support two-factor auth, Google allows you to create special “application passwords” for each of those services.

Of course, your phone could lose charge or you might not have it with you. Google also lets you print out a sheet of one-time-use numbers that you can tuck in your wallet.

If Twitter had two-factor auth that functioned like Google, and if the AP were using two-factor auth, the person who hacked their account would not only have to guess their password, they’d also need to have a code that could only be produced by a smartphone app and that was valid for only a minute. This is a lot harder than just guessing a password.

The issue with Google, or Twitter’s or any other sites two-factor auth is that you’ll end up with a plethora of apps and codes to secure all your accounts. There’s an industry consortium called FIDO that’s working on a standard solution which could be shared by many different sites.

If you use Gmail for an account that manages your money, I’d take a serious look at two-factor auth. If you want some incentive, take a look at James Fallows’ account of his wife’s experience being hacked.






39 replies
  1. 1
    nathaniel says:

    Maybe I am wrong, but the problem I have with the two factor authentication is that you can’t share accounts. At least I think this is the case with gmail.

    I am sure more then one person can post on the APs twitter account.

  2. 2
    mistermix says:

    @nathaniel: You can have multiple authorized devices with Authenticator running for Google, so that’s probably true for Twitter, too.

  3. 3
    Poopyman says:

    One of my banks uses two-factor authentication, and allows 2 computers’ IPs/MACs as the second factor, so you can share that way, It’s possible to use a different (third) computer, just a bit more of a pain.

  4. 4
    Gin & Tonic says:

    For the important stuff (i.e. work) I’ve been accustomed to two-factor authentication pretty much forever, and always have my RSA token. I’m glad to see this extending into the consumer sphere, but as a Luddite who doesn’t carry a smartphone, I wish there were accessible alternatives for key generation.

  5. 5
    Gin & Tonic says:

    Also, am I the only one here old enough to remember when “Fido” in computing meant a distributed BBS system? Fidonet anyone?

  6. 6
    Chet says:

    Yeah, two-factor authentication is a major step up in security, and it’s a good idea to use it on your “master” accounts: the one your bank statements and Mint account is linked to, the one that’s your Facebook pw recovery email, the one that your Netflix account is linked to, etc. Understand, though, that two-factor authentication can be defeated by someone older than 40 calling into customer support armed with some public knowledge about you. There’s a significant “grandpa factor” in these security technologies where companies will simply circumvent the protections rather than risk pissing off a customer who doesn’t understand the security implications of doing so. Google, to its credit, has no phone tech support for Gmail so the likelihood is reduced.

    Remember Mat Honan. Two-factor could have saved his (digital) life.

  7. 7
    Chet says:

    @Gin & Tonic: Two-factor keyfobs are out there; my wife has one for her Blizzard account. You push a button and a little one-time keycode shows up on a little LCD screen. I use the iPhone app, myself.

  8. 8
    Eric U. says:

    both google and paypal will send you a text with a code. I think that’s superior to an app

  9. 9
    Raven says:

    @Gin & Tonic: Fuck It and Drive On

  10. 10
    Joey Maloney says:

    @Gin & Tonic: Used to run a FIDOnet board. I still remember waking up at 2:30 in the morning to the modem sounds as the computer (a 386 IIRC, running MS-DOS in 8 MB of memory that I had to take out a bank loan to buy) dialed up various partner nodes and exchanged the day’s activity.

    Now get the fuck off my lawn.

  11. 11
    Sister Rail Gun of Warm Humanitarianism says:

    If you want some incentive, take a look at James Fallows’ account of his wife’s experience being hacked.

    And people wonder why I don’t trust the cloud — any cloud — to hold my data or the data and backups for my office. It’s a great way to have A backup that’s accessible from anywhere, but it will never be my only repository for anything.

    Nor a repository — period — for anything sensitive.

    @Gin & Tonic: No.

  12. 12
    Cassidy says:

    @Raven: That’s what I was thinking.

  13. 13
    MikeJ says:

    @Sister Rail Gun of Warm Humanitarianism:

    Nor a repository — period — for anything sensitive.

    Nothing at all wrong with saving sensitive info in the cloud as long as it is properly encrypted. Properly means encrypted by you before it leaves your computer without relying on a third party for decryption.

  14. 14
    Biff Longbotham says:

    @Gin & Tonic: I think that merely asking about a ‘BBS’ qualifies you for assisted living.

  15. 15
    Sister Rail Gun of Warm Humanitarianism says:

    @MikeJ:

    Nothing at all wrong with saving sensitive info in the cloud as long as it is properly encrypted. Properly means encrypted by you before it leaves your computer without relying on a third party for decryption.

    Which makes the only advantage to using the cloud, the “accessible from anywhere” feature, useless.

    For a backup to fulfill the “offsite out-of-state in case of natural disaster” requirement, yeah, I’ll concede that one. Been doing that with the original cloud, a private FTP server, for years.

    You’ll take my local servers and backups and terabyte hard drives only from my cold dead hands.

  16. 16
    Villago Delenda Est says:

    @Sister Rail Gun of Warm Humanitarianism:

    “The Cloud” is vile marketdroid speak for “someone else’s server”.

    I think it’s handy to have A backup on another person’s server, but you need to have another backup totally under your control, which is properly secured daily in a fireproof safe. Tape is good. Run one every night.

    Sure, it’s a pain in the ass to retrieve data from, but the point is, it’s a contingency, a fail-safe. If the data is “mission critical” you need to take the time, effort AND EXPENSE to secure it.

  17. 17
    Eric U. says:

    @Villago Delenda Est: no such thing as a fireproof safe, as many people have found out to their chagrin. I have never produced anything I couldn’t live without, which probably should make me sad

  18. 18
    catclub says:

    Fallows has not read about the hack that ran through Amazon.

    My bank seems to send a second sessionkey to my email every time. PITA, but safe. Especially a PITA when I have home email not accessible from work and versa visa. I need to be sure which email gets the sessionkey.

  19. 19
    Seanly says:

    @Chet:

    Apparently, these are not foolproof (and by extension any 2 factor system). Our guild on SWTOR required using the keyfob and one member was always going on about how that could be hacked by someone willing to keylog. With enough keylog data, the algorithm could be learned and spoofed. However, my thought was that it’s like any security system – it can’t stop every theif, just makes it more likely for them to choose someone else to rob.

  20. 20
    Villago Delenda Est says:

    @Eric U.:

    Well, ‘fireproof’ is a misnomer…mostly fireproof is more like it.

    The solution to THAT problem is a second tape backup off premises. Is the data REALLY mission critical? If it is, the peace of mind alone is worth the effort.

  21. 21
    Villago Delenda Est says:

    @Seanly:

    Yes, it could be hacked IF you’ve been keylogged long enough. Which means you’re fail at another element of computer security that should be fundamental…run an anti-virius program that also looks for things like keyloggers, other spyware, and malware in general.

  22. 22
    Sister Rail Gun of Warm Humanitarianism says:

    @Biff Longbotham:

    I think that merely asking about a ‘BBS’ qualifies you for assisted living.

    I offended quite a few Microsofties when I gave them my reaction to Windows 8. Everything old is new again.

  23. 23
    Jack the Second says:

    @Gin & Tonic: As long as you carry a non-smartphone, Google has your back. They can send text messages with the code, or call you and speak the code.

  24. 24
    JoyfulA says:

    My husband has no smart phone and does have the Google double-check. Google makes a phone call to him on the land line and says a code, which he types in.

  25. 25
    Villago Delenda Est says:

    @Villago Delenda Est:

    Oh, I might add, that there is such a thing as one of YOUR servers in someone else’s physically different location server farm, which can provide off site backup.

    One of the thing the pointy haired MBA fucktards need to be told (although it’s problematic if it will penetrate their thick Ferengi skulls) is that these backups are NOT there just for covering their ass when one some oopsie of theirs take place where they deleted some key email “by accident”. This is insurance for data that if lost can seriously cripple the enterprise, not for covering for their stupidity.

  26. 26
    Gin & Tonic says:

    @Jack the Second: Not much help when I travel to countries where I could really use the security of two-factor while at some sketchy Internet cafe, but I’ve bought a local SIM to avoid the international roaming extortion racket.

  27. 27
    Sister Rail Gun of Warm Humanitarianism says:

    @Villago Delenda Est:

    “The Cloud” is vile marketdroid speak for “someone else’s server”.

    There was talk of moving all of our data to The Cloud at work. Briefly. Until I pointed out that doing so would mean that any internet outage would mean that no one would be able to work. The office is in a rural part of NC; reliable internet service is a pipedream. Hell, some days reliable electrical service is a pipedream.

    I think it’s handy to have A backup on another person’s server, but you need to have another backup totally under your control, which is properly secured daily in a fireproof safe. Tape is good. Run one every night.

    I use portable hard drives, just because tape drives were an added expense we didn’t need when we first set up the office server. Two portable hard drives with daily and weekly backups, one is always offsite and at least 30 miles away in case of local disaster (fire, lightning strike, etc.). Purged down to one retained per month after six months, with the sixth month burned to DVDs and stored in yet a third place. A single weekly backup maintained on an FTP server on the other side of the country in case of major disaster.

    Yes, I’m paranoid on this subject. Why do you ask?

  28. 28
    Sister Rail Gun of Warm Humanitarianism says:

    @Villago Delenda Est:

    One of the thing the pointy haired MBA fucktards need to be told (although it’s problematic if it will penetrate their thick Ferengi skulls) is that these backups are NOT there just for covering their ass when one some oopsie of theirs take place where they deleted some key email “by accident”. This is insurance for data that if lost can seriously cripple the enterprise, not for covering for their stupidity.

    Gods above and below, yes. I do outsource our mail services. We’re just not big enough to justify the expense of our own mail servers. And I do have a spare portable HD for backing up downloaded email if they choose to. Because of the rampant epidemic of fumblefingers, I prefer to pop the mail into their client and leave everything on the mail servers. Some don’t like that and figure out how to turn it off. They’ve learned that I’m not sympathetic when they then accidentally delete the only copy of something.

  29. 29
    Bitter and Deluded Lurker says:

    @Sister Rail Gun of Warm Humanitarianism: Paranoia is good in this case.

    I’m an avid amateur photographer, so my data of interest is primarily images. I back everything up to an external hard drive (which I’m behind on) and also to DVD or Blu-ray drives (also behind on). I also back up my best and favorite images to cloud storage (currently AWS).

    I also write. I put my encrypted backups on dropbox. (The encryption is admittedly overkill.) I usually have a hard copy on hand

  30. 30
    catclub says:

    @Sister Rail Gun of Warm Humanitarianism: “Yes, I’m paranoid on this subject. Why do you ask? ”

    Does that extend to actually testing the recovery software?

    There always seem to backups, the problem is when they turn out to be gibberish.

  31. 31
    Gin & Tonic says:

    @catclub: Bingo. How often do you recover files from your backup media?

    An oldie but goodie: good backup is cheap, it’s lousy backup that’s expensive.

  32. 32
    Sister Rail Gun of Warm Humanitarianism says:

    @catclub:

    Does that extend to actually testing the recovery software?

    I don’t actually trust backup compression for that very reason. It only takes one bad sector to make it impossible to recover a backup with a reasonable effort.

    The most common use of a backup, in my experience, is replacing a corrupted or accidentally deleted file. It’s a lot easier to do that when they’re backed up uncompressed.

    It’s also why there are so many backups. I’ll eventually find one made before the corruption happened.

  33. 33
    Sister Rail Gun of Warm Humanitarianism says:

    @Gin & Tonic:

    Bingo. How often do you recover files from your backup media?

    Minimum every six months, when I burn the DVDs.

  34. 34

    @Gin & Tonic:

    as a Luddite who doesn’t carry a smartphone, I wish there were accessible alternatives for key generation.

    I don’t have the Google app – they just text me a new code wherever I log in on a different device.

  35. 35
    Jay S says:

    From the Google link in the article:
    404. That’s an error.

    The requested URL /2step was not found on this server. That’s all we know.

    http://www.google.com/landing/2step/ seems to work.

  36. 36
    👽 Martin says:

    If anyone is looking at the rationale of these companies releasing smart watches like Pebble, two factor authentication is a big part of it. Register the device, Bluetooth ensures physical proximity, or provides a code on screen if you’re working off of someone else’s computer. Personally, I find most of the existing two factor schemes to be cumbersome, particularly when you expand it out into the full sphere of places it ought to be used.

    Regarding backups – Mac users, use Time Machine. Get a Time Capsule or external hard drive. It’s dead simple to turn on, dead simple to recover files from, and works great. File recovery presents you with a standard Finder window, or iPhoto window if you’re recovering photos, etc. and a control to move forward and backward in time. As you move backward, the Finder (or iPhoto) updates to show you what your system looked like at that time. Navigate through folders or albums and you’re navigating through your backup. Find the stuff you want to recover and click on it.

    For a full system recovery, go into Disk Utility, go to the Restore tab, select the backup (it should find it automatically off the network or USB) and go. Makes it really handy for setting up a new computer. When you start your new computer, migration assistant will prompt you if you want to migrate from Time Machine. Point it at your backup, and it’ll set up your new computer just like your old one – preferences, home folder, apps, etc. Super easy.

    But you have to have the time machine backup to start with. Go do it now.

  37. 37
    Chet says:

    @Seanly: The algorithm is public; it’s just an AES-128 cypher of the output of a real-time clock synchronized with the server. The “secret” is the seed, unique to each device, and that’s not something you could mathematically reverse-engineer, no matter how many examples of passcodes you collected. The only hacks that work on these one-time keyfobs are social engineering hacks.

  38. 38
    Fax Paladin says:

    @Joey Maloney:
    And we carried our bits in a bucket
    And our mainframes weighed 900 tons
    And we programmed in ones and in zeroes
    And sometimes we ran out of ones…

  39. 39
    Mike Jones says:

    (Disclaimer: I work for Symantec). There is a free (to the end user) app that does the same one-time key generation as the RSA fobs that you can use with any site that uses Verisign
    authentication, which includes eBay and Paypal. Versions are available for iOS, Android, and Windows. I’m certainly hoping for more interoperability among the various two-factor systems that are out there.

Comments are closed.