Saturday, July 9, 2022

There is a better way to handle online logins.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

    Recently, there has been a trend towards attempting to increase the security of online login processes on many websites. I say "attempting" because most of the time, the security they are trying to achieve is never reached. I support the effort, but I urge these companies to re-think their methods because there is a better way forward. For customers and users, our responsibility is to show these companies what we want, and also to know what we want rather than taking them at their word.

    The "go-to" technique to secure online logins is to use something called "two factor authentication" or "2FA" for short. There are three main "factors" that a machine can use to determine if you are who you say you are: something you know (PIN/Password), something you physically have (phone/card/key-chain), and something you are (face/fingerprint/voice). Of the main factors, something you know and something you have are the easiest for services to implement and are also the most secure factors. The main issue is that not all systems are equally secure or convenient.

    I will outline the "bad way" and then the "good way" and explain why the "good way" is cheaper (for you and the service), faster (less time to sign in), more secure (self-explanatory), and more convenient... all at the same time.

    First, the "bad way": In this scenario, the user typically enters their password, then the service sends a one-time code via text message, and the user must enter that code within a given time window while it is still considered valid. The security of this model assumes that the user is the only one who has their cellphone and the only person who knows their password. It also assumes that when a text message is sent, the user's phone will get the message to the user in a timely manner and that the message will go to the correct user... both of which are false, and I will explain why later.

    Now for the "good way": This model starts the same. The user is asked for their password, and then the service checks that the user has something unique to them, as it would in the previous example. The difference is in how and what it checks for. The user can be asked for a physical USB key or for their phone. By far, the USB key is the fastest, safest, most secure, and most convenient option, but since almost everyone has a phone, the phone is the default option. In this example, the service has shared a secret code with the user, usually presented as a QR code that the user scans into an app like Google Authenticator, FreeOTP, or andOTP, and the app will then generate a one-time code whenever the user needs one. This model does not require the user to have a phone number or an internet connection; all they need is a code generated on demand by a simple app on their phone. Alternatively, the user may have a USB key that will simply blink when the service asks the user to sign in; the user merely touches the sensor on the key and the process happens in a split second. This model is much harder to attack since the one-time codes are generated directly on the user's phone, while the "bad way" has to send a code to the user and hope that it gets to them.

    Many people assume their text messages are safe and can therefore be used for authentication, but that is absolutely false. There are several high-profile cases where someone famous has had their account breached because they were using the "bad way" to do two factor authentication. One such person is Jack Dorsey, the (at the time) CEO of Twitter. His account was breached because a scammer was able to divert his text messages to their phone, and thus not only take his account but also prevent him from noticing, because he never got the authentication message. Typically, this attack is done via the "SIM swap" method; the easiest and most effective way is to ask the underpaid worker at a cellphone kiosk to change your SIM card because you lost or damaged your old phone and SIM card. Some employees of these establishments are going to do their due diligence and check your ID, but some are overworked, underpaid, and just want to get things done so they can go on break... hence they may take shortcuts or cut corners which... well... ask Mr. Dorsey how that went for him. This also ignores all the technical attacks that could be used to steal a text message mid-flight. While those attacks are possible, it is easier to understand how someone can just waltz into a cellphone store and get your phone number assigned to their phone than it would be to explain how an attacker would nab said message mid-flight using more technical means.

    The "good way" relies only on your hardware: devices that you bought, you control, and you trust. The best method is the USB key because it has been designed to use robust public-key cryptography to protect you both from attempts to clone your key and from phishing links, since the website's address is bound into the sign-in process.

    If you are a company that is using text message based authentication to reduce your liability, please use the "good way": ask your team to build in support for two standards, TOTP (that is the phone apps like Google Authenticator) and U2F (that is the USB key). There is a strong likelihood that your team understands what those terms are and how to put them into your service so that the user experience will be seamless. I understand that some stubborn users will insist on using their phone number, but every user that takes the option of using an authenticator app or a USB key saves you from sending costly text messages and is going to have fewer issues, which means less time that your support staff has to spend helping them set up their account.

    If you are a user, the same thing applies as for a company. Urge your chosen service to use, or at least allow the use of, the authenticator phone apps (technically called TOTP apps) and/or the use of a USB key (these leverage a standard called U2F, or Universal Second Factor). The only reason a company would insist on using a phone number is either that they do not understand just how low the security is, or that they do know there are better options but prefer to use the phone number to invade your privacy... more users requesting or insisting on the use of anything other than a text message means more pressure to change, which means a more secure internet for all of us.

If the PGP signature lines are something you have not seen before, then check out my post on the subject.

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQTdEHZzdRj88+sPHs2DGTsp04R9UwUCYskuCQAKCRCDGTsp04R9
U7fFAP93NsVKpqr7ujVhM4Ab4gu6pmaHZbKh6lRzBMXm1DmbUAEAhj2v90vAucfc
E0bpw14riSHbKWQiUEDxFMNd1VsvxAE=
=bT/g
-----END PGP SIGNATURE-----


How do you start? Start by downloading a free authenticator app. All of them use the same standards as Google Authenticator and Microsoft Authenticator, so they all work on the same websites, here are some links:

Apple iOS users: FreeOTP from the Apple App Store.

Android users: Both andOTP and FreeOTP are good options, pick whichever you like better as they both work the same.

The reason I recommend using FreeOTP and andOTP is that they are easier to back up and are more transparent, so you do not need to trust the developers to know that they are safe.


If you really want the best security, fastest logins, and worry-free usage, then I suggest a good USB key.

Yubico has a few models that are fairly good; the YubiKey 5 NFC and a cheaper model are good options. They also have a quick quiz that will suggest a good model for your needs.

Solokey is another player to watch as their new key is very promising and user-friendly, once they begin selling to retail customers that is.
