Two Factor Authentication

These days we have to remember passwords for a huge host of web sites and systems, unless of course you just use the same one for every site, bad idea, eggs and baskets spring to mind. Then there is the quality of the password, short and easy to remember passwords are easier for a hacker to guess, whilst on the subject of short passwords please see the table here, If you have any of the ones listed then you should change it now. Complex high entropy passwords are much harder to brute force, but long and complex passwords are hard if not impossible to remember.
Another problem with passwords is that they are static. You may change them from time to time but if you log onto a site and someone behind you makes a note of your password by watching you type or, more likely, if captured by a key logger that person can log on as you. This is not such a problem for low profile sites, but for banks & other financial sites you want to be as secure as possible. I would also recommend running a virus checker frequently to check for key loggers.

When you get money out of your bank you use a  password and card system is known as two factor authentication (T-FA) or (2FA), that is; something you know, your PIN and something you have, your card. Without these two things you can’t get any money out of your bank account.
Another form of authentication are biometrics, something you are. My laptop has a fingerprint reader, to log in I need to swipe my finger and enter a password. Again this is two factor authentication, something I know, my password, and something I am, my fingerprint. Nice thing about biometrics is it can’t be stolen, stolen easily that is and it’s going to be messy.

A couple of years ago my PayPal account was hacked. I had used a very high entropy password but somehow someone still managed to gain access, I was either the victim of a key logger or they got in via some vulnerability of the PayPal system. I will never know. After a bit of research I found that PayPal supported a form of two factor authentication. This is done via SMS on cell phones. When you enable this system; each time you log on with user name & password it sends a 6 digit key (20bits) to your phone via SMS. 6 digits may not seem like a lot but it’s only valid for a few minutes. So in this situation a hacker would not only need to know your user name & password but also have your phone.  I would highly recommend everyone to enable this option. It may make logging into your account a tiny bit slower, but much more secure and where money is involved it’s worth being extra cautious.

The cell phone system is a great idea IMHO as you generally own one and it’s also with you wherever you go. Unfortunately sending SMS messages does cost money and so this sort of system will only be viable for large organisations. What is needed is a cheap 2FA system that would work on all the machines you use. For this to work with a fingerprint then all PCs would have to have a fingerprint reader, most don’t. Or how about a card reader? Even less have this facility. So what has every PC got? Well unless it’s hideously old all PCs have a USB port.

Enter Yubico and there device called the Yubikey. It looks a bit like a waif of a memory stick that can easily be attached to your key chain and therefore with you all the time. It plugs into a USB socket and is recognised as an USB keyboard. This is important as every PC has a USB keyboard driver loaded by default so no software drivers need to be loaded when you plug your Yubikey in, it just works. There is one button on the Yubikey, when you press the single button it types a 44 character key. The first 12 characters are a unique 48bit ID for that Yubikey. The other 32 characters generate a 128bit one time password (OTP).

To log onto my blog I have enabled Yubikey authentication. I need to enter my usual user name & password, then it also requires the password from the Yubikey. I simply plug the key in and press the button, it types the 44 character key into the login screen and I’m in. If a key logger captures all that information and it was used to log in again it would fail. This is because the Yubico password changes each time I log in, it NEVER repeats. So a hacker would physically have to have my Yubikey as well as know my user name & password to successfully log in.

I also use the Yubikey with LastPass. This is a password manager that remembers all your web passwords with one master password and syncs them across all the machines you use. You can therefore have very high entropy passwords for all your sites but only have to remember one password to access them all. The obvious problem is, what if that one master password is captured by a key logger? With the option to also authenticate with a Yubikey then it’s not a big problem as the hacker would also need access to the Yubikey.

You can also use Yubikey with Clavid, the OpenID authentication portal. This open ID then allows you to log onto many other sites a bit like LastPass.

On the version 2 Yubikey you can program a second configuration. This can be a static password of up to 64 characters. This is useful for other applications such as TrueCrypt which does not support the Yubico one time password system. Although this second option is far, far less secure than the OTP method it can be used offline and with any program that requires a typed password. You can set the key to generate a 64 character static password and just press and hold the button for approx 3 seconds to automatically type it out each time.

At the moment there are not many other sites or systems that work with the Yubikey OTP system, some that do are listed here, but I hope it will achieve a critical mass soon and be the de-facto form of 2FA for the net. It’s a clever answer to the problem of security on the net.

Password Policy
How I’d hack your password

Entropy1024

4 Comments

  1. You can also use the Yubikey for two-factor authentication on Windows machines and Active Directory domains. At 1/10th the cost of the market leader, and since the Yubikeys never expire, it’s a big win for small and medium businesses that couldn’t otherwise afford two-factor.

  2. How did you get your laptop login to be 2-factor? Which OS do you use? On Windows 7 my fingerprint reader only works as an alternative to the password, not an additional check. Just curious. On the other hand I would not be sure whether I would want to rely on the fingerprint as a necessity, because sometime typing the password is just so much quicker than waiting for the fingerprint reader to initialize or to scan the finger a few times (because often it doesn’t work on the first try)

    • I have a Lenovo T60 which has a built in fingerprint reader. This works at a BIOS level and is required at boot, before any OS has been loaded/run.
      I agree that if you have a short password then typing it is faster and probably more reliable. However as most of my passwords are 12+ characters of mixed case, numbers & special characters a finger swipe is much faster, even if it fails from time to time 😉
      Hope this helps.

Leave a Reply

Your email address will not be published. Required fields are marked *