Social-Media Trend To Watch: Security That Doesn’t Have To Suck

by Rob Pegoraro on March 29, 2013

Social networks, e-mail services and other Web apps are competing to make logging into their sites more complicated–finally.

Alongside more traditional features like extra storage or a wide range of smartphone apps, their sales pitches have started to cite support for “two-factor authentication,” also known as “two-step verification.” That’s a generic term for asking users to provide some shared secret besides a password; in consumer practice, this extra ingredient usually takes the form of a numeric code sent to a device or produced by an app that only you should be able to use.

It’s not a new idea, even among consumer services.

Google introduced its version back in February of 2011, and Yahoo did likewise in December of that year. But after early attention among security types and the occasional tech columnist, attention faded. Much the same thing happened a year earlier when Microsoft and then Facebook added a lesser security alternative–allowing users to request a single-use code via text message, which they could then use in place of a password.

It took a bout of successful hacking attempts to put this feature into fashion. Last July, a Dropbox employee’s account got “pwned,” leading to the exposure of users’ e-mail addresses. A few months later, a teenage hacker pierced the security mechanisms around Apple’s iCloud to take over Wired writer Mat Honan’s Twitter account and remotely wipe his laptop in the process. In February, Twitter had to reset users’ passwords after its own systems were compromised; a month later, Evernote went through the same drill.

And a growing number of U.S. government offices, law firms and companies have reported break-ins by Chinese hackers.

No further confirmation should be required that the old security routine of telling users to pick hard-to-guess passwords (how often have you seen a site reject your chosen password as too obvious?) and then maybe change them every 90 days (because no bad guy would ever think to put a keystroke logger on a compromised machine to catch each change of passwords) no longer suffices.

So last August, Dropbox began offering two-factor authentication; Apple started rolling it out as an option (with one halt to fix a serious security glitch in the first deployment) two weeks ago. And Evernote and Twitter have said they’ll provide their own forms of two-step verification.

At the most basic level, this flurry of activity represents a sensible response to a problem that will only get worse. The more time we spend in one account or another online, the more it becomes an extension of our identity and the greater the potential reward from taking it over–even as unscrupulous hosts in other countries make it ever cheaper to mass-produce malware.

But adding more sophisticated levels of security to consumer services might also bring more competition and accountability to the field.

When things like two-factor authentication were confined to enterprise-IT settings, vendors of these technologies had to operate at a certain distance from the people who use them. They sold them to IT departments, not individual employees; those staffers, in turn, couldn’t fire the IT vendor without firing their employer first.

But it’s a lot less effort to dump a Web-mail or file-storage service if its authentication turns out to be too much of a bother–or if it doesn’t protect your data at all.

I’m already seeing some useful competition and creativity in how services provide these numeric codes. Apple and Yahoo, for example, rely on text messages, with a printed backup code and a security question, respectively, as backup mechanisms. Google’s two-step verification (which I finally turned on last summer) also employs a time-synced Authenticator app that works without any data connection; that can also generate one-time codes for Dropbox and the LastPass password-management service.

But considering that most of these services only require that second verification on logins deemed suspicious, the algorithms they use to make that judgment will matter even more. In that respect, operators of Web services will have to learn from the examples of credit-card issuers that eye the location, scope and timing of each transaction to see if they suggest fraud in the making.

Are people ready for their Web services to learn that much about their tastes and travels? If you’re not, my only advice is this: Spread your online business around, so no one company can know too much about you–and the compromise of any one account won’t hurt as much.

  • https://www.facebook.com/DakinAssociates Shaun Dakin

    I tried to get my family to implement 2 factor. I’ve given up. Grumpy Cat!

  • Mike Leavitt

    Rob, I think it’s probably best not to confuse two-step authentication with two-factor authentication. The former can be as simple as having a password AND a pin; which, when you think about that, is only slightly better than either alone. The latter is often referred to as “something you have and something you know.” So the authentication device provides one and a password in your head (or in LastPass) the other. This is really more secure and is (or should be) getting the attention.

    I used Google two-factor for eight or nine months and then dropped it. For those programs which used it properly (like Gmail) it was just fine; for those that didn’t use it (like Chrome), it was a pain in the butt. I just got tired of fighting with the non-supporting software.

  • mrtt

    There are issues with 2-factor authentication for sure. I developed and support a secure messaging website (ThreadThat dot com). I started by offering two-step authentication. If you opted in, you had to enter a password plus a pin number sent to your mobile device at every login. No one liked it – including me. I then went to a two factor authentication that only kicked in when someone tried to log in from a new IP address. This is more acceptable, but still has a couple issues. First, if you are using TT from behind a corporate firewall, you get an IP address from a pool of addresses. This requires authenticating with a password and pin more often than desired. Beyond that, there is a vulnerability created by linking an email account to the TT account (a common industry practice). The email account is used for password resets among other things. With the recent spate of hackings, this is a real problem. If someone compromises your email account, then they can reset the password of most any account that is connected to that email account. I recently added an option to TT that allows users to disable password resets. I think it is time that all sites offer such an option. If you feel confident you can manage your passwords, then you should not need a password reset option.

    • http://robpegoraro.com Rob Pegoraro

      Thanks for your testimony. You couldn’t limit the two-factor auth to logins outside a particular block of IP addresses? I’ve been surprised to see how rarely Google requires me to enter a code from Authenticator, but I suppose they have some pretty high-end algorithms to decide when a login attempt looks sketchy enough to require the second step.

      • mrtt

        Rob, the reason TT cannot recognize a block of IP addresses is because, to protect your privacy, TT code does not store your entire IP address. It is stored like *.*.123.456. Without the first two subnets to compare to, it is impossible to determine if the IP belongs to a previously visited corporate intranet. I suspect Google (and most other services that offer TFA) record your full IP address for comparison. Some, like Facebook, for example, use cookies. If you try to activate TFA on FB (Settings–>Security–>Login Approvals), FB will tell you that you must allow (and not clear) cookies for TFA to work as intended. There is often a tradeoff, it seems, between user-friendliness and privacy protection.

        • http://robpegoraro.com Rob Pegoraro

          Absolutely–if the service is going to know which logins are suspicious enough to require two-step verification, it has to develop a pretty sophisticated model of how and where you use it. Same way AmEx has to know a lot about your spending habits for its fraud-detection algorithms to work.

  • http://twitter.com/urqui URQUi

    URQUI.com is a FREE OTP (One Time Password) app for any cell or smart phone. URQUi can be used as a 2FA (2 Factor Authentication) tool. Of course the URQUi server software must be loaded on the server that you are logging in to. The URQUi server software is FREE for use on all not-for-profit servers. The mobile phone version of URQUi can be downloaded today from iTunes, Google Play or BlackBerry World. Please see our 99 second explainer video at http://www.urqui.com/press
