Management Assistance Program
The Rise of Two-Factor Authentication and the Authenticators
By Jim Calloway
Recently, many media outlets covered the plight of Stefan Thomas, the man who, as of January 2021, had $250 million worth of bitcoin trapped in his Bitcoin wallet. He secured the keys to the wallet on an IronKey flash drive. I recall in one 60 tips presentation years ago noting the Mission Impossible feature of the IronKey that provides extra security by permanently encrypting the contents of the drive after 10 incorrect password entry attempts. Yes, the data does self-destruct. Mr. Thomas lost the paper with his password written on it and, after a few wrong guesses, now has two password attempts left. In his defense, when he received the 7,002 Bitcoin in 2011 as payment for making an animated video, the value of bitcoin was much less.
His IronKey now is in a secure location, and Mr. Thomas hopes some future cryptographers will one day crack it. I’m not sure you could outline a more severe case of pain resulting from forgetting a password.
There are ways to better secure your accounts without running the risk of locking them up “forever.”
As I’ve noted previously, I believe lawyers should be using a password manager to organize and use appropriate, complex and unique passwords for every login. I still believe that, but now there is more to consider.
PASSWORDS ALONE DO NOT PROVIDE ADEQUATE SECURITY
You read that correctly. Passwords alone are no longer sufficient protection for the most important accounts you log in to.
Originally, it was believed that it sufficed for a user to memorize two different items, the username and password, and log in using those. But now, most websites (and people) use their email addresses for their username. This has the advantage of being something the user won’t forget and the disadvantage of being easily discoverable in most situations.
So, the password is the only remaining “secure” information in the login process.
According to some online security services, 90% of passwords can be cracked in less than six hours. That number sounds high to me, but I have little doubt about the significant risk. Today, there are powerful hacker tools that can test millions of passwords every second. Longer passwords that mix letters, numbers and other characters take more time to crack. And those who do not use a password manager tend to reuse the same password on many sites, which means that when one account is cracked, the criminals may have the password for many.
So, you need another secure bit of data, another factor.
THE NEED FOR TWO-FACTOR AUTHENTICATION
Most readers are familiar with two-factor authentication (2FA). Hopefully, you are already using this with your bank account and other financial accounts. The more accurate term is multifactor authentication, but I am going to use 2FA in this article just because it is more readable than MFA.
A common shorthand way to describe the additional factor used for 2FA is something you know, something you have or something you are (biometrics). Something we have with us almost all the time is our mobile phone. The most common method of 2FA is by SMS text messaging. When you enter your username and password into a site, the site responds by sending you a code via text message that must be entered to complete the login process. Sometimes this can be done by email, which is also not secure.
This basic form of 2FA means that even if a hacker got into the online service and pilfered all the usernames and passwords, they would still not be able to access your account because they wouldn’t have your mobile phone to receive the required code via text message.
You should already use 2FA for any financial accounts, any online shopping service you have allowed to remember your credit card number, medical portals and confidential client information. If you have social media accounts, using this method will likely mean you will never have to post, “Please do not accept any invitations from me. I’ve been hacked.”
A critical account to secure with 2FA is your Microsoft 365 account. If a hacker steals your password, it grants them the ability to send out emails pretending to be you, view and change your calendar and access all documents you have stored in OneDrive. In many ways, this is the “keys to the kingdom” hack.
But sadly, using SMS text messaging for 2FA, this simple and most common method, is no longer the best practice. Even so, I cannot stress strongly enough how much more secure SMS text messaging is than not using any method of 2FA.
SMS TEXT MESSAGE AUTHENTICATION IS MUCH MORE SECURE THAN SKIPPING 2FA ENTIRELY, BUT SMS TEXTS ARE NO LONGER THE BEST 2FA METHOD
Unlike end-to-end encrypted messaging, such as WhatsApp or Signal, SMS is built on an infrastructure with known security weaknesses. Apple’s iMessage is encrypted, but that only applies when transmissions are iMessage to iMessage. So, normally the code is sent via SMS and therefore not encrypted.
The risks of using SMS text messages for authentication are somewhat technical. One risk is that your cell phone carrier can be scammed into giving someone else access to your codes. It is easier than one would hope to “steal” a cell phone number by having the account transferred to a new device, especially if the bad actors have the number and other personally identifiable information, such as the last four digits of your social security number. A data breach at any employer could easily provide that information. Malware can be unknowingly installed on users’ phones that scans for these SMS passcodes and sends them to a wrongdoer. Interception of SMS messages in transit is another risk, even if it is uncommon.
Phishing exploits can also trick people into compromising their SMS. Forbes contributor Zak Doffman profiled an Iranian SMS 2FA attack named Rampant Kitten.
Check Point warned of an SMS 2FA attack just last month, “an Android backdoor that extracts two-factor authentication codes from SMS messages, records the phone’s voice surroundings and more.” The “Rampant Kitten” operation, attributed to Iranian hackers, intercepted 2FA codes for otherwise secure Google and Telegram accounts. The attack was brutally simple, Check Point told me, an app pushed out to users via social engineering that asked for permission to read SMS messages.
For more in-depth technical information, refer to National Institute of Standards and Technology Special Publication 800-63B, Digital Identity Guidelines, Authentication and Lifecycle Management. Section 5.1.3.3, Authentication using the Public Switched Telephone Network, provides, “Verifiers SHOULD consider risk indicators such as device swap, SIM change, number porting, or other abnormal behavior before using the PSTN to deliver an out-of-band authentication secret.”
PSTN is essentially the telephone network, wired and wireless.
One should secure all financial accounts properly not only to avoid today’s risks but to prepare for tomorrow’s increased risks.
Using 2FA is very important. The SMS texting method is simple, even if not totally secure, although compromises of SMS seem relatively rare right now. If you have a bank or retirement account you access online, that is a vulnerability. A single compromise could cause some life-altering pain. A 2FA system that doesn’t use SMS is superior, but it is far better to use SMS 2FA than none at all.
WHAT ARE MORE SECURE AUTHENTICATION METHODS?
Some well-known services provide their own 2FA method. Some already provide a method that does not involve SMS text messaging.
If you have a Facebook account, that is a good opportunity to work through setting up 2FA. Facebook has made it very simple. See the Facebook page “Login Alerts and Two-Factor Authentication.” Facebook also provides a code generator that can avoid SMS entirely. See Facebook’s “What is Code Generator and how does it work?” Facebook will only require the code when you log in from a new, different device, so it won’t impact your use in most cases.
Two methods that provide a high level of security with 2FA are authenticator apps and physical tokens.
Authenticators generate codes on your phone or mobile device.
Even if an attacker tricked your cell phone company into moving your phone number to their phone, they would not be able to get your security codes. The data needed to generate those codes remains securely on your phone. It never travels through the SMS text messaging system.
The first thing to know about authenticators is many password managers also include an authenticator service as a part of the subscription. LastPass, in particular, gets good reviews for its application.
Google Authenticator is a popular, free and well-regarded authenticator. It is available for both Android and iPhone. It can be used with a broad number of services, including those provided by Microsoft.
Most reviewers recommend Authy. But I appreciate that most Android users will likely use Google Authenticator. Similarly, firms committed to Microsoft 365 might decide to use Microsoft Authenticator.
There are certainly many options. See Gizmodo’s “The Best Authenticator Apps for Protecting Your Accounts” and Android Authority’s “10 best two-factor authenticator apps for Android”.
PHYSICAL SECURITY KEYS
I have not used physical security keys for authentication. These are currently used mainly by larger corporations. I do know you are never supposed to store the physical security key in your computer bag, and for most of us, the best option is to store it on our keyring. I also know there will be minor annoyances and major annoyances (“I left all my keys at the garage because my car is getting repaired”) when these security tools are implemented. It’s not a key you want to misplace.
You can find lots of online articles about the various physical keys and key “families.” ZDNet’s “Best Security Key in 2021” is a good starting point at www.zdnet.com/article/best-security-key. Your attention is also directed to “YubiKey, Google Titan, RSA SecurID, and More: Seven Authentication Token Families Compared” from the Plurilock Blog.
At this point, I predict we will mainly see physical security keys implemented by large law firms with IT departments to support them, and by tech-savvy solo practitioners or small firm lawyers who, lacking an IT department, find managing this type of device to be the simplest solution.
ONE SMS WORKAROUND
Some services may require SMS text messaging for 2FA. One way to reduce this exposure would be to set up a Google Voice phone number and use that for your 2FA, because you can secure your Google account with 2FA. Then you log in to Google Voice to see the code. That method is probably too inconvenient for many frequently accessed accounts but is certainly an option for financial accounts that are not frequently accessed, like retirement accounts.
It’s time for two-factor authentication. In fact, it is past time. But 2FA will involve a few delays every day. It adds a bit more friction to your life – at least your online life. If all you want to do now is to implement SMS text messaging for your financial accounts, Microsoft 365 account and other accounts containing confidential client information, you will have made a significant improvement with your digital security.
Many will decide it is time to set up a more secure authenticator service or purchase physical security keys. The fact that many have implemented authenticators at this point should reassure you that implementation will not be overly challenging. Hopefully, this article and the sources cited in it will allow you to confidently move forward with your options for implementing 2FA more securely.
Mr. Calloway is OBA Management Assistance Program director. Need a quick answer to a tech problem or help solving a management dilemma? Contact him at 405-416-7008, 800-522-8060, jimcatokbar.org or find more tips at www.okbar.org/map. It’s a free member benefit.
Originally published in the Oklahoma Bar Journal — March, 2021 — Vol. 92, No. 3