The Age of SMS-based Two-factor Authentication is Over


Recent password hacks at well-known brands like Evernote, Twitter, and LinkedIn have shined a light on the problem of passwords, and how vulnerable we can be as a result of poor password choices.

The National Institute of Standards and Technology (NIST), a non-regulatory agency of the United States Department of Commerce, publishes national-level guidelines and standards for measurement, and among the many it must keep up to date are some relating to secure electronic communications. Electronic communication security comes in many flavors, with two-factor authentication being a popular, emerging method. Two-factor authentication is one of the best ways to prevent unauthorized access to your accounts, even if somebody manages to steal your password.

Two-factor authentication, or 2FA, adds an extra step to your basic password-based login procedure. Without it, all that is required for authentication is your username and password, making your password your single factor for authentication. Two-factor authentication protects your accounts by requiring you to provide an additional piece of information after you give your password in order to get into your account. In the most common application, an online service sends you a text message containing a one-time code, a short string of numbers and/or characters, that you must enter to access your account.

Adding an extra layer of SMS-based verification to your login procedure is certainly better than relying on a password alone. However, a good argument can be made that two-factor authentication using SMS text messages isn't really two-factor at all: the code is supposed to prove you hold your phone, but all it actually proves is that you can read messages sent to a phone number, and a phone number is not bound to any particular handset. True two-factor authentication requires the user to present two out of three types of credentials before being granted access. The three are:

  • Something you know, such as a personal identification number (PIN), password or a pattern

  • Something you have, such as an ATM card, phone, or fob

  • Something you are, such as a biometric like a fingerprint or voice print

Over the summer, NIST, in the latest draft version of its Digital Authentication Guideline, pushed U.S. government agencies to move away from SMS authentication, noting that a verifier cannot confirm that a code sent to a phone number actually reached a phone in the user's possession rather than, say, a VoIP account, and that SMS messages are easy to intercept. But little appears to have changed, according to a new report from Duo Security, a firm focused on secure access.

SMS authentication “still accounts for hundreds of thousands of authentication requests a day showing no significant change after NIST updated its guidance,” Duo’s Mayank Saha wrote. The drawback of SMS lies in its interoperability: a service sends a message to a ‘phone number’ without knowing or caring whether it arrives as an SMS, an MMS or an iMessage. A message addressed to a mobile phone may seamlessly become an Internet message delivered to a Skype or Google Voice number, and such an account is typically protected by nothing more than another password. That leaves a back door open for hackers and social engineers, because the “something you have” factor has quietly collapsed into a second “something you know.”

If you don’t already have two-step authentication enabled on all your accounts, you really need to turn it on for anything sensitive. Where a service offers it, prefer an authenticator app that generates codes on the device over codes delivered by text message. Here is how to turn two-factor authentication on for the major services:


Apple two-factor authentication


Apple’s two-step verification adds extra security to your Apple ID, and helps prevent people from making purchases in iTunes as well as gaining unauthorized access to your iCloud account. To turn it on, log into My Apple ID, scroll to the Security section, find Two-Factor Authentication and click Get Started…

In addition to providing a phone number where you’ll receive texts, Apple will also force you to write down a recovery key that you’ll need in the event that you forget your password. And do write it down, because on the next page you’ll be forced to prove you did. Codes like this, sometimes called backup codes, are important because they let you get back into your account when you’ve lost your phone. [Apple]



Dropbox two-factor authentication


Log in to your account and click Settings in the top right corner. Under the Security tab, click Enable next to the line item that says Two-step verification Status. From the Security page you can also see which devices and desktop browsers already have access to your account, and revoke access if necessary. [Dropbox]


Facebook two-factor authentication


Log in to your account and navigate to the settings page from the drop-down arrow in the top right corner of the page. Under the Security tab, click Edit next to the Login Approvals line. As with Twitter and Microsoft, you can choose to receive SMS verification codes or use the Facebook mobile app to verify your identity. For a more robust option, be sure to enable the recommended Code Generator, which produces codes on your phone instead of receiving them by text. [Facebook]



Google two-factor authentication


Two-step verification on Google protects you across all of Google’s many services, as well as across third-party apps that use Google’s APIs to pull in your Google data.

While logged into your Google account, click your avatar in the top right corner of any Google page, and navigate to your Account. At the top of the following page click Security, and then click Enable next to 2-step verification.

Note that because you probably use your Google account with lots of apps such as Hangouts and third-party clients, you’ll need to create an app-specific password for each of them. So if you want to log in on a new phone, or enable a new calendar application, you’ll need to head back to the security page, click App passwords, and let the system generate a key for every app you’d like to link. You only get to see these passwords once, so if you need to enter one again for whatever reason you’ll have to generate a new one. This is also where you revoke the passwords of apps you no longer use or trust.

Also, make sure to set up some backup codes. Don’t get locked out of your email just because you left your phone at home.

Additionally, you can use the Google Authenticator app to generate codes for your account instead of receiving them by SMS. That setup is a little more involved, so follow Google’s detailed instructions. [Google]
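To make concrete why an authenticator app is a stronger second factor than a text message, here is an added example (not code from the original article, Google, or any other vendor) of how such apps derive their codes. The app and the service share a secret once, at enrollment; after that, each side computes the code locally with HMAC over a counter (HOTP, RFC 4226) or over the current 30-second time step (TOTP, RFC 6238), so no code ever crosses the network except the one you type in. The shared secret used below is the published RFC 6238 test key, not a real credential, and the server-side `verify_totp` helper, with its drift window and replay check, is this example's own design, not any particular service's implementation.

```python
"""Added example: HOTP (RFC 4226) and TOTP (RFC 6238) as used by authenticator
apps. Not code from the original article or from any vendor. The secret is the
RFC 6238 reference test key, embedded here as constructed sample input."""
import base64
import hashlib
import hmac
import struct
import time

# The secret as an authenticator app receives it in an otpauth:// URI:
# base32 of the ASCII bytes "12345678901234567890" (the RFC 6238 test key).
SECRET_B32 = base64.b32encode(b"12345678901234567890").decode("ascii")

TIME_STEP = 30   # seconds per code; the value every major service uses
DIGITS = 6       # code length shown to the user


def decode_secret(secret_b32: str) -> bytes:
    """Decode a base32 secret, tolerating lowercase, spaces and missing '=' padding
    (apps routinely display the secret in groups of four lowercase letters)."""
    s = secret_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' to a 31-bit integer, reduced to `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of last byte picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret: bytes, at: int, digits: int = DIGITS, step: int = TIME_STEP) -> str:
    """RFC 6238: HOTP with the counter replaced by floor(unix_time / step).
    This is what the phone computes; it needs only the secret and a clock."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, submitted: str, at: int, last_used_counter: int = -1,
                window: int = 1, digits: int = DIGITS, step: int = TIME_STEP):
    """Server-side check (this example's own design). Returns the matched time-step
    counter, or None. Accepts the current step and +/- `window` neighbours to
    absorb clock drift, compares in constant time, evaluates every candidate so
    timing does not reveal which one matched, and rejects any counter at or below
    the last one already accepted so a captured code cannot be replayed."""
    if len(submitted) != digits or not submitted.isdigit():
        return None
    now_counter = at // step
    matched = None
    for delta in range(-window, window + 1):
        candidate_counter = now_counter + delta
        if hmac.compare_digest(hotp(secret, candidate_counter, digits), submitted):
            matched = candidate_counter
    if matched is None or matched <= last_used_counter:
        return None
    return matched          # caller persists this as the new last_used_counter


if __name__ == "__main__":
    key = decode_secret(SECRET_B32)
    now = int(time.time())
    print("code for the current 30-second step:", totp(key, now))
```

The `verify_totp` return value matters: a service that forgets to persist the accepted counter will happily take the same six digits twice within the drift window, which is exactly the replay an attacker who shoulder-surfs or phishes a code is counting on.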

Other Sites/Apps

By now you’ve probably recognized that enabling 2FA is a very similar procedure on every service. There are plenty of other services you’ll want to set it up for. Two Factor Auth offers a comprehensive list of websites and whether or not they support two-factor authentication. Go ahead and get to it, before some opportunity-seeking hacker gets to your data.