This article is more than 1 year old
Got your NUDE SELFIES in the cloud? Two-factor auth's your best bet for securing them
Infosec made simple: 2FA, its good points and bad points
So which firms use this neat security tech, then?
So, which web-based services support TFA? Sadly, the answer is not many. Usage tends to be grouped into a few enterprises based around high risk or high cost, or both. Providers include many familiar companies including PayPal, banking sites, stock trading houses and, oddly enough, DHL. Even Dropbox are getting in on the act. The cost of such keys range from £25 to £60 depending on the provider.
Selfies: all good until someone unauthorised gets their hands on them
For the provider there’s the cost of purchasing and licensing tokens, distributing tokens and – in the case of some banks – readers for smart card, pin-pad and biometric entry, and support costs of enrolling customers into schemes and then providing support to those signed up.
The cost factor is being tackled and a lot of cloud and infrastructure providers are starting to furnish users with hardware or downloadable soft tokens. Yubikey, for example, is offering inexpensive keys that can be reprogrammed to support any TFA scheme. ByteMark now offers TFA to their customers as the cost is now small enough to secure an account against compromise when compared to the potential cost of cleaning up after a compromise, as well as any associated chargeback.
The use of smart phones as TFA devices as an alternative to dedicated readers reduces the cost to the service provider compared to proving users with hardware tokens that cost a fortune - especially if you're talking about hundreds of them. Hardware tokens are proving so expensive that even huge Fortune 500s are migrating across to soft tokens, especially after the RSA compromise of 2011. Software tokens are easy to update compared to the hardware based alternatives.
Don't confuse TFA with an infosec magic bullet
But hold on. TFA may make you more secure but it doesn’t mitigate all the risk. Hackers have breached several banks TFA schemes. Admittedly this is done by means other than direct manipulation of the token as well as compromising of smart phones used as soft token
There are other issues, too.
TFA is not a guarantee against having your data slurped. Hackers have at least three techniques that can sidestep TFA.
There’s “man in the middle” - with hackers putting up fake sites that raid the real site once the user has signed in – “man in the browser”, infecting the client’s browser with malware and then injecting HTML into a web page that captures information from the browser’s memory – and there are Trojans, where the hacker piggybacks into a user’s account from an authenticated session.
There are other options available and hard and soft tokens are not the only authentication option.
Other alternatives to the basic passwords include the use of biometric data as a form of token, such as fingerprints, that are becoming increasingly common in mobile devices and phones. These can be paired with a TPM module to enable you to login to your laptop for example.
To my mind there are two issues with the digit. First, it has been proved this security method can be easily fooled with a lifted fingerprint or even what one could term a replay attack, the gummi bear attack. When I played with biometrics for my laptop, it would only work perhaps one in three times.
A lot of the larger data centres now use a combination of biometric data – usually a finger pint - and access card for access. Doing this means that should you lose your access card on a boozy Friday night, no one can just swipe in and make off with some physical bits of your cloud! The something you have aspect of TFA reduces the risk for everyone. We haven’t seen the combination of biometric data and access card used anywhere yet on a PC or to get into a web site.
Neither is biometric widely used: only a handful of laptops use finger prints to get the user in. Less, so web sites.
Another option starting to emerge is authentication-as-a-service. Software-based authentication can be useful. Several sites claim to provide strong security using encryption keys. Many people use them every day without issue, most of the time. A lot of people give software-based-authentication stores a bad reputation. Should the login key be compromised, all your stuff is laid bare and your passwords are “out there”. I use Passeto, a system that lets you generate a secure password for every site and it records nothing. But it’s early days for online services.
At the end of the day, the best security is a balancing act between securing the information and ease of use. It is a difficult balance, but one thing is for sure, passwords as we know them are most certainly on borrowed time. TFA is a solution to a narrowly defined problem at present and subject to what is essentially a catch-22 situation with regards to the wider web.
People will not use the system until it is easy to use (think granny level of ease) and works across a big slice of the internet. Site owners won’t invest in technology until people use it extensively. This is unfortunate because in one step the whole web would become just that bit safer. It’s the chicken and egg scenario.
The password isn’t going away and neither are the humans who use them. Given those facts, the best approach is to log on but verify – use passwords with authentication, courtesy of TFA. ®