The Flaw in Secure Logins
You've probably experienced two-factor authentication (also known as "two-step verification") when logging into certain websites. In addition to your username and password, many banks and other online services now send you a text message with a code that you must enter to verify your identity. But there's a gaping hole in that extra layer of security. Here's what you need to know...
The Secure Way to do Two-Factor Authentication
I've discussed two-factor authentication previously in my article IMPORTANT: An Extra Layer of Security. If the topic is new to you, I suggest you read that article first.
Sending a second authentication code via text message (SMS) is frowned upon in the latest edition of the Digital Authentication Guideline published annually by the National Institute of Standards and Technology (NIST). While the guideline is not legally binding, all U.S. government agencies follow it, and eventually most private developers and users of authentication technology fall in line. NIST warns agencies that SMS will be banned outright in the near future, so the days of SMS being used for login verification are numbered.
The problem is that the SMS protocol utterly lacks security. Most phones display text messages even when the phone is locked. So if a hacker has your phone, he doesn’t even need to unlock it to get that second key to your bank account. (Presumably, the hacker already has your password and username; hundreds of millions of such credentials are on sale all over the Web.)
To make matters worse, the SS7 protocol that enables phone traffic to pass between carriers is fatally flawed. See my article, Is Someone Listening To Your Calls? for details on that. The holes in SS7 enable hackers to implement “man in the middle” traps. Text messages are not encrypted during transit. So it's possible to intercept an SMS code sent by your bank, use it to hack your account, and pass the code on to you so that you never suspect anything is wrong… until you try to get into your supposedly double-locked account, where the hacker has already changed the password.
Two-factor authentication (2FA) via SMS is pretty common because it is so easily implemented, and because most people carry a phone that can receive text messages. But its security flaws have been known for years, and some online services are already moving to more secure 2FA methods.
A Better Way to Implement 2FA
I also strongly recommend that you see my articles on How To Get Your Free Credit Report and 10 Tips for Identity Theft Protection.
Facebook’s mobile app uses something called Code Generator when its members turn on “login approval,” the social network’s term for 2FA. Code Generator creates 6-8 digit codes that can be used as second authentication factors to log into the Facebook app, even when cellular or Internet connectivity is unavailable.
Google Authenticator is an app for Android, iPhone, and Blackberry devices that does much the same thing as Code Generator; its code changes every 30 seconds, making last minute’s code useless to hackers. And it's not just for Google services. Authenticator can provide verification codes for Wordpress, Dropbox, and many other logins. It should go without saying that if you're going to use an app like this on your phone, a lock screen password is a must.
Other 2FA methods, such as biometrics (thumbprint and other physical characteristics), are not as easily implemented as SMS. They also have their own flaws; one team of security researchers successfully replicated a politician’s thumbprint from an enhanced video of his appearance on a news program, and used it to hack his phone. Two-factor authentication schemes, using SMS and other methods, have been hacked at Paypal, Wordpress, Google, and Instagram.
For now, at least, specialized 2FA apps like Authenticator and Code Generator are on the rise. If you have a smartphone, you can download an app that is much more secure than an SMS-based scheme. Apps are more convenient and cheaper (usually free) than separate dongles or eyeball scanners.
If your banking, medical records, or other sensitive online service offers only SMS-based 2FA, it's still better than nothing. But definitely add a lock screen password, and change your settings so text messages are not displayed when your phone is locked. And ask when a more secure method of login verification will become available.
Do you use two-factor authentication? Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 13 Sep 2016
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- The Flaw in Secure Logins (Posted: 13 Sep 2016)