Click the comments link on any story to see comments or add your own.
Subscribe to this blog
26 Aug 2017
A recent article in the New York Times Dealbook column reported on phone number hijacking, in which a bad guy fraudulently takes over someone's mobile phone number and used it to reset credentials and drain the victim's account. It happens a lot, even to the chief technologist of the FTC. This reminds us that security is hard, and understanding two factor authentication is harder than it seems.
The usual definition of two-factor is to pick two different items from a list of security types:
A mobile phone is something you have, but the number assigned to that phone is not, more like something you rent. Just about every account that has two-factor authentication can use a phone as one of those factors, but there are a lot of different ways to use the phone that have very different security profiles, particularly when you consider the ways they can fail if your phone breaks or is lost or stolen.
One common way is to send a text message with a one-time code you enter when you log into the account, or occasionally a voice call that reads the number to you. That fails if someone hijacks your phone number but is fairly robust if your phone breaks or is stolen. Assuming you set a password or lock pattern on your phone, incoming texts usually show that there's a text waiting, but not the contents of the text. Recovering is straightforward, get a new phone and move the number to it. (If the phone broke, this can be as simple as moving the SIM card to a new phone.)
The other approach is to use the phone itself to generate one time codes, using what's known as as Time-based One-time Password Algorithms (TOTP.) Some businesses such as my bank provide their own apps to generate the codes, but most use a standard scheme defined in IETF RFC 6238. The best known standard TOTP programs is Google Authenticator and Microsoft Authenticator, but there are many others. If you lose the phone, again the phone password protects against other people getting your codes, but recovery is a pain since once you get a new phone, even with the same phone number, you have to install the TOTP program anew and reset all the accounts that used the old TOTP program.
Except actually you don't. The usual way to set up a TOTP is that the business shows you a QR code on your laptop or desktop screen which the TOTP program scans. A TOTP isn't so much something you have as something your phone app knows. For each account that uses a TOTP, the app uses a fixed key contained in the QR code, which you can generally also get as a string of letters if you don't have a camera to scan the QR code. Since the TOTP algorithm is standardized, you can put that fixed key in as many places as you want. When I set up a new TOTP code, I scan it on my phone, my tablet, and I put letter string in a file I keep offline. So if I lose my phone I can use the tablet to log in, and when I get a new phone I can enter the key strings into the TOTP app on the new phone and the accounts to which they're linked are none the wiser.
So this means that even though TOTP code generator seems like something you have, it's really something your app knows, or if you're good at memorizing random character strings, something you know, too.
The other common technique is to send e-mail, which you read on your phone, or anywhere else you read mail. Sometimes the e-mail has a one-time code, but more often it's for password resets. Mail accounts, particularly if they're at free providers, are if anything easier to hijack than phone numbers. Large providers have entire departments to deal with account recovery, and staff that spend much of their time trying to figure out which recovery requests are real and which are hijacks. If your account is at a paid provider, it's probably somewhat more secure (they have a pretty good idea who you are if you pay with a credit card) but even so, any support desk can be the target of a social engineering attack to steal your account.
None of this is to say that two-factor authentication is a bad idea, but it does say that you should think about how valuable your accounts are and protect them accordingly. If I had a really valuable account protected by TOTP, I'd consider using a device that only runs the TOTP application (an $20 used phone would do, preferably not activated) and put it in my safe deposit box, along with a printout of the TOTP key. For accounts that have those inane recovery questions, my high school mascot is uoxuxtxehwkhaaulyxthtwppx, my mother's maiden name is vbtupbslwoxkkbdkxasvezppq, and my favorite color is exbuqkgcihzgmemnyrghyctmx, also printed out and put in a safe place. You get the idea.
My other sites
© 2005-2020 John R. Levine.
CAN SPAM address harvesting notice: the operator of this website will not give, sell, or otherwise transfer addresses maintained by this website to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.