Close
  • Latest News
  • Artificial Intelligence
  • Video
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Video
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Wrong Ways and Right Ways to Implement Two-Factor Authentication

    Written by

    Wayne Rash
    Published August 4, 2018
    Share
    Facebook
    Twitter
    Linkedin

      eWEEK content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

      I was on the phone with the credit card company, trying to determine whether the Visa card I carried could be used during my upcoming trip to Cuba. But first, the agent at the card company said that they had to be sure that I was really who they said I was. I’d already signed in on the phone, but they wanted a second factor. 

      At first I was comforted to know that the bank was employing two-factor authentication (2FA). But then came the question that changed everything. “Can you please tell me your cell phone number so I can send you the secret code?” 

      I told her, knowing that the question demonstrated that the bank was only interested in the appearance of security, not actual security. After all, I could have given the agent any number, including the number of a burner phone in the hands of a criminal intent on misusing my credit card. In reality, this was not two-factor authentication at all. 

      It seems that a number of companies are now moving to two-factor authentication with varying degrees of success. They know that they have to implement something beyond passwords to really authenticate people, but in many cases they’re unclear on how to make it work. Right now, a favorite way is to send an authentication code to a mobile phone via text messaging and either ask the user to type in the code or to say it to someone over the phone. 

      For this to be secure, the company trying to do the authentication has to already know the user’s mobile number. Having the user tell which number to use adds nothing but a feeling of security, rather than actual security. 

      But even when done properly, using SMS messaging for two-factor authentication isn’t necessarily as secure as it appears to be, as the social networking site Reddit discovered this week. Apparently, the bad guys were able to intercept the authentication codes from one or more Reddit employees and then used their credentials to break into the system, and collect some user credentials from long ago. 

      As breaches go, this wasn’t major. But as security researcher Brian Krebs points out in his security blog, Krebs on Security, it demonstrated the limits of SMS based authentication. It also demonstrated the limits of one-time passwords, which is essentially what some forms of 2FA actually are. Krebs says that many companies simply don’t bother. 

      “When you start talking about one-time passwords or time-based one-time passwords, it becomes sort of an alphabet soup,” Krebs explained in an interview. “So they don’t do it even though they know they should.” 

      Krebs explained that using SMS messages to provide authentication for companies that are trying to use 2FA has its own set of challenges. Those messages can be intercepted, which is what may have happened with Reddit. 

      But he said that cyber-criminals will also do SIM (subscriber identity module) swapping, in which a bad guy will create a phony SIM card with the victim’s mobile number and use that to receive text messages with authentication codes. 

      He said they can also call the victim’s carrier and simply port the number to another phone that’s in their control. This may require some social engineering to convince the Wireless customer service person on the phone to go along with it, but he said it happens frequently. 

      Fortunately, there are ways to make phone based authentication reasonably secure. One way that Krebs suggests is to use app-based authentication. These authentication apps run on a smartphones and in some cases also on desktops or laptop computers. They include GoogleAuthenticator, LastPass Authenticator, Microsoft Authenticator and Authy. 

      A better solution for 2FA is a security key, such as the YubiKey from Yubico, which is widely supported by companies ranging from Facebook to the U.S. Government. There’s a YubiKey available that meets FIPS 140-2 security standards. This is real 2-factor authentication. 

      There are other types of 2FA that don’t use your phone at all. Examples include passwords plus biometrics or biometrics plus a token such as a smartcard. The rule for 2FA is that real authentication requires something you have and something you know, or in some cases something you have and something you are. 

      So when you place your employee ID badge in a slot at the entrance to the machine room in the data center and then place your hand on a palm print reader, that’s good two-factor authentication. 

      This does not mean that you shouldn’t use SMS messages for authentication, but you do have to know their limitations and you have to make sure that you’re not being stupid. 

      This means that if you’re going to send the second factor, it needs to be to a number that you already have, not one that you’re asking for at the time. There also needs to be a time limit before the number expires. But for this to work, you need to find a way to get the mobile number used for authentication directly from the person you’ll need to authenticate, such a by having them show you their phone in person. 

      It’s especially important that you know that some forms of authentication probably aren’t secure enough for really important information, as Reddit found out. It’s better to find another way, even if it’s not as convenient.

      Wayne Rash
      Wayne Rash
      https://www.eweek.com/author/wayne-rash/
      Wayne Rash is a content writer and editor with a 35-year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He is the author of five books, including his most recent, "Politics on the Nets." Rash is a former Executive Editor of eWEEK and a former analyst in the eWEEK Test Center. He was also an analyst in the InfoWorld Test Center and editor of InternetWeek. He's a retired naval officer, a former principal at American Management Systems and a long-time columnist for Byte Magazine.

      Get the Free Newsletter!

      Subscribe to Daily Tech Insider for top news, trends & analysis

      Get the Free Newsletter!

      Subscribe to Daily Tech Insider for top news, trends & analysis

      MOST POPULAR ARTICLES

      Artificial Intelligence

      9 Best AI 3D Generators You Need...

      Sam Rinko - June 25, 2024 0
      AI 3D Generators are powerful tools for many different industries. Discover the best AI 3D Generators, and learn which is best for your specific use case.
      Read more
      Cloud

      RingCentral Expands Its Collaboration Platform

      Zeus Kerravala - November 22, 2023 0
      RingCentral adds AI-enabled contact center and hybrid event products to its suite of collaboration services.
      Read more
      Artificial Intelligence

      8 Best AI Data Analytics Software &...

      Aminu Abdullahi - January 18, 2024 0
      Learn the top AI data analytics software to use. Compare AI data analytics solutions & features to make the best choice for your business.
      Read more
      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Video

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2024 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×