Remember last year’s well-publicized leak, which exposed some celebrities’ nude photos? The story not only made some individuals’ day (and probably night), it turned to be a very educating precedent.
For instance, it made many people realize that their pet’s name is not the safest password, and two-factor authentication is not meant exclusively for IT geeks, but for any Swarovski-adorned iPhone owner as well.
The photos, which made quite a noise last year leaked from Apple’s iCloud service where the copies of images made with Apple devices, were stored. Hackers employed the simplest way of breaching the service, using a combination of phishing and brute force. To make up for the failure and protect its users, Apple enabled two-factor authentication (or 2FA) on iCloud and urged its customers to use it at all times.
— Kaspersky Lab ME (@KasperskyME) June 10, 2014
However, 2FA in iCloud, as well as in Gmail, Facebook and many other web services, is optional. The majority of people prefer to skip it, as it is inconvenient and the mentioned majority does not have time for this.
At the same time, it is very easy to lose control over your email or social media profile, even if you are not Kim Kardashian or Kate Upton. The consequences can be devastating, especially if your work at an Internet company.
Two lock are better
The majority of people think of two-factor authentication as of the system sending one-time passwords in text messages. Well, it’s the most prominent method of 2FA for web services, yet it’s by far not the only one.
In general, 2FA is like a door with two padlocks. One of them is the traditional login-password combination, and the second could be anything else. Moreover, if two padlocks are not enough, you might employ as many as you like, but it would make the process of opening the door much longer, so it’s good to start with at least two.
Passwords sent via SMS are a comprehensible and relatively reliable way of authenticating, which is not always handy. Every time you’d like to access a service, you’d need to first have the phone at hand, and then wait for the SMS to come through, and then enter the digits…
Should you make a mistake or enter the code too late, the procedure is repeated. If, for instance there is congestion on the carrier’s network, the SMS might be delivered late. As for me, it could be really annoying.
— Kaspersky Lab ME (@KasperskyME) November 18, 2014
If you don’t have coverage (which is frequently the case when you travel), that means no password for you. You might lose your phone, after all, and being unable to leverage other means of communication in a situation like that is even more frustrating.
To cover you in such cases, many web services like Facebook and Google, offer other options. For example, they offer a list of one-time keys which you can preemptively compile, print out and store somewhere safe.
Five ways to protect your private photos with two-factor authentication #privacy #security #2FATweet
Moreover, 2FA with one-time codes delivered via SMS might be enabled not at all times but only when someone logs in from an unknown device. It’s your call, so decide on your option, based on how paranoid you are. The method is the same for any apps tethered to your account, like email clients. Once you feed them a specially generated password, they will be satisfied with it for a long time.
So, unless you are logging in from a new device every day, SMS-enabled 2FA is not a big deal. Once setup, it works ok.
ID on a smartphone
If you are a frequent traveler, a smarter way to enable 2FA would be a special app. Unlike SMS, this method of authentication functions offline. A one-time password is generated not on a server but on the smartphone (however, initial setup will require Internet connection).
There are a number of authentication apps, but Google Authenticator can definitely serve an industry standard. Besides Gmail, this program supports other services like Facebook, Tumblr, Dropbox, vk.com, WordPress and more.
— Google (@google) October 3, 2013
Should you prefer a feature-pack app, try Twilio Authy. It’s similar to Google Authenticator but has a couple of useful options.
First, it allows you to store certificates in the cloud and copy them to other devices (smartphones, PCs, tablets and many other platforms, including Apple Watch). Even in case of your devices being stolen, you still have control over your account. The app requires a PIN every time it’s launched, and the key could be revoked if your device is compromised.
Second, Twilio Authy makes your life easier when you start using a new device, unlike Google Authenticator.
One key to rule them all
The aforementioned solutions have one big flaw. If you are using the same device to log in and receive SMS with one-time passwords or deploy an app generating 2FA keys, this protection seems to be not that reliable.
A higher level of protection is provided by hardware tokens. They vary in shapes and form factors and could be USB tokens, smart cards, offline tokens with a digital display, but the principle is essentially the same. In essence, they are mini computers, which generate one-time keys on demand. The keys are then entered manually or automatically — for instance, through a USB interface.
— Yubico (@Yubico) April 16, 2015
Such hardware keys do not depend of network coverage or a phone or anything else; they just do their job no matter what. But they are purchased separately and some people find it hard not to lose one of these tiny gadgets.
Usually such keys are used to protect web banking services, enterprise systems and other important things. At the same time, you might use an elegant USB stick to secure your Google or WordPress account, provided the thumb drive supports open FIDO U2F specification (like the popular YubiKey tokens).
Present your implants!
Traditional hardware keys provide a high level of security, but are not very convenient to use. You could be sick and tired of having to plug in a USB drive every time you need to access an online service, and it cannot be plugged into a smartphone.
It would be much easier to use a wireless key, which is delivered via Bluetooth or NFC. By the way, this is possible in the new FIDO U2F specifications presented this summer.
A tag, which would serve to identify the legitimate user, can be deployed anywhere: in a keychain, a bankcard, or even in an NFC chip implanted under the skin. Any smartphone would be able to read this key and authenticate the user.
— Kaspersky Lab (@kaspersky) February 26, 2015
One, two, many
However, the overall two-factor authentication concept is so yesterday. Major services like Google and Facebook (silently) use multi-factor analysis to ultimately secure access. They assess the device and the browser used for logging in, as well as the location or usage patterns. Banks use similar systems to spot fraudulent activities.
So, in the future we are likely to rely on the advanced multi-factor solutions, which provide right balance between convenience and security. One of great examples illustrating this approach is Project Abacus, which was presented at the recent Google I/O conference.
— Kaspersky Lab ME (@KasperskyME) June 24, 2015
In the new reality, your ID will be confirmed not only by a password rather than by a collection of other factors: your location, what you are currently doing, the manner of your speech, your breath, heartbeat, whether you use cyber-prosthetics and alike. The device to sense and identify these factors would be, predictably, your smartphone.
Here’s one example. Swiss researchers use surrounding noise as an authentication factor.
The idea behind this concept, which the researchers call Sound-Proof, is very simple. Once you try to access a certain service from your computer, the server sends a request to an app installed on your smartphone. Then both the computer and the smartphone record the surrounding sound, transform it into a digital signature, encrypt and send to the server for analyzing. If they match, it serves a proof that it’s a legitimate user trying to access the account.
— Popular Mechanics (@PopMech) August 18, 2015
Of course, this approach is not ideal. What if a culprit is sitting right next to the user in a restaurant? Then the surrounding noise might be practically the same. So, there should be other factors to prevent him from compromising your account.
All in all, both Sound-Proof and Abacus are meant for tomorrow’s security. When they are commercialized, the threats and challenges in information security are likely to have evolved as well.
As for today’s reality, just make sure to enable 2FA. You can find instructions on how to do it for the majority of popular services on web sites like Telesign Turn It On.