Authentification et al.

Posted on Jan 21, 2026

Every website/service in the world wants us to install their app or their 2FA application. Let’s talk about Authentification.

https://en.wiktionary.org/wiki/authentification

The process of making, or establishing as, authentic.

We are not going to discuss the fine details of identification versus authentication or the “Something You Know, Have, or Are”. You probably know this already, or simply go and read Wikipedia.

Instead I’ll try to refute some dogmas you’ve probably heard over the years. Here we go:

Biometric authentication should never be used

Consider what biometrics are, whether you use fingerprints, iris imaging or facial recognition.

In security terms, the data you collect from a scanner is “fixed data”: the pattern you get from a fingerprint is encoded, and if your fingerprint matches the stored pattern, you’re in. The same principle applies to the ratios between your eyes and nose (facial recognition) and to your iris.

That means a couple of things:

  • If you use this data as a password (identification), then you can never change your password. What are you going to do? Wipe your fingerprints with acid? (Something criminals actually do.)
  • If you get into an accident and lose your finger, you can’t log in anymore
  • If the hardware that is doing the scan is not under your control, then the security is worthless

I can’t emphasize this enough: using a fixed string that can’t be changed as both the username and the password is terrible security! (This is what biometric authentication does.) It is as if the system were saying: “Just give me your login name, no password needed”.

It is often trivial to bypass this security. Researchers have unlocked systems with silicone fingerprints, or simply by holding a facial image in front of the camera. And that is when the attacker cannot tamper with the hardware; when the hardware is under the attacker’s control, a simple replay attack is enough.

So is there something we can use biometric information for? Yes: it is a sane way of specifying the username, a user-friendly way of not having to remember one.

But don’t rely on it for security. The following xkcd says it all:

https://xkcd.com/538/

This is a clear example of attack trees: https://www.schneier.com/academic/archives/1999/12/attack_trees.html

Enumerate all the ways of reaching the target, and go for the one with the lowest cost.

This is why you should never want to use biometrics as a car key.

The cheapest way to access the asset, from the attacker’s perspective, is to simply cut off your finger. I don’t know about you, but I would rather hand over my car key than lose my finger.

Then there is the legal side: law enforcement in the US can force you to unlock your phone with your face, but they can’t force you to hand over your key.

But the fundamental flaw of biometrics is that a fixed string should never be used as username AND password.

Your fallback password recovery is as secure as your login and password

Remember all the ‘fallback questions’ for when you forgot your password? Say you have a service with a login and password, which also offers fallback questions if you forget them, or can send a link to an email address.

This means you don’t have one way of logging in plus a recovery mechanism; you have 3 ways of logging in:

  • login and password
  • login with security questions
  • login through email

From the attacker’s perspective all of them are equivalent, and the attacker will simply use whichever is most convenient.
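As an added example (not part of the original post), here is a small attack-tree evaluator in Python that makes the point of this section and of the attack-tree section above concrete: an OR node costs whatever its cheapest alternative costs, so an account with three equivalent login paths is exactly as strong as the cheapest of them, and dropping a weak fallback raises the attacker’s cost. The node names and the costs are constructed for illustration, not measurements.

```python
"""Attack-tree evaluator (added example, not from the original post).

OR node: any child achieves the goal, so the attacker takes the cheapest one.
AND node: every child is needed, so the costs add up.
All costs are constructed, arbitrary units, purely for illustration.
"""
from dataclasses import dataclass, field
from math import inf


@dataclass
class Node:
    name: str
    kind: str = "leaf"      # "leaf" (single attacker step), "or", or "and"
    cost: float = 0.0       # leaf cost only
    children: list = field(default_factory=list)


def cheapest(node):
    """Return (cost, steps) for the cheapest way to achieve `node`.

    An OR node with no alternatives left is unreachable (cost inf).
    """
    if node.kind == "leaf":
        return node.cost, [node.name]
    if node.kind == "or":
        options = [cheapest(c) for c in node.children]
        return min(options, key=lambda t: t[0]) if options else (inf, [])
    if node.kind == "and":
        total, steps = 0.0, []
        for c in node.children:
            cost, sub = cheapest(c)
            total += cost
            steps += sub
        return total, steps
    raise ValueError(f"unknown node kind {node.kind!r}")


def prune(node, removed):
    """Copy of the tree without any branch named in `removed`: a fallback the
    service no longer offers is a path the attacker no longer has."""
    if node.kind == "leaf":
        return node
    kids = [prune(c, removed) for c in node.children if c.name not in removed]
    return Node(node.name, node.kind, node.cost, kids)


def account_tree():
    """The three equivalent ways into the account described in the post,
    with constructed costs: the security questions are the weakest link."""
    return Node("access the account", "or", children=[
        Node("guess a weak or reused password", cost=20),
        Node("answer the low-entropy security questions", cost=10),
        Node("abuse the email reset", "and", children=[
            Node("take over the recovery mailbox", cost=60),
            Node("request a reset and read the link", cost=5),
        ]),
    ])


if __name__ == "__main__":
    tree = account_tree()
    print("all three paths offered:", cheapest(tree))
    hardened = prune(tree, {"guess a weak or reused password",
                            "answer the low-entropy security questions"})
    print("email-only login:", cheapest(hardened))
```

With all three paths offered the account costs the attacker 10 units (the security questions); once the password and the questions are dropped, the only path left is the email reset, and the cost rises to 65. Whatever the real numbers are, the structure is the same: the cheapest branch of the OR node is the account’s actual security.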

If the fallback is more secure than the default (login and password), then why bother with a login and password at all?

In fact, most sane services are starting to acknowledge this and have decided to drop the login and password altogether: you log in with either your email address and a code they send you by mail, or a phone number and a code they send you by SMS.

This should be applauded, since it completely cuts off the 2 most insecure options, namely the (weak, often reused) password and the security questions, which have very low entropy (they can often be deduced and are also easily forgotten).

If your fallback is secure enough and can’t be forgotten, why not make it the default? Combined with long-lived cookies, this is workable for everybody.
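One way to implement the email-code login the post advocates, as an added example that is not the post’s own code: a one-time code drawn from a CSPRNG, stored only as a keyed hash, single-use, time-limited and limited in guesses, with an opaque session token returned on success to go into the long-lived cookie. `SERVER_KEY`, the 8-digit code length, the 10-minute lifetime and the 5-attempt limit are assumptions chosen for the example, as are the addresses used in the demo.

```python
"""Email one-time-code login (added example, not from the original post)."""
import hashlib
import hmac
import secrets
import time

# Assumptions for this example: a server-side secret that never leaves the
# server, an 8-digit code, a 10-minute lifetime and at most 5 guesses per code.
SERVER_KEY = b"replace-with-a-random-32-byte-key-from-your-secret-store"
CODE_DIGITS = 8
CODE_TTL = 600
MAX_ATTEMPTS = 5


def _code_hash(email: str, code: str) -> str:
    # Keyed hash: a dump of the pending table alone does not let anyone
    # enumerate the 10^8 possible codes offline without SERVER_KEY.
    msg = f"{email.lower()}:{code}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


class EmailCodeLogin:
    """Issue a code to an address, then exchange the code for a session."""

    def __init__(self, now=time.time):
        self._now = now        # injectable clock, so expiry can be tested
        self._pending = {}     # email -> {"hash", "expires", "attempts"}

    def issue(self, email: str) -> str:
        """Create a fresh code for `email`. The caller mails it to the user;
        only its keyed hash is kept server-side. Re-issuing replaces any
        earlier code, so an older mail stops working once a new one is sent."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[email.lower()] = {
            "hash": _code_hash(email, code),
            "expires": self._now() + CODE_TTL,
            "attempts": 0,
        }
        return code

    def verify(self, email: str, code: str):
        """Return an opaque session token if `code` is the live code for
        `email`, else None. A code is single-use, expires after CODE_TTL
        seconds and is invalidated after MAX_ATTEMPTS wrong guesses."""
        key = email.lower()
        rec = self._pending.get(key)
        if rec is None:
            return None
        if self._now() > rec["expires"]:
            del self._pending[key]     # expired: the user must request a new code
            return None
        rec["attempts"] += 1
        ok = hmac.compare_digest(rec["hash"], _code_hash(email, code))
        if ok or rec["attempts"] >= MAX_ATTEMPTS:
            del self._pending[key]     # used up: by success or by too many guesses
        if not ok:
            return None
        # Random, unguessable token for the long-lived cookie; the service
        # maps it to the account server-side.
        return secrets.token_urlsafe(32)


if __name__ == "__main__":
    svc = EmailCodeLogin()
    code = svc.issue("alice@example.com")     # constructed address
    print("mail this code to the user:", code)
    print("session token:", svc.verify("alice@example.com", code))
```

The guess limit is what makes an 8-digit code workable: with at most 5 tries per code, an attacker who can only submit guesses has a 5 in 10^8 chance per issued code. The hash is keyed rather than plain because the code space is small enough to enumerate; the constant-time comparison avoids leaking how many leading digits matched.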

2FA is mostly security theater

As stated above: if you have a good way of identifying accounts, why bother with other options?

No, SS7 attacks are only possible if your telco is not doing its job (they are impossible in most civilized countries). And yes, email is for all intents and purposes secure. If somebody lets their email account get hacked, they can also be hacked through the password fallback.

So if you claim that email or SMS can be intercepted, then you should not be using them as a fallback either, yet almost all 2FA systems allow exactly that.

Microsoft claims that accounts with 2FA are far less likely to be hacked, which is true, but the study they point to has one big flaw:

  • The study was done when only “sophisticated users” (IT people, highly security-conscious people) were using them. These same people were already using randomly generated passwords and were less prone to fall for phishing attacks. Often they already had a need for the highest level of security. Comparing human rights activists operating in China with your grandmother, and concluding that your grandmother is more likely to be hacked, is a clear example of “selection bias”.
  • Also: they don’t compare the different ways of doing 2FA. There is no real reason to assume that using MS Authenticator is more secure in practice than using email or SMS for 2FA

There are other problems with the current hype of 2FA authenticators. In no particular order:

  • Big auth providers (Microsoft, Google, Facebook) are trying to use them to lock people into their ecosystem for market-share reasons, not security reasons
  • It is not reasonable to demand that people use an Android or Apple phone to access crucial services. Any 2FA system should at least only use open standards, such as email and SMS. The demand that people use one of the 2 big mobile OSes and one of the big 3 auth providers (or their apps) is unreasonable and bad for national security.
  • 2FA only makes sense when the controlling device is not the same as the accessing device

The last point deserves its own paragraph.

2FA only makes sense when the controlling device is not the same as the accessing device

Remember when we were all browsing the internet on either a desktop or a notebook computer?

If your Windows notebook has a trojan, then receiving a security code on your extremely limited Nokia makes sense.

Your dumb phone was almost unhackable because of its limited functionality. The smaller the code base, the less likely there is a bug in the code. The more limited the features, the smaller the attack surface. And if you only use it to send SMSes and make calls, then you can’t be exploited by malicious code on the internet (most phones didn’t even have internet connectivity).

The unspoken premise of 2FA was: “You have 2 devices: one on which you work, which can be hacked, and a completely unrelated dumb device which is unlikely to be hacked”

Today this is no longer the case. Our phones can be hacked. They are also linked to accounts that are the same on the notebook and the phone.

But the most obvious thing to point out is: WE ARE USING THE SAME DEVICE FOR ACCESSING THE SERVICE AS FOR RECEIVING THE 2FA CODE.

This means that if the phone is hacked, then for 95% of the world’s population that is it, because they do most of their browsing and use of services on their phone.

Turtles all the way down

Most services nowadays already use email as the fallback that grounds the account.

But if one uses email-based identification, then how do you secure this email account? The good news is that it is much easier to manage a strong passphrase for a single account than having to manage/remember them for all those services out there.

But you can’t keep providing a password recovery fallback through yet another messaging service. The buck has to stop somewhere.

One way is to ground the account in banking services.

  • European banks support iDIN. This is part of an effort by the EU to set up banks to act as identity providers.
  • Banks themselves require account holders to visit a physical office and present strong identification (a European ID or a passport)
  • For credit card users, a 0,0001 cent withdrawal can be made, with the statement line carrying a code for password recovery

Another way is a notary system, in which the account holder must use a notary who checks their identity and vouches for them. This way identification is again grounded in state-issued identification.

Alternatively, the email provider can use the information provided by the account holder to contact them through several different channels, to verify that the person requesting the reset is actually the real user. An email provider I worked for actually did this. They called the person on previously provided phone numbers, checked information on bank statements, and would if necessary even send somebody to their door to verify that the password reset was legitimate.

Or be lazy and simply use SMS as the fallback.

Security dongles

Security dongles might be more secure, but if the main OS is compromised, they do not help you.

They also have the big problem that they need a fallback in case of lost or destroyed dongles. So what is the fallback? Email? SMS?

The offline authenticators used by banks are actually really secure, so I would recommend using those if high security is required.

Final thoughts

xkcd.com/538 points to the inescapable next chapter: if one option becomes harder, the next weakest link will be used.

The last phishing attacks I’ve seen don’t try to get a login or password, but simply try to get you to grant permission for a malicious application to act on your behalf. This is because attackers don’t care whether they get your credentials, as long as they get access. Passwords were simply the lowest-hanging fruit.

Soon we will enter an age in which your grandma has no idea of how to access her account, but hackers will have no trouble doing so ;-) .

Conclusion

I’m critical of the current wave of 2FA applications. They keep passwords in the loop, use proprietary protocols and applications to force people into surrendering their access to these applications, and don’t provide security against the most obvious attacks, while creating friction and taking away choice.

I’m in favor of logins based only on email, with security codes sent to that mailbox. This way you can even decide on which device you receive those codes, in a way you can’t with SMS-based codes. It’s cost-free, without lock-in, respects the user and is based on open protocols.