Showing posts from March, 2020

MFA Post 7: Other Contact Mechanisms (Email, Phone,...)

  In addition to sending codes via SMS some service providers may send codes via other contact mechanisms, such as email, phone, or various chat applications. These mechanisms are very similar to SMS: they are mechanisms to deliver a code to a user. Usually the code is 6 digits.  The security of these mechanisms varies and depends on a large variety of factors that are largely outside the scope of the mechanism itself. Email, and some of these other ones, are very often used as a possession proof for password reset as well. The assumption is that if you have access to the email account you must be the customer who registered an account with that email address. However, this creates a security dependency. The security of the account you are resetting the password for depends completely on the security of the email account. Sadly, most people do not protect their email account to the extent that would be prudent if you are going to make the security of your retirement account dependent o

MFA Post 6: Push Notifications or Approval Mode

  The factors we have discussed so far, SMS and OTP have some interesting disadvantages. SMS is not delivered securely and can be intercepted. OTP requires a certain amount of cognitive load that could hamper adoption. Study after study has shown that ease of use is a crucial factor in adoption. A study by Weir et al in 2009 showed that users deliberately chose a less secure solution that was considered more usable). (“User Perceptions of Security, Convenience and Usability for Ebanking Authentication Tokens”,   Computers & Security , February 2009, ) In a push (pun intended) to make MFA consumable and easier to use, a relatively novel concept was invented: push notifications or approval mode. In this system, after the user enters a username and password, or in some implementations, just a username, they receive a prompt to approve the authe

Coronavirus and Information Security

  Like a whole lot of other people, to help prevent the spread of COVID-19, you may be either working from home or helping ensure others can, or both. Like a lot of people you may also be searching for information and resources to help cope.  Unfortunately criminals realize that we are doing this. Whether they are doing it to advance the interests of a nation state or to make money, they are taking advantage of the situation, the fear, and confusion caused by the pandemic. I thought it might make sense to put together some pointers for how to protect the digital lives of you, your loved ones, and those whom you are protecting. Phishing As with every other crisis, criminals are using the pandemic to try to entice people into clicking on phishing emails. They use all the same tricks they always use. They try sending email from anyone who may be trusted, like the Department of Health and Human Services, or Johns Hopkins University, which is tracking the outbreak.  Legitimate organizations

MFA Post 5: Time-based One-Time Passwords (TOTP)

  TOTP was designed to address some of the disadvantages of HOTP. Like HOTP it was standardized using an RFC (6238) and was adopted as an open standard by the Initiative for Open Authentication (OATH). You will sometimes hear TOTP referred to as OATH-TOTP, meaning it is using the standard OATH implementation (not to be confused with OAuth, which is not the same thing).  Where HOTP derives the uniqueness of the code from the seed and the counter, TOTP derives uniqueness from the seed and the current time. This means TOTP relies on time synchronization and clocks. In a stand-alone hardware token without a network connection to receive time the clock sync is provided when the token is initialized. Hardware tokens have their own internal clocks, powered by a battery. Some hardware tokens, like those using a USB, Bluetooth or NFC form factor can receive clock sync from a computer when they need it, meaning they do not need batteries and internal clocks. NFC clock sync only works when the NF

MFA Post 4: One-Time Passwords

  One-time passwords are very similar to SMS codes, with one major exception: they are generated by or with the user and verified by the server, not sent to you in an SMS message. Most people think of these as generated by an application, and speak of them colloquially as “Google Authenticator Codes” because that’s one of the primary apps that generate them. However, there are many many more implementations and there are two primary algorithms. In this post I will describe HMAC-Based One-Time Passwords (HOTP). Next time I will describe Time-based One-Time Passwords (TOTP).  HOTP Hashed Message Authentication Code (HMAC) Based One-Time Passwords, or HOTP, is an open IETF standard (RFC 4226) for generating one-time passwords based on a cryptographically computed hash. Hashes are extraordinarily useful, and this standard simply uses them for generating the same value in two places. HOTP generation is based on several parameters: A hashing algorithm - often SHA-1 but it could be anything A

MFA Post 3: SMS Codes

  When most people encounter multi-factor authentication it is through SMS codes, a type of possession proof that relies on possession of a phone tied to a known phone number. These are short text messages sent to your phone with a numeric code that you are supposed to type in addition to your password to log in. The codes are (hopefully) random, and (hopefully) only valid for a short period of time. Typically, they are six digits, but some implementations use words or codes of different lengths.  SMS Codes are by far the most common implementation of MFA, likely because it is easy to implement and works with something most people have already: a mobile phone. When these first started becoming wide-spread one of the advantages was claimed to be that they worked without a smartphone, but at this point very few people have a phone that can receive SMS codes but that cannot run an app, so that advantage has disappeared. Nevertheless, SMS codes remain widespread.  Advantages SMS codes are