Two-factor authentication: A Rick the Toolman episode.
By Rick Howard
May 16, 2022

CSO Perspectives is a weekly column and podcast where Rick Howard discusses the ideas, strategies and technologies that senior cybersecurity executives wrestle with on a daily basis.

Two-factor authentication: A Rick the Toolman episode.

Listen to the audio version of this story.

What a mess. I opened up my trusty password manager app this morning to fiddle with the settings on one of my accounts. I’ve been using LastPass for about five years now to manage all of my personal, family, and professional online account relationships. My experience is probably similar to yours. During that five year stretch, LastPass has accumulated over 500 passwords of mine. Admittedly, some of those accounts were one-and-done relationships, meaning I used the account once and never touched it again. But still, that’s a lot of passwords to remember. And since we’re sharing, some of those passwords aren’t that good. I'm not admitting to having any “12345s” or “iloveyous” in there, but some of them, let’s just say, don’t meet the requirements of the NIST (U.S. National Institute for Standards and Technology) “Digital Identity Guidelines” special publication.

And it isn’t like I don’t know that some of those passwords are bad. I mean, LastPass flags them with helpful warnings like, “You know, that password is really dumb” or “You haven’t changed this one in like 15 years, you might consider upgrading, you incompentant poseur. Oh, and by the way, it’s really dumb too.” Ok - Those aren’t actual LastPass error messages, but when I read them, that’s the guilt I'm hearing in my head. And yes, I get imposter syndrome just like everyone else.

I'm just saying that if a 30-year-security veteran, like me, can’t come up with NIST-certified passwords for all the accounts I need to do business with on the internet, when I know better, then what hope does my 80-year-old mother-in-law, hanging ten on her iPad as she surfs the web, have with hers? There’s got to be a better way.

It turns out that there is. It’s called two-factor authentication or multi-factor authentication and the concept has come a long way since it was invented back in the mid-1980s. That means that it’s time to break out the Rick-the-Toolman toolbox, and figure out how it works today.

Two-factor authentication history.

As I mentioned in the Single Sign On (SSO) essay, we have Dr. Fernando Corbato to thank for the invention of the password when he was a student at MIT in the early 1960s. It was a stopgap measure to prevent users on a mainframe from poking around each other’s files and to limit mainframe computer time. Fun fact: Corbato stored the passwords in a text file which probably provoked one of the first computer hacks ever. Allan Scherr, working on his PHD at the time, found the unprotected text file, stole passwords from the other students, and was able to grant himself more computer time. You have to love those MIT nerds.

In those early days, password authentication was weak but it wasn’t a major problem. Computer use was limited to government projects and academic R&D. There weren't a lot of people using networked computers back then. But by the 1980s, with the ARPANet slowly morphing into the internet, the computer user population started to grow and the community needed more robust authentication methods for important systems. 

In the mid-1980s, Security Dynamics Technologies was the first company to create a hardware token device that created one-time passwords (OTPs) for authentication . And in 1995, AT&T patented the idea of two-factor authentication. They said that to identify an authorized user, a system needed to check at least two of three factors: something they have, like a smartphone, something they are, like a fingerprint, or something they know, like a password. But the early systems were clunky, hard to manage, and only used in environments that needed the most security.

But, when the smartphone started to emerge in the mid-2000s, that started to change. All of a sudden everybody had a second factor in their pocket. That led to all kinds of innovation.

Types of two-factor authentication (2FA).

Back in 2017, Chris Hoffman wrote an excellent piece at the How-To Geek website regarding the various forms of two-factor authentication. Let me just summarize how they work here and then we can talk about how secure they are after.

SMS Verification: Internet troll, raceBannon99, wants to log in to audible.com. The website sends a text message with a one-time code for raceBanon99 to use. raceBannon99 then enters the code into the audible.com website to gain access to his account.

Email Verification: This is similar to the SMS Verification method except that the second factor is email and not the text messaging system.

Authenticator Soft Tokens (Like Google Authenticator, ID.me, Blizzard’s Battlenet, and LastPass): Authenticators use an Internet Engineering Task Force (IETF) algorithm to generate one-time codes called Time-based One-Time Passwords (TOTPs) . Rick Howard, cybersecurity executive, wants to log into his G-Suite account. G-Suite asks for a one-time code. Howard opens his Google Authenticator application on his smartphone and looks up the listing for Google. He has several listings to choose from like LastPass and The Cyberwire's HR application. The algorithm is standard so Google’s authenticator application can be used to log into other company’s apps like Microsoft or Amazon. He notices that for each listing there is a countdown. About every minute, the Google Authenticator app generates a different code to use. Howard tries to remember the six-digit code and enters it into the Google login screen before the timer winds down.

Push Authentication (from Google, Apple, Microsoft, and Twitter): Unlike SMS Verification, Google’s Push Authentication system uses no codes. raceBannon99 is summoned to his mother-in-law’s house to fix some tech issue with the iPad. While there, he needs to log into his Gmail account to retrieve some information. Google doesn’t recognize the mother-in-law’s iPad as a registered device to raceBannon99 and pushes a notification to him via the Google Application. raceBannon99 opens the Google Application on his smartphone and pushes a button that says, “Yes, I am indeed raceBannon99.” That all takes way more time to explain than it does to do, but in the end, raceBannon gets access to his Gmail account on his mother-in-law's iPad. Apple’s version is similar but it’s not tied to an application. It uses the operating system and it does send a code.

Universal 2nd Factor (U2F) Authentication: U2F is an open standard that improves and simplifies 2FA by using Universal Serial Bus (USB) or NFC (near-field communication) devices. Howard, security executive, wants to login to LastPass to access the corporate passwords. He enters his userid and password, and then LastPass asks Howard to insert his physical authentication USB key into the laptop (in this case, Yubico’s Yubikey). He touches the button on the outside of the physical key and LastPass grants access. 

The way this works is that the USB key creates a public/private key pair for each website like LastPass. The user’s browser verifies those keys to allow the user to gain access. This eliminates the possibility of bad guys using spoofed websites to steal credentials. 

There are versions of this that can work wirelessly either over Bluetooth or NFC. NFC is a protocol that helps two devices communicate wirelessly when they are placed right next to each other (the range is about 4 inches) like using your mobile device to validate your boarding pass in airports. Devices with NFC hardware can establish communications with other NFC-equipped devices as well as NFC “tags.” NFC tags are unpowered NFC chips that draw power from nearby NFC devices. 

How secure is two-factor authentication (2FA)?

Right off the bat, on a simple linear scale, using 2FA is way better than simply using USERID/Password pairs. If I were to put all the authentication methods in this essay as rest stops on a hundred mile road between the two great cities of “OMG, this is not secure at all” to “Nirvana - We’ve solved security,” the USERID/Password pair rest stop would be just a mile out of OMG, just slightly better then having no credentials at all. All the rest of the methods would be rest stops down the road towards, but never quite reaching, Nirvana. 

The Email verification rest stop would be about 25 miles out on this journey. It’s 75 miles away from Nirvana because it doesn’t exactly qualify as a second factor. An email account is unique to a user (like a password) but you can access it from anywhere. It’s not something you have on your person or some kind of biometric. So, having two password-like factors is better than one, but not by much.

The SMS verification rest stop would be about 30 miles down the road toward Nirvana. It’s slightly better than email verification because it's tied to a second factor, but bad guys have demonstrated in the real world three different ways to intercept these codes. The first is called SIM swapping. They socially engineer your phone company into moving your phone number to their bad-guy phone; the same swapping process you're going to use next year when you buy that new iPhone 14 model. Every time you try to login, the SMS code would be sent to the bad guy’s phone instead of yours and they could then use it to log in to your account. The second demonstrated-in-the-wild way is when certain nefarious governments intercept SMS codes through their normal signals intelligence collection process, in other words, spying. And the third way is when the bad guys compromise the victim’s SS7 telephone network and reroutes the code to their bad guy phone. SS7 is the Signaling System 7 standard that defines how public switched telephone networks (PSTN) exchange control signals. Having said all of that, SMS verification is way better than parking at the rest stop of USERID/Password pairs but still many miles from Nirvana. It’s probably fine for run-of-the-mill internet use, like logging into the library. But if you have material information to protect, or if you’re a spy, steer clear of SMS authentication.

The Authenticator Soft Token rest stop is located about 75 miles down the road. It’s pretty good, a long way away from OMG but close enough to Nirvana that you can see the great city in the distance. It’s still susceptible to man-in-the-middle attacks if the user is tricked into entering the code into a bad guy controlled phishing site. The attack sequence is easier to do than, say compromising the victim’s SS7 network, but definitely in the skill set of the modern day cyber criminal. In order for it to be reliable, the attacker has to grab the code and log into the account before the authenticator changes it. Timing is critical but doesn’t make the attack impossible, just more difficult.

You will find the Push Authentication rest stop at the 80 mile marker slightly closer to Nirvana than the Authenticator's rest stop. Still, victims have observed bad guys sending notification flooding attacks to their phones. If potential victims are busy or are not paying attention, they might click the button to verify their identity just to clear the message, never realizing that they just authorized a bad guy into one of their accounts. 

The U2F Authentication restop is the last waystation before the Nirvana exit ramp. If you have serious security requirements compared to just surfing the net, this is the way to go. The downside to the USB security key solution though is the likelihood of somebody like me losing the key, which I will absolutely do because I'm an idiot. I'm more excited about the future possibilities of the NFC (near-field communication) solutions. I'm less likely to lose my phone than I am to lose a USB key. The problem today though is that the solution is not widely adopted yet and still maturing. FIDO (Fast Identity Online) is the standards body that is pushing U2F authentication technologies. In the 2021 Hype Cycle Chart for Identity and Access Management technologies, Gartner puts the FIDO Alliance’s efforts as still traveling down the trough of disillusionment and estimates 2-5 years before it reaches the plateau of productivity. 

Two-factor authentication history.

Call me crazy, but I don’t think that the number of passwords that LastPass will be managing for me in the next decade will go down. With the Internet of Things growing wildly and 5G networks just over the horizon for common use, the volume of accounts we will all have to manage in our personal and professional lives will just continue to grow. Authenticator Soft Tokens, Push Authentication and U2F will be in our lives for the foreseeable future. And maybe, somewhere along that road between OMG and Nirvana, we might just get rid of Dr. Corbato’s stop measure from the 1960s altogether.

Identity and Authentication timeline.

1874

  • William Stanley Jevons, in his book, “The Principles of Science,” introduced the idea of asymmetric encryption by noticing that for any large number, you can’t easily know what two numbers multiplied together will produce it.

1960s

  • Fernando Corbató introduces the use of passwords.
  • Robert Morris, while working at Bell Labs, invented storing password hashes to replace storing cleartext passwords on Unix systems. He based his system on preliminary work by Roger Needham.

1960s - 1970s:

  • Computer administrators used Access Control Lists (ACLs) mechanisms to limit access.

Mid-1980s

  • Security Dynamics Technologies was the first company to create FOB hardware with a one-time password (OTP) for authentication.

1988

  • The Kerberos v4 protocol was first publicly described in a Usenex conference paper. 

1993

  • Tim Howes, Steve Kille, and Wengyik Yeong develop LDAP.

1995

  • AT&T patented two-factor authentication in 1995.

Late 1990s

  • Taher Elgamal — an engineer at Netscape — developed the original Secure Sockets Layer (SSL) protocol, which included keys and server authentication.

2000

  • Windows Server 2000 released, the first release of Microsoft Active Directory.

1999

  • Microsoft introduced a product called Microsoft Passport that was soundly rejected by the internet for many reasons but mostly because it was proprietary.

2002

  • Sarbanes Oxley: Held companies liable for bad access control.
  • SAML V1.0 became an OASIS standard.

2005

  • Brad Fitzpatrick develops the first generation OpenID authentication protocol.

2006

  • First managed identity services.

2007

  • The second-generation OpenID specification (OpenID v2.0). 

2010

  • First Identity as a Service in the cloud.
  • OAuth was released as an open standard as RFC 5849, and quickly became widely adopted. 

2011

  • OpenID had become an also-ran, and, Wired declared that "The main reason no one uses OpenID is because Facebook Connect does the same thing and does it better. Everyone knows what Facebook is and it's much easier to understand that Facebook is handling your identity than some vague, unrecognized thing called OpenID." (Facebook Connect turned out to not be a world-beater either, but at least people knew what Facebook was.)
  • Motorola added a fingerprint scanner to the ATRIX Android smartphone.

2012

  • OAuth 2.0 released; widely criticized for multiple reasons but also widely used.
  • A number of commercial companies, like PayPal and Lenovo, formed the FIDO Alliance, which stands for Fast Identity Online, with the purpose of developing a passwordless authentication protocol. By 2013, Google, Yubico and NXP joined the Alliance and brought with them the idea of an open, second factor authentication protocol. By 2015, The Alliance announced support for contactless transport over Bluetooth and Near Field Communication (NFC).10

2014

  • OpenID Connect was released, which reinvented OpenID as an authentication layer for OAuth. 

References.

18 MAY 2020

CSOP S1E7:: Cybersecurity first principles: zero trust

31 AUG 2020:

CSOP S2E7:: Identity Management: a first principle idea.

07 SEP 2020:

CSOP S2E8: Identity Management: around the Hash Table.

  • Hash Table Guests:
  • Helen Patton - CISO - Ohio State University (2)
  • Suzie Smibert - CISO - Finning
  • Rick Doten - CISO - Carolina Complete Health (2)
  • Link: Podcast (21)
  • Link: Transcript
  • No Essay

9 MAY 2021

CWX: Street cred: increasing trust in passwordless authentication.

  • Guests:
  • Nikk Gilbert, Cherokee Nation Businesses CISO (2)
  • Gary McAlum, former CSO at USAA (5)
  • Wolfgang Goerlich, Advisory CISO at Duo Security / Cisco (Sponsor)
  • Link: Podcast (50)
  • Link: Transcript
  • No Essay

16 MAY 2021

CWX: Zeroing in on zero trust.

  • Guests:
  • John Kindervag, Cybersecurity Strategy Group Fellow at ON2IT 
  • Tom Clavel, Global marketing director at ExtraHop (sponsor)
  • Link: Podcast (52)
  • Link: Transcript
  • No Essay

17 MAY 2021

CSOP S5E5: New CISO Responsibilities: Identity

  • Hash Table Guests:
  • Jerry Archer, Sallie Mae's CSO (4)
  • Greg Notch, the National Hockey League's CISO (2)
  • Link: Podcast (53)
  • Link: Transcript
  • Essay: None

A Developer's History of Authentication,” by Workos.com, 5 September 2020.

A Review of the Evolution of Multi-Factor Authentication (MFA) Technology,” by Alexandra Daragiu, TypingDNA, 16 July 2019. 

Digital authentication: The past, present and uncertain future of the keys to online identity,” BY COREY NACHREINER, GeekWire, 22 September 2018 

Digital Identity Guidelines: NIST Special Publication 800-63-3,” by Paul Grassi, Michael Garcia, and James Fenton, National Institute of Standards and Technology (NIST), June 2017

Digital Identity Guidelines: NIST Special Publication 800-63B,” by Paul Grassi, James Fenton, Elaine Newton, Ray Perlner, Andrew Regenscheid, William Burr, Justin Richer, Naomi Lefkovitz, Jamie Danker, Yee-Yin Choong, Kristen Greene, and Mary Theofanos, NIST, 2022. 

FIDO Alliance - Open Authentication Standards More Secure than Passwords.” FIDO Alliance, February 18, 2022.

Google and Microsoft Debut: Replacing Passwords with FIDO2 Authentication,” Brett McDowell, David Bossio, and Sam Srinivas, RSA Conference 2018, 30 April 2018. 

History of FIDO Alliance - FIDO Alliance.” FIDO Alliance, October 19, 2021.

How Secure Are the FIDO U2F Tokens?” by Philipp, Information Security Stack Exchange, 22 October 2014. 

The Best Hardware Security Keys for Two-Factor Authentication,” by Stefan Etienne, 

The Verge, 22 February 2019. 

The Different Forms of Two-Factor Authentication: SMS, Authenticator Apps, and More,” by Chris Hoffman, How-To Geek,8 June 2017.

The Evolution of Multi-Factor Authentication,” by Rose de Fremery, The LastPass Blog, 22 December 2021. 

What Is a Time-Based One-Time Password (TOTP)?,” by Kelley Robinson, Twilio.com, 2015

What Is NFC (near Field Communication), and What Can I Use It For?” by Chris Hoffman, How-To Geek, 23 September 2016. 

Which Authentication Method Is Most Secure?,” by Beyondidentity.com, 2021. 

U2F Devices (FIDO Security Keys) as a Reliable Security Option for Your Software.” Alphaservesp.com, 2022. 

U2F Explained: How Google and Other Companies Are Creating a Universal Security Token,” by Chris Hoffman, How-To Geek, 27 January 2017.