Two-Factor Authentication
A Primer MARK STANISLAV 

SO WHAT ACTUALLY IS TWO-FACTOR AUTHENTICATION? ‣ Factor classes ‣ What you have (e.g. a phone, a hardware token) ‣ What you know (e.g. a password, a PIN) ‣ What you are (e.g. your fingerprints, your retina
 ‣ Two-factor means utilizing two classes, together ‣ (Hardware token + Password) or (Fingerprint + a PIN) or (retina scan + a phone)
 ‣ By requiring different factor classes, an attacker has a really hard time to actually compromise a system implementing two-factor ‣ An attacker may steal your password but did they steal your hardware token? ‣ An attacker may steal your debit card, but did they also learn your PIN?
 ‣ Different threat scenarios call for different implementations... 

Other Than For Proactive Security, Why Do I Care? PCI DSS 3.0 Requirement 8.3 requires two-factor authentication for remote access by personnel and third-party vendors accessing PCI environment systems.
 HIPAA HITECH Implementing two-factor authentication is required for granting remote access to systems that contain EPHI.
 Avoiding Breaches or Protecting from Breach Fall Out Are you one of the 150 million people who had details stolen during the Adobe breach? What about the 6 million from LinkedIn? 

HELPFUL LEXICON ADDITIONS & GENERAL POINTS ‣ Two-factor authentication may be more generically referred to as “multi-factor” (2+ classes) or a type of “strong” authentication ‣ Two-factor is often abbreviated as 2FA, TFA, or T-FA ‣ Multi-factor is often abbreviated as MFA ‣ Two-Step Verification (2SV) is a common phrase to see used ‣ Using a password + PIN does not count as 2FA/MFA ‣ This isn’t as apparent to most people as you’d probably think it should be :) ‣ Cryptography is heavily involved in most two-factor authentication ‣ We’ll be talking about 2FA in the context of computing usage such as logging into a VPN for work or logging into your WordPress site 

ALGORITHMS AND OPEN STANDARDS ‣ Initiative for Open Authentication (OATH) is an industry collaboration to create standards around authentication, such as two-factor ‣ Hash-based One Time Passwords (HOTP) became a published standard (RFC 4226) in December, 2005 ‣ Time-based One Time Passwords (TOTP) is an extension to HOTP and became a standard (RFC 6238) in May, 2011 ‣ TOTP is important because it adds a time-window to the generation of the password. This is different from HOTP where there’s no “time- out” for a created password to be utilized ‣ With TOTP the password will only be valid for about 30 seconds; this is bad for an attacker! ‣ TOTP is very common to see utilized by services that build their own two-factor solution 

ADDITIONAL DETAILS ON HOTP AND TOTP ‣ Some services that are utilizing TOTP for two-factor are: ‣ Google, Dropbox, Amazon Web Services, Facebook, Microsoft, Stripe, DreamHost, and LastPass ‣ By utilizing TOTP, these services allow for anyone else to build an application or token that can be compatible with their service ‣ The OATH Toolkit (http://www.nongnu.org/oath-toolkit/) easily allows you to do this ‣ Unlike, HOTP, a device/application that utilizes TOTP needs to have a valid time source to be able to functional properly ‣ This prevents many hardware tokens from being able to be a TOTP device for obvious reasons ‣ HOTP/TOTP both require to have a secret key in order to generate their one time passwords ‣ This secret is known by both the token and the server in order for verification to function 

TOTP AND THE MOBILE APP ‣ Because of the need for an accurate clock source, mobile applications are a very common place to see TOTP functionality ‣ The most well known TOTP enabled mobile app is probably Google’s Authenticator but others exist, too! 

HARDWARE TOKEN MADNESS ‣ If you’ve used two-factor authentication at work, you’ve likely used a token like the ones below from RSA, Vasco, VeriSign, or Cisco ‣ Hardware tokens have been the most common form of second factor (a password/PIN being the first factor) since SecurID in 1984 ‣ Kenneth Weiss, who’s company first made RSA’s SecurID, claims he coined the term “two-factor” ‣ Hardware tokens generate a number, every 60 seconds usually, based on either a proprietary algorithm or HOTP, most commonly ‣ RSA is one of the only proprietary hardware tokens on the market anymore with many companies adopting HOTP for their tokens ‣ OATH-compliant tokens will use one of the OATH standards 

SMS AS A TWO-FACTOR TRANSPORT ‣ If a service rolls their own 2FA and doesn’t utilize TOTP to do so, they’ve probably done it with SMS passcode delivery to your phone ‣ SMS is very well understood and available on almost anyone’s phone ‣ Having SMS requires no extra hardware for a user to carry ‣ However, SMS does cost money for some people and if you travel internationally you may not have any cell service to receive codes ‣ Some services that are utilizing SMS-only for two-factor are: ‣ Linked In, 37 Signals, Blockchain.info, ManageWP, Bank of America, JP Morgan Chase, and Citibank ‣ Other services (such as Twitter) allow SMS as an option for two- factor but also provide at least one other way to do authentication 

PHONE CALLS FOR TWO-FACTOR AUTHENTICATION ‣ By calling an account phone number, two-factor authentication can easily occur whether you have a mobile phone or landline ‣ Either the system will simply ask you to “Accept” the login or will tell you to enter a PIN that is robotically provide to you via the call ‣ Unlike SMS, most people with a phone won’t have any extra fees ‣ This system is very common historically and utilized for one-off verification of someone’s ownership of a given phone number a lot ‣ Versus a mobile application, though, having to pick-up a phone call and then type a slowly-read passcode into your system is annoying ‣ What happens if you’re abroad? Or have Internet but no cell signal? 

OTHER FORMS OF A SECOND FACTOR ‣ Mobile applications utilizing “push” notifications (like Duo Security) ‣ Requires data service but no need for cellular signal for a call or SMS which is a HUGE positive ‣ Geographic location of a person to authorize authentication ‣ Confused deputy attack: If a criminal has your username and password, and you’re at your cubicle with your smartphone (your geolocation identity) they can still login as you... whoops! :) ‣ Biometric data, probably from a smartphone or tablet ‣ Apple’s Touch ID is currently unavailable to developers to utilize but this could be a big deal soon ‣ Smart cards ‣ Generally has the same downsides as a token that you have to remember it and losing it would be a huge problem until you can get a new one from your tech person ‣ Very common in the government space, such as the Common Access Card (CAC) 

QUICK COMPARISON OF TWO-FACTOR METHODS Attribute Token SMS Call TOTP Mobile Doesn’t require an Internet connection to function X X X X Allows you to skip 2FA based on location X Works via a cell phone X X X X Works via a land line X Doesn’t require entering a pass code to login X Doesn’t require remembering “extra” hardware X X X X Won’t cost extra money to use each time X X X Can’t be tricked by an attacker in most cases X X X Clearly, there are pros/cons for each! 

THE REALITIES OF MODERN TWO-FACTOR AUTHENTICATION ‣ The method of two-factor authentication you may want to use at any given time probably is based on many variables ‣ Each method of two-factor has upsides and downsides, it’s up to the platform to make it as easy as possible to live your life with 2FA ‣ Any two-factor solution that doesn’t allow for many potential methods per person is a bad idea ‣ Some forms of two-factor authentication may be more easily attacked by a criminal than others; may not affect “everyday” user ‣ Services that are implementing their own two-factor authentication features are typically iterating the feature set ‣ e.g. Twitter started as SMS-only and now also provide a “push”-based mobile feature as well ‣ We’ll likely continue to see many new 2FA platforms come along! 

HOW DO YOU ACTUALLY UTILIZE A TWO-FACTOR PLATFORM? ‣ With RSA, you’ll have a physical server on your company’s network that will be a central point to handle authentication requests that come from an employee’s software/hardware tokens ‣ With Duo Security, or other “cloud” services, you will have an account hosted within the platform’s servers from the Internet ! ‣ Either way, you have to typically install a software modification or write code that will handle the 2FA functionality for an application ‣ Many two-factor providers provide “stock” integrations that allow for their platform to work with existing software (e.g. SSH, VPN) ‣ Also, some providers give a development kit and/or API to leverage 

END-USER CONFIGURATION; VARIES BY METHOD LinkedIn - SMS Only 37 Signals - SMS Only Facebook - TOTP/SMS 

A FEW WORDS ON CRYPTOGRAPHY AND TWO-FACTOR ‣ TOTP/HOTP generation utilize cryptography to generate codes ‣ HMAC-SHA-1 is utilized for HOTP ; HMAC-SHA-{1,256,512} may be utilized for TOTP ‣ “Push” mobile applications use public-key cryptography to function ‣ With an RSA key-pair the phone keeps the private key and the provider is given the public key ‣ These methods also require a secret to be utilized which in the case of a hardware token is a “seed” value that provides a unique output when used with the token’s specified algorithm ‣ This was a problem when RSA was compromised in 2011 and had to send out 40 million new tokens 
 http://arstechnica.com/security/2011/06/rsa-finally-comes-clean-securid-is-compromised/ ‣ The good news is, your two-factor platform or library should handle all of the complexities of cryptography for you... whoo hoo! 

LET’S REVIEW A FEW DETAILS! ‣ Q: What are two popular OATH standards used for 2FA? ‣ A: Time-based One Time Passwords (TOTP) and HMAC-based One Time Passwords (HOTP) ‣ Q: What is another name for two-factor authentication? ‣ A: Multi-factor authentication. Also, two-factor authentication is a form of strong authentication. ‣ Q: Is using a password + a passcode sent to your phone 2FA? ‣ A: Yes! The password is what you knew and the passcode was available by what you have. ‣ Q: What algorithm is generally used in a hardware token? ‣ A: HOTP because it doesn’t require a synchronized clock source to function properly ‣ Q: How can a mobile application be used for two-factor? ‣ A: Multiple ways... HOTP/TOTP passcodes ; “push” authentication ; geofenced locations