How secure is your account with two-factor authentication codes

by Eugene Shablygin, on Wed 08 May 2019

It is always important to use the right tool for the right task. The surgeon’s finest knife is ineffective when used for cutting down trees, and the lumberjack’s best axe would be disastrous if used for surgery. This isn’t a difficult concept to understand -yet today most of us are forced to do just that. Nearly every time we need to identify ourselves online with username and passwords, we’re forced to use the wrong tool for the job -and this is a problem. Some might pass it off as a risk, but the data and statistics are clear -by failing to adapt and continuing to operate this way the consequences are inevitably disastrous.

Today’s headline is yet another case in point: “Hackers steal over $40 million worth of bitcoin from one of the world’s largest cryptocurrency exchanges”. This is nothing new -indeed, nothing surprising. By now we could even say well expected. Why? It is quite predictable:

“Binance said the hackers ran off with over 7,000 bitcoin and used a variety of attack methods to carry out the “large scale security breach” which occurred on Tuesday. They also managed to get some user information such as two-factor authentication codes, which are required to log in to a Binance account.”

Serious accidents are very rarely the result of a single failure. Like in aviation, disasters are usually caused by a chain of multiple events, errors, omissions and mishaps. To prevent further accidents, all of these causes should be addressed. Unlike the aviation, the online world is not really regulated. This allows companies (not all, but the majority) to keep making the same mistakes over and over again.

Let’s address one cause, which is applicable to more than 4/5 of all security breaches, can be easily fixed, but still remains the huge security hole in most systems: Traditional login with usernames and passwords, followed by traditional “two factor authentication”.

How can you spot this problem? It is very easy -there is no need to dig too deep. If a login screen shows you the input field “username” – that’s it. You are in trouble. That’s “the hole in the wall, which invites in thieves,” as an old proverb says.

To be a little bit more specific – ANYTHING which contains human readable data (“something you know” in authentication lingo) should NEVER be used as identification or primary verification factor. NEVER.

“Something you know” is fine for secondary, tertiary and higher step factors, along with biometrics, geolocation, time fencing and other tricks. However, if you really want to stay safe from the bad guys who are trying to steal your money, influence your elections, crash your stock or unveil your little dirty secrets – avoid entering “something you know” until the system verifies you with “something you have”. Not other way around.

Starting with something you have is nothing new, and most of us have used some pretty old and well known solutions. For example -an ATM will never start the process by asking you for your username and password -you must first insert your debit card. When going through airport security, TSA won’t start the process by asking you to tell them your name -they want to see your ID card and boarding pass.

There are also some excellent and innovative solutions which go under-utilized precisely because consumers don’t demand them from the businesses and governments they interact with. For example Smartcard IDs are far more secure against counterfeiting than traditional ID cards, and have the valuable benefit of allowing cardholders to use them for securely authenticating online (by leveraging certificates generated and stored in secure elements). Another approach is with the use of properly designed mobile authenticator apps, which aren’t built on the broken foundation of usernames and passwords, but instead leverage right factor authentication by starting the process with something you have. These smartcards and mobile apps can even be designed to compliment each other in order to provide flexibility depending on the use case and context of the login. When properly integrated with correctly developed and implemented PKI infrastructure or secure distributed data storage, these login mechanisms can prevent losses caused by those who “managed to get some user information such as two-factor authentication codes”. It is an easy way to save money, time and headaches.

With today’s technology, using the right tool for the right job is easier than ever. Identifying ourselves online with “something you have” is the most obvious, convenient and secure approach available to us. With an obsolete approach like usernames, passwords and traditional two-factor authentication, you might be better off just using that axe on your computer …at least then nobody else would be able to use your own data against you.