
[Podcast] Password Expert Per Thorsheim On Life After Two-Factor Authentication


Based in Norway, Per Thorsheim is an independent security adviser for governments as well as organizations worldwide. He is also the founder of PasswordsCon.org, an annual conference that’s all about passwords, PIN codes, and authentication. Launched in 2010, the conference invites security professionals and academic researchers to better understand and improve security.

In part one of our conversation, Per explains why we continue to use passwords, the difference between 2-factor authentication and 2-step verification, as well as the pros and cons of using OAuth.

Naturally, the issue of privacy comes up when we discuss connected accounts with OAuth. So we also made time to cover Privacy by Design as well as the upcoming EU General Data Protection Regulation (GDPR).

Click here for part two.

Transcript

Cindy Ng
Recently, I had the pleasure to speak with an independent security advisor, Per Thorsheim, on all things passwords.

Based in Norway, he is the founder of PasswordsCon, the world’s first and only conference about passwords. It’s a gathering of security professionals and academic researchers from all around the world where they discuss ways to improve security worldwide. Thank you, Per. Let’s get started.

So, a very important question: lots of security experts have warned us about the dangers of passwords, but why do we continue to use them?

Per Thorsheim
Well, it’s cheap to use from a business perspective. There are many cases where we don’t have a business situation where, you know, there’s no point in using anything else than passwords. They are available in every single system we use, and if you want something else, it’s going to be more expensive. And who’s going to pay for that?

Cindy Ng
A lot of people are using password managers to manage all our different accounts for all our different sites. And there’s also two-factor authentication which can be tiresome. You suggested that there’s life after two-factor authentication. Can you tell us a little bit more about that?

Per Thorsheim
Yeah, you know, we have National Security Awareness month here in Norway, just like in the US, in all of October. And a very important message that we have been bringing out in all possible channels over the past month is to use two-factor authentication. And basically what that is, is that in addition to having a username and password, you would have a code that you need to enter that you will get from a key from a text message or something similar. Maybe you have a couple of codes written down on a piece of paper that you have to type in, in addition to your password. That’s two-factor authentication.

Now, what I mean about life after two-factor authentication is that every step that we add into the process of authenticating, you know, how to figure out that you are the correct person logging into our system, takes time. And by adding a second factor, it will take you, in most cases, a little bit extra time to be able to log in. For some people, that’s okay. For some people, it’s a disruption. It’s annoying, and what I’ve been thinking about, you know, by saying, “life after two-factor authentication,” is, “What happens today when, in my case, I have, like, 400 accounts on different services all over the internet and at home and at different, you know, banks and insurance companies and so on? What happens today that I’m actually using two-factor authentication with all of those accounts?”

I’m just imagining to myself that that’s going to be very annoying. It’s going to take a lot of time. Every time I have to log in to any kind of service, I have to type in username, I have to type in my password or pass phrase, and then I also have to look at my phone to receive a text message or find you know, that dumb piece of hardware dongle that I forgot at home, probably, and type in a code from that one as well. So from a usability perspective, I’m a little bit concerned, maybe even a little worried about what’s the world going to be in a couple years when all the services that I’m using today are either offering or even requiring me to use two-factor authentication?

Now, from a security perspective, adding this kind of two-factor authentication’s a good thing. It increases security in such a way that in some cases, even if I told you my password for my Facebook account, as an example, well, I have two-factor authentication. You won’t be able to log in, because as soon as you type in my username and password, I will be receiving a code via SMS from Facebook on my phone, which you don’t have access to. Now, without that code, you will not be able to log in to my account. The security perspective of this is really good which is why we recommend it. From the usability side, I’m a little bit concerned about the future.

Cindy Ng
What’s the difference between the two-factor authentication and the two-step authentication, in terms of increasing usability?

Per Thorsheim
Two-step verification process is what I consider to be a good trade-off between good security and good usability. With two-step verification, which is what Facebook and Twitter and Google does in most cases, is that you will do the initial setup process of your account and an initial setup of your two-factor authentication procedure, like, once, to log in, using the Facebook app on your phone, on your iPad. Maybe you’re using the browser on your computer. And you do this authentication with username, password, and entering the additional code once per device or per app that you’re using or maybe for each and every single web browser on different computers that you may be using.

And as soon as you’ve done that, Facebook will remember the different browsers and apps you have used, and then, you know, they are already pre-approved. So then next time you log in, you only type in your username and password, which reduces complexity and time for you. But still they remember your browser, so they see that, “Oh, yep, that’s Per logging in from a browser that he had already used before, so we know that this browser probably belongs to Per. And as long as the username and password is correct, he gets access to his Facebook account.” The two-factor authentication process, I would have to enter that additional code every single time I log on, and that’s the difference between the two-step verification and the two-factor authentication.

Cindy Ng
What if I decide to delete my cookies?

Per Thorsheim
Well, then it’s all gone. Then you have to do the setup process again, and this is applicable to when you’re using your web browser. But if you are using the official Facebook app for iOS or for Android, as an example, these features are built into the application. In that setting, it’s not just a standard cookie. There’s a little bit different security built into the app. But, of course, you can do this on the app as well to basically delete your cookie.

Cindy Ng
You would essentially have to do a risk analysis on yourself to figure out what the trade-off is in that regard.

Per Thorsheim
Yeah, absolutely. You know, when I go traveling abroad, I go to many different countries, and some of them may be, well, should I say, a little less democratic and a little more hostile, perhaps, than others. So I do my personal risk analysis on wherever I go: do I need a strong PIN code? Do I need a strong password? Should I be using two-factor authentication? And this is a risk analysis, and it’s also a trade-off for the usability. I’m just like, I guess, everybody. I want security to be good, but I’m not willing to sacrifice too much of the usability in order to keep up good security, because then I will probably stop using the service if I’m forced to be compliant with all kinds of security requirements all the time, when there’s, you know, from my perspective, no point in doing so.

Cindy Ng
Let’s also talk about other security options, such as OAuth. Tell us a little bit more about the pros and cons of using that as an option to log in.

Per Thorsheim
Well, it solves many problems, especially in terms of usability. I can go to an online store here in Norway, and I’ll want to purchase myself a new computer, or maybe I would like to order tickets to the movie theater to go with somebody to watch a movie, as an example. And instead of having to sign up for an account, I can use what we call a social login, where they are using OAuth in the background, and you basically sign up using your Facebook account. Now, this is, from a usability perspective, it’s very easy to do.

The privacy concerns about this is the fact that Facebook will be getting access to information like you went to the movie theater, and they will maybe be able to find out which movie you actually went to see and how many tickets you’ve purchased. I don’t know. Maybe they can. And the movie theater, they will also get information from Facebook about me, who I am, my age, my gender, maybe some other pieces of information as well. And in my opinion, the movie theater shouldn’t be asking me, you know, who I am or anything. You know, I want to see a movie. I’m not going to make any trouble for them, and I’m going to pay for the tickets, and that’s it. There are lots of privacy concerns about this, at least from my perspective. And I am a little bit concerned that most people, they don’t really realize how much information they actually give away about themselves when they are using this kind of authentication to all kinds of services around.

Cindy Ng
You’re really speaking to data minimization, which is part of the “Privacy by Design” guideposts, to collect what you really need, not collect every single thing. When you go see the movies, they don’t need to know every single friend that you have on Facebook, for instance.

Per Thorsheim
Yeah, and, of course, from science modeling perspectives, I can see that they actually have an interest in knowing this about you. But, you know, the movie theater, they don’t give me a discount when I provide lots of personal information about myself, compared to those who just purchase a ticket and pay in cash. And they remain completely anonymous, so to speak, for the movie theater, while I’m paying the same price, but at the same time I also give them information about my age, address and phone number, email address, gender, a lot of pieces of information as well. In one way, I would say that, well, if they would give me a discount, maybe I would be interested in giving away more personal information about myself.

It’s going to be interesting when the GDPR actually comes into law. I still do have my concerns about GDPR. I mean, it’s an EU law, so that will be implemented in different countries in the EU and also in Norway. I mean, we are actually not a member of the European Union, but still the GDPR will be put into our laws and regulations as well. And the most important aspect of GDPR, in my opinion, is that if you are a service provider of any type, and you suffer a data breach of personally identifiable information about, you know, users, especially if that information is sensitive – that is, regarding sexuality, health, criminal records, political activity, religious activity, membership in worker unions, as an example – the GDPR says that the company or organization in question can get a fine up to 4% of their total global yearly revenue.

And, you know, you look at the numbers of Apple and Microsoft and Google, of how much revenue they make in a full year, and then, you know, 4% of that amount is going to be the maximum fine for one single data breach. That’s a lot of money. Today, data breach laws here in Norway, as an example, will give you a fine so small that anybody can pay it without any problems at all. So this is a game-changing regulation that is coming into law for the European Union. How it will be interpreted in courts, and how big those fines will actually be, that is going to be very interesting to see, starting somewhere in 2018.

Cindy Ng
Yeah, it’ll be a challenge to see how they can enforce it when US companies do business in Norway or any of the EU countries.

Per Thorsheim
Well, absolutely. I mean, there have been attempts to set up agreements between the European Union and the US, as an example, for cloud services from Google, from Apple, from Microsoft and so on that will regulate how US companies are to handle data about European citizens and also whether the US government can get access to that data or not. And these are, as far as I know, still ongoing discussions, of course, but there are also laws and regulations and agreements already in place on this. That applies, again, to how US companies are handling data about European citizens stored on computers in Europe.

Cindy Ng
Let’s talk about hardware. What do you think about things like the YubiKey and the RSA tokens? How effective is having hardware in…

Per Thorsheim
Well, from the risk analysis perspective, it’s a good thing. If I give you an app that you will use on your phone that will provide you with codes that you need to log in, somebody would either have to steal your phone. They could eventually trick you, talk you into giving them the code from your app by, you know, calling you and say, “Hey, this is from Microsoft Support in India, and we are calling to make you aware that you have some problems with your account. We need to verify your account by having you read up the present token number that you have on your phone at the moment.”

But, in general, from a risk analysis perspective, having a hardware token is a good thing, security-wise. And it’s much better than using just an app or receiving a text message by SMS, because an app is a piece of software that may have vulnerabilities, and SMS messages are also being sent, essentially, in the clear. And we know from assessing vulnerabilities in the worldwide user networks that they can be interrupted, and they can also be sent through hostile servers, where an adversary can read them in plain text and then get access to your account. If you have a handheld device, maybe with a, you know, small screen and doesn’t have any connectivity at all, it just generates a new code every 30 seconds or 1 minute or 5 minutes, like RSA SecurID. It’s much harder for an attacker to get access to those codes. They would either have to trick you, or they would have to steal comments in that physical token from you.

Cindy Ng
It’s interesting how social engineering can happen with hardware that’s supposed to protect us too.
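To make the two-factor versus two-step distinction from the conversation concrete, here is an added example (not code from the podcast or from Varonis) of a toy login service that can run in either mode: "two_factor" asks for a time-based one-time code on every login, while "two_step" asks once and then pre-approves that browser through a remembered device token, so deleting the cookie means going through the setup again. The code generator follows RFC 6238 (TOTP); the class, user names and secrets are constructed for the example.

```python
import hashlib, hmac, secrets, struct, time

def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class LoginService:
    """Toy server. mode='two_factor': code on every login; 'two_step': code once per device."""

    def __init__(self, mode: str):
        self.mode = mode
        self.users = {}          # name -> (salt, password hash, TOTP secret)
        self.remembered = set()  # device tokens the server has already pre-approved

    def register(self, name: str, password: str, secret: bytes) -> None:
        salt = secrets.token_bytes(16)
        self.users[name] = (salt, self._hash(password, salt), secret)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def login(self, name, password, code=None, device_token=None, now=None):
        """Returns (success, token to keep in the 'remember this browser' cookie, or None)."""
        now = time.time() if now is None else now
        rec = self.users.get(name)
        if rec is None:
            return False, None
        salt, pw_hash, secret = rec
        if not hmac.compare_digest(self._hash(password, salt), pw_hash):
            return False, None
        # Two-step: a browser that already proved the second factor is pre-approved.
        if self.mode == "two_step" and device_token in self.remembered:
            return True, device_token
        # Otherwise the one-time code is required: a leaked password alone is not enough.
        if code is None or not hmac.compare_digest(code.encode(), totp(secret, now).encode()):
            return False, None
        if self.mode == "two_step":
            token = secrets.token_urlsafe(32)  # deleting this cookie forces the setup again
            self.remembered.add(token)
            return True, token
        return True, None
```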
Cindy is the host of the Inside Out Security podcast.
