May 26, 2016
Failures of Two-Factor Authentication
How can an organization become less secure by attempting to be more secure, such as through two-factor authentication? Let me tell you.
How can a bank — or any organization — become less secure in its attempts to become more secure? Let me tell you.
Security must do two things: protect and enable. If your security doesn’t enable people to do what they have to do, they will inevitably circumvent it, creating all sorts of exception conditions as they do. And that is the path to perdition (and hacking).
Security often fails because people who design security are much better at throwing up roadblocks than they are at creating pathways.
This month brought yet another story chronicling the theft of millions of passwords by hackers, once again highlighting the importance of implementing “not-just-password security” at places that really matter.
But I’m about to turn off two-factor authentication for my bank, right at the moment when everyone seems hell-bent to turn it on. Why? Because it doesn’t make me safer if it doesn’t work; it just prevents me from accessing my money.
Tangled in red tape
I’ve run into classic red-tape headaches with my bank recently as I try very hard to use its two-factor authentication scheme.
A quick review: Two-factor authentication adds a strong layer of security by requiring that two tests be met by a person seeking access — a debit card and a PIN code, for example, representing something you have and something you know. Online banks and websites are slowly but surely nudging everyone toward various forms of two-factor authentication because it really does make life harder for hackers.
Most of these two-factor forms involve the use of smartphones, as they have become nearly ubiquitous. Log onto a website on a PC, and a confirmation code is sent to your phone — something you have (the phone) and something you know (the password). Simple but elegant, and far harder for bad guys to crack.
It’s great — when it works. But what about when it doesn’t?
Consumers get new phones all the time. If the code is tied to the physical handset, the code doesn’t work any longer. What then?
It turns out that this can be a very vexing problem.
I’ve been a USAA banking customer for decades. The financial services firm has ranked atop customer satisfaction surveys seemingly forever, and for good reason; it really does take good care of members.
At least it did, until it tried to implement two-factor security. A Symantec app loaded onto your smartphone offers a temporary token — a six-digit code — that changes every 30 seconds. The token is tied to the physical handset. Only a person who knows your PIN and can access the token on that handset can log onto the website.
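The six-digit code that rolls over every 30 seconds is the behaviour of a time-based one-time password (TOTP). The following is an added illustration, not the code of the Symantec app or of USAA: it assumes the generator follows RFC 6238 with HMAC-SHA1, six digits and a 30-second step (the article does not name the algorithm, so that is an assumption), and it uses the RFC's own published test secret so the output can be checked. It shows why the token is "tied to the handset": the code is derived from a secret provisioned onto that one device, so a new phone has no way to produce it, and the bank's only remedy is to provision a fresh secret. The `verify_totp` window is the server-side allowance for clock drift, not something the user sees.

```python
import hashlib
import hmac
import secrets
import struct

# Test secret from RFC 6238 Appendix B (ASCII "12345678901234567890"), used here
# so the generated codes can be compared against the published vectors.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time.
    Every `step` seconds the counter advances and the code changes."""
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, code: str, now: int, step: int = 30, window: int = 1) -> bool:
    """Server-side check. Accepts the current time step and `window` steps on
    either side so a phone whose clock drifts by a few seconds still works.
    Uses a constant-time comparison so timing does not leak partial matches."""
    for drift in range(-window, window + 1):
        counter = now // step + drift
        if counter < 0:
            continue
        if hmac.compare_digest(hotp(secret, counter, len(code)), code):
            return True
    return False


def enroll_new_handset() -> bytes:
    """Provisioning a new device means generating a fresh secret and storing it
    on both the server and the new phone. The old handset's secret is not
    transferred, which is exactly why a new phone cannot produce valid codes
    until the bank re-enrols it. (Hypothetical helper; 20 bytes = SHA-1 width.)"""
    return secrets.token_bytes(20)


if __name__ == "__main__":
    # Published RFC 6238 vector: at T=59 the SHA-1 code is 94287082 (last six digits 287082).
    print("code at T=59:", totp(RFC_SECRET, 59))
    print("accepted one step later (drift window):", verify_totp(RFC_SECRET, "287082", 60))
    print("rejected two steps later:", verify_totp(RFC_SECRET, "287082", 95))

    # Simulate the article's "new phone" problem: the replacement handset gets a
    # fresh secret, so the code the old handset would show is (barring a one-in-a-
    # million six-digit collision) meaningless to the server.
    new_secret = enroll_new_handset()
    print("old handset's code verifies against new enrolment:",
          verify_totp(new_secret, totp(RFC_SECRET, 59), 59))
```

Running the module prints the RFC vector `287082` for T=59, shows it is still accepted at T=60 (one step of drift) but not at T=95, and shows the old handset's code failing against the freshly provisioned secret. The recovery pain the article describes sits entirely in that last step: nothing in the protocol can migrate the secret, so the bank needs a well-defined re-enrolment procedure.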
Sure, it’s a tiny hassle to pull out the phone every time you want to log on to the website, but that’s a fair price to pay for security.
New phone, new problems
However, the hassle becomes immense when it becomes time to change handsets. So immense that I couldn’t fix my login and access my bank for 24 hours. And that’s happened to me twice in the past year. Why? Chiefly because USAA isn’t set up to deal with the problem of new handsets.
The real problem came next.
People change phones roughly every two years, so this new handset problem must come up often enough. Yet it’s obvious USAA operators aren’t ready to handle the problem when consumers call. Each time I reached an operator, I had to spend a lot of time explaining the problem. On the first call, the operator merely changed my mobile application login settings after putting me on hold for minutes. When I protested, she said she had to transfer me to a special department — and then the phone went dead.
After a second call, where I again waited, the operator was sympathetic but put me on hold quickly and wasted a lot of time trying to set me up with a new phone number. It took a while before I could convince her that “new phone” meant “new handset,” not “new number.” We eventually agreed that all I needed was someone to turn off two-factor and issue me a temporary password so I could go in and re-establish the connection between my handset and my account. But after another long hold and transfers to two other operators, I was told they were having trouble issuing temporary passwords and was asked if I could call back.
I’ve left out many steps in this saga. At each stage, I was subject to strict authentication questions. That’s fine; I was asking for a new password, after all. But at the end of my fruitless journey through tech support, when I asked if I could somehow get express treatment when I called back just to find out if I could get a temporary password, I was told, “No.” So, next time, I will have to, once again, convince a primary operator who I am, that I am having token problems and that I need a temporary password.
My experience last time was similar, so I know I’m not just the victim of bad luck.
The last time this happened, I was sure to give the operator who finally liberated my account some specific feedback: There needs to be a tidy process for dealing with people who get new handsets. Obviously, that hasn’t occurred. So, the first thing I will do when I can access my account is disable the token. While I am afraid of hackers, I’m more afraid of not being able to access my money because my bank has poorly implemented a security solution.
Leaving the country? Good luck!
USAA is hardly the only firm having trouble dealing with two-factor issues. Independent security analyst Harri Hursti told me about the foibles consumers face when dealing with two-factor authentication that relies on text messages.
“The moment you start traveling, all bets are off. Text messages over roaming are far from reliable — they either are never delivered, or they experience regular delivery delays over 10-15 minutes,” Hursti said. “Basically, in order to do banking when traveling internationally, you need to start by turning all security off. And yet you are knowingly getting into an increased security risk environment.”
Gartner security analyst Avivah Litan says these kinds of issues not only threaten adoption of two-factor security but actually create more pathways for hackers.
“Two-factor, in this case, actually weakens security rather than strengthens it,” Litan said. “I always tell our clients that their security is only as strong as its weakest link, and when they disable two-factor authentication on the account, they likely ask the account holder to verify their identity by answering easily compromised questions, which any criminal who can buy data on the Dark Web has access to. So not only does two-factor authentication without proper supporting processes annoy and greatly inconvenience good legitimate customers, it also does little to keep the bad guys out.”
Perhaps this problem isn’t that common yet, as uptake on two-factor is still relatively small. But with each password hack, more people will turn on two-factor authentication. If companies blow the implementation, consumers will just as quickly turn it off again.
Protect and enable, or we’re all at greater risk.
This piece was written by Bob Sullivan.