More on Two-Factor Authentication

Recently I published an essay arguing that two-factor authentication is an ineffective defense against identity theft. For example, issuing tokens to online banking customers won't reduce fraud, because new attack techniques simply ignore the countermeasure. Unfortunately, some took my essay as a condemnation of two-factor authentication in general. This is not true. It's simply a matter of understanding the threats and the attacks.

Passwords just don't work anymore. As computers have gotten faster, password guessing has gotten easier. Ever-more-complicated passwords are required to evade password-guessing software. At the same time, there's an upper limit to how complex a password users can be expected to remember. About five years ago, these two lines crossed: It is no longer reasonable to expect users to have passwords that can't be guessed. For anything that requires reasonable security, the era of passwords is over.

Two-factor authentication solves this problem. It works against passive attacks: eavesdropping and password guessing. It protects against users choosing weak passwords, telling their passwords to their colleagues or writing their passwords on pieces of paper taped to their monitors. For an organization trying to improve access control for its employees, two-factor authentication is a great idea. Microsoft is integrating two-factor authentication into its operating system, another great idea.

What two-factor authentication won't do is prevent identity theft and fraud. It'll prevent certain tactics of identity theft and fraud, but criminals simply will switch tactics. We're already seeing fraud tactics that completely ignore two-factor authentication. As banks roll out two-factor authentication, criminals simply will switch to these new tactics.

Security is always an arms race, and you could argue that this situation is simply the cost of treading water. The problem with this reasoning is it ignores countermeasures that permanently reduce fraud. By concentrating on authenticating the individual rather than authenticating the transaction, banks are forced to defend against criminal tactics rather than the crime itself.

Credit cards are a perfect example. Notice how little attention is paid to cardholder authentication. Clerks barely check signatures. People use their cards over the phone and on the Internet, where the card's existence isn't even verified. The credit card companies spend their security dollar authenticating the transaction, not the cardholder.

Two-factor authentication is a long-overdue solution to the problem of passwords. I welcome its increasing popularity, but identity theft and bank fraud are not results of password problems; they stem from poorly authenticated transactions. The sooner people realize that, the sooner they'll stop advocating stronger authentication measures and the sooner security will actually improve.


This essay previously appeared in Network World as a "Face Off." Joe Uniejewski of RSA Security wrote an opposing position. Another article on the subject was published at SearchSecurity.com.

One way to think about this -- a phrasing I didn't think about until after writing the above essay -- is that two-factor authentication solves security problems involving authentication. The current wave of attacks against financial systems are not exploiting vulnerabilities in the authentication system, so two-factor authentication doesn't help.

Posted on April 12, 2005 at 11:02 AM • 14 Comments

Comments

Peter de RooijApril 12, 2005 12:32 PM

I am not sure I agree with your final paragraph: the (current) basic problem that is exploited is the complete lack of protection against replay. I would call that an authentication system problem.

In fact, when implemented correctly, 2-factor auth and one-time passwords (or anything that is not subject to replay) can plug that hole to a large extent, and thus can be fairly effective against many current attacks (phishing) and make trojan attacks and MITM less effective and more complex. For example, AFAIK most European banks authenticate you at log-in *and* for each transaction. Make that replay resistant and phishing or key-logging becomes useless; MITM or trojan attacks becomes harder (the MITM or trojan can only replace a transaction, not add one).

I do agree that in the end, true transaction auth (rather than individual auth) would be needed to for better protection against active attacks (e.g., MITM and trojans). The (next) authentication problem may well be just that. But with replay-resistant authentication (and re-auth) of the individual and clever protocol design you can already throw up quite a barrier. (E.g., use the SMS or a challenge to the token to throw in some transaction data?)

That is, of course I agree with you that 2-factor auth is nowhere near the panacea it's often made out to be. But I also agree with Joe that fixing one big problem, even partly, can be quite useful!

Jury still out?

Adam LangleyApril 12, 2005 12:46 PM

Brute forcing getting you down? Use a slower hash function.

Very simply one can roll back the clock on computing power but using very slow hash functions. (Which can be constructed by iterating current hash functions.)

If your hash function takes 0.25 seconds to verify then 100 computers will need nearly a week to brute force a six letter, all lowercase password.

Of course, people will still write them down and choose poor ones etc. But it's false to assert that faster computers make passwords any worse.


AGL

ArikApril 12, 2005 12:48 PM

@Israel

That's because the CC companies do not care about the security of their transactions. All they care about is that the following applies:

L

where L is the amount lost due to fraud, I is the money CC holders pay as insurance against fraud, and F is the amount the CC company invests in fraud prevention.

As long as they can legitimately charge the customers (i.e. us) enough I, they have no incentive to improve the security of these transaction beyond the point where the above equation still holds true.

-- Arik

rcmeApril 12, 2005 12:50 PM

"People use their cards over the phone and on the Internet, where the card's existence isn't even verified. The credit card companies spend their security dollar authenticating the transaction, not the cardholder."

Hmm... Seems that the credit card companies also spend their dollars assuming most of the "risk" associated with credit card transactions.

I would doubt that credit card holders would be so "loose" with their credit cards if they were 100% liable for fraudulent purchases. Credit cards "work" today because the credit card companies and banks hold card holders liable for only $50 (or even less) of a fraudulent transaction. If this wasn't the case, I would expect there would be far fewer Internet and other credit card transactions, esp. those where the transaction is authenticated but the user is not (or to a lesser degree).

Unfortunately, the same can't be said for identity theft. I haven't seen any banks come forward to say that they will assume all the financial risk associated with "identity theft" for their customer's, if their bank accounts get cleaned out.

Until all types banks accounts (i.e. debit, checking, savings, etc.) have the same types of financial liability guarantees as credit cards, I doubt the problem will go away.

So, I am not clear exactly how having just transaction authentication, without stronger user authentication, (or banks assuming more financial risk), is going to solve the problem of identity theft.

bpApril 12, 2005 1:41 PM

“……..identity theft and bank fraud are not results of password problems; they stem from poorly authenticated transactions.��?

“The current wave of attacks against financial systems are not exploiting vulnerabilities in the authentication system, so two-factor authentication doesn't help.��?

These two statements make no sense to me. Consider identity theft. Someone discovers your social security number, and maybe a few other items of personal information about you. The person then applies for a new instant credit account using your name and SSN. The creditor (say an online merchant) uses your SSN to access your credit report. If it looks good, “you��? get the account. Of course, “you��? isn’t you at all, but an imposter. The creditor simply assumes that whoever knows a few items of personal information about a particular person (in this case, a SSN) must truly be that person. So here we have an example of identity theft enabled by an assumption that someone who knows something about a particular individual is, in fact, that individual. Would someone like to argue that this is not an authentication failure?

But maybe the creditor is a bit more thorough. Perhaps the creditor subscribes to a Choicepoint service that provides personal information about individuals. The creditor then asks a question or two that only you are supposed to know the answer to. For instance, what kind of car do you drive, etc. If the identity thief is worth his salt, he will already have determined this information by tricking a data aggregator service into giving him access to his victim’s information. And we’ve seen that data aggregators like Choicepoint can be tricked. This is an example of an identity theft enabled by a failure of adequate identity authentication on two counts: authentication of “legitimate��? customers of a data aggregator service, and authentication of the person applying for a new credit account.

Of course, if someone gets your bank account login ID and password through phishing, pharming, or something else, they can then access your account. The password is supposed to “prove��? that whoever knows it is the true owner of the account, but in this case, that assumption is wrong. Again, another failure of authentication.

These examples just illustrate that the security of our identities and bank accounts often depends on nothing more than keeping secret the very same information that data aggregators compile and sell for profit to customers who can then turn around and use the information for criminal purposes. So how can anyone argue that the current attacks on financial systems are not caused by a failure of authentication? Bruce had an earlier post in which he stated that “to reduce the risks associated with identity theft, we have to make identity information less valuable.��? That is exactly right. But how do you make identity information less valuable for committing identity theft and other fraud? Seems to me the answer must lie in stronger forms of authentication. Authentication of people using nothing more than information they know is simply inadequate. It may well be that each transaction with a bank needs to be separately authenticated, but it first needs to be ensured that the correct person, and not a fraudster, is facilitating those separate authentications.

piglegApril 12, 2005 8:54 PM

As in the earlier essay, Bruce doesn't present any empirical data for any of the claims he's making, which makes it difficult to seriously discuss them.

- "We're already seeing fraud tactics that completely ignore two-factor authentication... The current wave of attacks against financial systems are not exploiting vulnerabilities in the authentication system, so two-factor authentication doesn't help." I don't know what "current wave" he's talking about. If he's referring to online banking fraud, all attacks I am aware of do exploit authentication vulnerabilities.

- "The credit card companies spend their security dollar authenticating the transaction, not the cardholder." Do they? How? The one time when I became fraud victim, the company wouldn't have noticed anything although the card used had been officially cancelled! In the end, I guess they don't care because they pass the risk to the vendors. Moreover, haven't you heard what the British card companies have recently been doing? They have clients authenticate themselves by PIN codes. P-I-N a-u-t-h-e-n-t-i-c-a-t-i-o-n. Who would have guessed that?

The main problem with this essay is the mixing up of online fraud with identity theft. Initiating a fraudulent online transaction with a stolen or guessed password isn't the same as identity theft, and identity theft needn't have anything to do with online transactions. So the statement that two factor authentication doesn't prevent identity theft is rather trivial. But it can prevent online fraud, and that's what it should.

JurgenApril 13, 2005 3:29 AM

... authenticate transactions and not the indivudual... How do you expect to do that ..??
C'mon Bruce, you're known for better reasoning than this..

And you disclaim two-factor authentication because it doesn't implement the switch from indivudual authentication to transaction authentication? How can one blaim a technical solution for not being applied correctly?
And, most importantly, transaction authentication using two-factor authentication *does* exist, moreover is widespread in Europe. Only provincial myopia can overlook that. I wonder why European banks that use that, have no problem whatsoever with phising / identity theft ...

JbaApril 13, 2005 3:40 AM

Re: Credit card signatures

It's a common misconception that your signature on the credit card should be compared against the one you sign on the slip.

This is incorrect.

The signature on the credit card is only there as a proof that you agree to and acknowledge the terms of use for the credit card. It seals the contract between the card holder and the card issuer. Nothing else.

But Bruce's example do actually have some merit. In some countries with stricter control than the US of the use of credit cards, a photo ID is required together with the credit card. The name and signature on the photo ID is then compared to the the name of the CC and the signature you're writing on the slip. In theory, that is. In practice, you'd be lucky if a clerk would check the names and that the photo is somewhat similar looking.

561-208-8286April 13, 2005 8:02 AM

Hi, you say "Passwords just don't work anymore." I have our systems configured to lock out bad password attempts for an hour. I realize this approach could lead to Denial of Service, but it allows our users to use relatively simple passwords without fear of compromise. So far, no DOS. Doesn't everyone do this?

NyarlyApril 13, 2005 1:47 PM

@AGL, re: stacking hashes

My gut reaction is that stacking any cryptographic primitive algorithm is not guaranteed to even maintain the level of their properties. For instance 2DES is worthless, worse than single DES.

For a hashing function, it seems likely that a hash's output domain will contain some colliding inputs. Over repeated iterations, the hash would tend to collide more and more often, until at some point every password is equivalent, since they all end up hashing to the same value.

Perhaps there's a compromise position. Since the time to perform a brute force is O(nT), where n is the size of the secret domain, and T is the time it takes to check a guess, it is possible that there exists a number of iterations that increases T enough that the resulting reduction in n still results in an long time. Intuitively, such a compromise should exist, granted that n diminishes linearly with T. My guess is that n diminishes geometrically or exponentially, though.

TomApril 17, 2005 12:36 PM

If you look at phishing and Trojan attacks, these rely on capturing log-in information and then the attacker replaying the (static) data at a later date. Many banks also require users to authorise creation of a new beneficiary, or a new third party payment using a further level of security (e.g. additional n digits from a password). If two-factor authentication is deployed by banks, the devices won't just be the simple one-time password tokens which are commonly used for remote access to corporate networks, they'll most likely also include challenge-response capability, as well as functionality to sign meaningful data elements for new beneficiary set up.

jApril 19, 2005 4:22 PM

In Britain, as in many other places, the financial services industry has apparently recognized that online banking must be secured by something stronger than a password. The Association for Payment Clearing Services (Apacs) is developing specifications for stronger methods of authentication for online banking. See the article at

www.thisislondon.co.uk/news/business/articles/timid399830?source=

Unfortunately, rather than strengthening their authentication procedures, American banks will probably be quoting Bruce Schneier as to why two factor authentication won't work.

JasonNovember 30, 2005 10:17 PM

Fundamentally, same security principles can be applied in both traditional and on-line transaction world. I think some of the security challenges in on-line transaction world are: user authentication, reverse authentication, user/agent association and end-to-end communication. As a technical tool, two-factor authentication solves user authentication issue to a degree. However, the whole security system can still be defeated if other areas are attacked. In security games, each tool has its limitation and is useless if not used properly or no adequate process is in place.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..