How not to do two factor auth

Two factor authentication – the practice of requiring more than one key to the safe. Every sensible service provides the option these days. But not all do it the proper way.

Rest of the post covers the ground about passwords in general and why two factor auth is a good idea. If you are familiar with the topic, you may find the article boring. You may skip to the last couple paragraphs safely. If you have never heard of two factor auth, continue reading.

Let’s look at the common implementations. We need two keys unlock. The first one’s usually a password.

Lets back up a bit. Why do we need two keys? That’s easy to answer – To make it difficult for a thief to break the lock. Until a few years ago, Passwords alone did okay-ish. But the thieves learned. They used phishing and social engineering to fool users and extract the passwords out of unsuspecting users. Its something similar to showing you a lock that looks like yours. If you fall for the trick and present your key, I make a copy and use it on the real lock.

Since the keys are strings of letters, numbers, and symbols, and people have difficulty remembering lots of them, they usually use the same password everywhere. Or use qwerty or something similar, an easy to remember one. If I have a million locks to pick, and I like to pick as many locks as possible, I can either try all keys on every lock one by one or try the most likely keys on every lock. The second method is easier. Usually by few orders of magnitude.

Now we come to dictionary attacks and brute force attacks. Dictionary attacks use a list of probable passwords and try simple variations of them. Brute force attacks try every possible key on the lock.

And the service providers weren’t idiots. They started rate limiting. You can only try n keys in a minute, or something similar. Trust me when I say that with proper rate limiting in place, brute force and dictionary attacks can take hundreds of years.

But wait, there’s an issue we haven’t addredsed yet. What if people use the same password at multiple sites and the other site was somehow compromised? It happens. A lot. So you now need to protect yourself from the idiocy of others. That’s a bit tough.

And then, it dawned on the experts. Passwords are a bad practice. Too late to fix. The idea of passwords became so natural to the average joe that he’d call you crazy if you told him that passwords are bad. A lot of users are, um, let me put it this way. Security-illiterate. Lots of them. You see, the main issue here is the stupid users. Force them to use strong passwords and you see post it notes on desktop with the passwords. You can’t easily educate them either.

So now comes the beautiful idea. What if we don’t just ask for something the user knows (password), but we also ask that they show us something only they can have.* Enter two factor auth.

A one time password sent to your mobile, or requiring a confirmation on your mobile for every login, or requiring you to present a difficult to forge certificate or special hardware generated secret token, lots of possibilities. But not everyone gets it right.

There is a tradeoff between convenience and security. The trick is to find the fine line that is secure enough but not very inconvenient for the user.

Twitter allows you to require confirmation on mobile for every web based login. To break this lock, the attacker needs both your password and your mobile.

But what if your mobile app doesn’t work or you lose your mobile? Allowing a recovery means the recovery path should atleast be as strong as the actual path. Else any sensible attacker choses recovery, the least secure path. It’s a lot of additional work. But not providing a recovery means that users may get locked out of your service.

I’m surprised I wrote such a lengthy article on my mobile. Allow me to wind it up. I’ll revisit the topic later.

You probably guessed it by now. Twitter’s recovery mechanism seems to be prohibitively tough. Submit a support ticket and wait. I never expected twitter to make such a blunder. People do lose mobiles. Give me some sensible recovery mechanism please..

Find below last tweet in the conversation that prompted this article.

P.S: Writing wordpress articles on mobile sucks. A little.

Evolution not presented in strictly chronological order. I tried to simplify things, may have over done it. Comment your views below.


2 thoughts on “How not to do two factor auth

  1. Hmm, you managed to talk a lot without saying much. Better not bore readers with too much background information and details (Use links or relevant quotes instead?).

    Done with the commentary. 2-factor authentication is most useful for your everything-is-linked-from-here email account. Even if any other service is compromised, you can still get your access back via your email account. So, secure them as much as possible.

    I agree that the mobile phone plays a crucial part in 2-factor auth. More than what anyone is comfortable with. My disaster day plans goes something like this: If I lose my phone, I attempt to find the backup-code (available for Google services, WordPress, GitHub and maybe others) and use it to login, disable 2-factor auth, etc. That’s because I am reliant on the Google Authenticator.

    There is one other theoretical way. To get back your phone number (most telenetwork providers let you get the number back if you provide the right documents) and receive a security code via SMS. That way, you let yourself various way of digging out of the rabbit hole.

    Now, apply the commentary to my comment.


    • Hmm, yours is concise. I was trying to cover some background. People who are familiar with the stuff do get bored. To please audience with some background, i must not write everything from mobile where its hard to get relevant links. And stop running around, too. I’ll give it a try sometime this week directed at the knowledgeable folk.


Comments are closed.