2FA: Why a Separate Wearable Device is Better Than Your Smartphone?

Multi-factor authentication (MFA, sometimes simplified as ‘two-factor’ or 2FA) has proven to be an effective tool for enhancing the security of online accounts. However, enabling MFA or 2FA does not mean your account is automatically secure.

Whoever knows your important passwords effectively owns your life. In the United States, 7% of the adult population have experienced identity theft. Over 100 million Americans had their online identity exposed when the customer databases of their service providers or government agencies were hacked.

The situation is quite similar in Europe and even worse in Eastern Europe, where no exact statistics are available. The reason: identity theft is not a priority for local regulators.

Identity theft is not the only crime that walks hand in hand with hacked passwords and compromised online accounts: credit card fraud, blackmail, privacy invasion and illegal wiretapping all occur frequently throughout the world.

Militaries and the nobility have used MFA for centuries. For example, in the Three Musketeers by Alexandre Dumas, d’Artagnan receives a ring from Queen Anne of France in addition to the spoken instructions he needs to use to communicate to the Duke of Buckingham in order to warn the Duke that Cardinal Richelieu and Milady de Winter are plotting to kill him.

The Three Musketeers illustration by John Millar Watt (1895 — 1975)

The modern use of MFA for securing computer records and online accounts originated in the banking sector, the typical example being cash withdrawal from an ATM, which requires having a banking card and knowing your PIN.

Man using ATM machine. Image by Pixabay

In the early 2000s banks, online stores and services introduced a telecom version of 2FA based on an SMS containing a one-time password (OTP). Today this is practically synonymous with 2FA itself. More recently, mobile applications (e.g., the cross-platform Google Authenticator) brought carrier-independent 2FA to mobile phones using the TOTP and HMAC-based OTP software algorithms.

Screenshot of Google Authenticator on Android Smartphone. Image by AskUbuntu via StackExchange

So, why still bother with old-school hardware authentication tokens that require carrying yet another tangible object around?

In this post we will try to explain why a hardware second factor solution is still a good option in some cases and will guide you through the features of our flagship product, the Hideez Key, which makes hardware MFA an effective and easy to use solution for such cases.

 

An external device is a true second factor, in fact one of the multiple factors required to feel secure in modern cyberspace

In times when online criminals and governments can bypass even two-factor authentication, trusting your second factor to the same device you want to protect is not the best solution. The well-known three pillars of two-factor authentication are what you know (i.e. password or PIN), what you have (i.e. banking card, digital token or other physical object) and what you are (your biometric data like fingerprints, iris or eye veins, the manner you type on your keyboard, soundwave pattern of your voice or heartbeat, etc.).

Customers who use software-only 2FA limit themselves to only what they know, i.e. their permanent password or passphrase plus a one-time password (OTP) or PIN, which is… just another password after all. This means a computer professional or criminal who has somehow gained control over your client device, or who is able to see what is on your screen (think of CCTV or hidden security cameras inside modern office buildings), can bypass such software-only 2FA.
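To make the two points above concrete (the HMAC/TOTP algorithms behind apps like Google Authenticator, and the claim that a software OTP is "just another password"), here is an added worked example of HOTP (RFC 4226) and TOTP (RFC 6238). It is not Hideez code and not the source of any authenticator app; the seed value is the public RFC test vector, and the function names are my own. The point for a defender is visible in the code itself: the "one-time" code is a deterministic function of a shared seed and the clock, so anything that holds the seed (the server, the phone, or malware that has copied the phone's seed store) produces the identical code.

```python
"""HOTP / TOTP as used by Google Authenticator and similar apps (RFC 4226 / RFC 6238).

Added worked example, not Hideez code. The seed below is the public RFC test
vector, not a real credential.
"""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks a 4-byte window
    binary = (
        (mac[offset] & 0x7F) << 24               # mask the sign bit
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6, t0: int = 0) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second periods since t0."""
    return hotp(secret, (int(for_time) - t0) // step, digits)


def verify_totp(secret: bytes, code: str, for_time: float = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accepts the current period and `window` periods either
    side to tolerate clock drift; constant-time compare avoids leaking which digits matched."""
    if for_time is None:
        for_time = time.time()
    if len(code) != digits or not code.isdigit():
        return False
    for drift in range(-window, window + 1):
        candidate = totp(secret, for_time + drift * step, step, digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def decode_seed(base32_seed: str) -> bytes:
    """Seeds in otpauth:// URIs / enrolment QR codes are Base32, usually shown
    without '=' padding and sometimes lower-case with spaces; normalise first."""
    s = base32_seed.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


# Constructed demonstration value: the RFC test seed "12345678901234567890" as it
# would appear in an enrolment QR code.
RFC_TEST_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def same_code_on_both_sides(seed_b32: str = RFC_TEST_SEED_B32, at: int = 59):
    """Whoever holds the seed computes the same code the server will accept:
    the OTP adds no secret beyond the seed already stored on the phone."""
    seed = decode_seed(seed_b32)
    code = totp(seed, at)
    return code, verify_totp(seed, code, at)


if __name__ == "__main__":
    seed = decode_seed(RFC_TEST_SEED_B32)
    # RFC 6238 test vector for T=59, SHA-1, 8 digits: 94287082
    print(totp(seed, 59, digits=8))
    print(same_code_on_both_sides())
```

The `verify_totp` window is the usual server-side trade-off: a window of one step accepts three codes at any moment (clock drift tolerance) at the cost of tripling the guessing surface, which is why real deployments pair it with rate limiting and why a code must never be accepted twice.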

In fact, given all the threats of the modern world, we recommend that our customers move forward from conventional 2FA to a more complex MFA in which biometric data is the primary factor and plays the major authentication role, while all the other, auxiliary factors are required only to prove the authenticity of the confirmation message issued on the basis of the biometric data. Here ease of use starts to play the key role.

 

If set and used properly, the external MFA device offers better reliability compared to a telecom OTP

Since the late 2000s, OTPs delivered via SMS became a very popular authentication method in banking and then spread to online services like email, social networks, cloud storage, etc. There, OTPs are easy to use. However, their reliability depends on a number of factors.

First of all, the customer needs to be sure that the mobile network used to deliver the OTP is sufficiently protected. There are numerous publicly reported instances of the A5 encryption algorithm used by 2G GSM networks being broken. 3G security was also compromised in 2010. We found no reliably confirmed public reports showing a successful breach of the encryption used by the 4G standards. Nevertheless, we do not rule out such a possibility, as in the current security environment a successful network penetration methodology is usually not disclosed but sold to interested parties.

Secondly, SMS OTPs are vulnerable to government wiretapping, and this might be an issue in countries experiencing problems with freedom of speech and other basic human rights. Each 3G and 4G standard has mandatory instruments built in that allow authorised government law-enforcement agencies to access the SMS servers of mobile networks operating within their jurisdiction. Moreover, it is possible to intercept such SMS OTPs while the victim of an attack is roaming in such a country.

The Lives of Others (German: Das Leben der Anderen) movie by Florian Henckel von Donnersmarck (2006) featuring Ulrich Mühe (1953 — 2007) as Stasi Hauptmann Gerd Wiesler. Motion picture still by Tasteofcinema.com

Unlike telecom operators, 2FA token hardware vendors currently have no obligation to disclose their technology to the government in most countries, as this might have adverse effects on banking security and government communications themselves. This does not mean that governments cannot target hardware 2FA technology, but the legitimate means for doing so are very limited.

 

Bluetooth MFA is Reliable Like USB Token and Convenient Like SMS 2FA

A Bluetooth-based external MFA device gives the same level of protection as a properly maintained USB hardware token, while offering the convenience of SMS-based OTP or mobile apps like Google Authenticator

While USB-based hardware tokens for 2FA are very reliable and efficient if used properly, they require the customer to insert them into a USB port of his device each time he needs them. This creates a risk of accidental destruction. Remember that USB stick with important documents which you broke with your leg while sitting down? It also incentivizes the customer to leave the stick ‘right in the slot’, thus making the second factor enabled by this stick vulnerable to hacking.

Hideez Key combines the reliability of a hardware second factor with the ease of use of a wireless communication protocol. The customer does not need to plug the device in anywhere; she just needs to keep it in her pocket or on a keychain close to her body.

Hideez Key size dimensions in comparison to a €2 coin. Image copyright by Hideez Technologies

Unlike other Bluetooth-based ‘unlock your computer’ devices, Hideez takes sniffing and MITM attacks seriously. We use additional safeguards on top of the standard Bluetooth bonding. These safeguards improve the initial key exchange and make unauthorised sniffing and other signal interception techniques more difficult to perform with our devices.

Interception of Bluetooth traffic on a client device by malware might also be an issue, but we solve it by adding additional safeguards to the crypto key exchange, an enhancement that we will discuss in upcoming posts for this blog.

 

How Does the Device Know its Owner?

Another critical vulnerability of any hardware second factor is the same as it is for any physical key or access token — the software assumes that the person presenting the physical token for authentication is the rightful owner. However, what if the second factor device was lost or stolen?

Hideez Key uses eye-vein biometrics developed by EyeVerify to solve this issue. A customer can set up biometric authentication for a number of scenarios.

Our team is currently working on a simple artificial intelligence solution for continuous identity confirmation. This solution will require the customer, after opting in, to perform periodic eye scans several times a day. It should not be a very demanding task for the customer: a typical eye-vein scan takes up to 10 seconds to complete, and it can run in the background, for example while the customer reads a news feed on his smartphone. At the same time, it will create a new dimension and new opportunities in terms of ambient security.

Eyeprint scan using EyeVerify software library on iPhone 6S. Courtesy of EyeVerify

In case the customer loses access to her Hideez Key for any reason, she can also use My Hideez service to unlink the Hideez Key from her account. This will prevent unauthorized use of a Hideez Key which was lost by its legitimate owner.

 

Syncing over Bluetooth is safer than syncing via the Cloud or Wi-Fi

Knowing your password at the right moment is no less important than keeping it secure. Products like iCloud Keychain, LastPass, Dashlane, SafeInCloud and others offer built-in and standalone password managers with cross-device synchronization features.

While all of these solutions have excellent reputations and no confirmed security breaches, they still use the Internet to synchronize data between the customer’s various devices, and this means there is a potential vulnerability.

In the case of a device with a local wireless connection (Bluetooth 4.2 LE in the case of Hideez Key) there is no such vulnerability. Customers can use our external hardware password vault as a medium for syncing passwords between various Bluetooth-enabled devices without using an Internet connection or incurring the associated risks. As we discussed earlier, our team mitigates sniffing and other wireless-related risks with additional encryption layers at the transport layer and inside the application.

 

Wrapping up

While software-based MFA is becoming increasingly popular and is better than nothing, the current cybersecurity environment requires truly distributed MFA. Only hardware solutions can offer this.

Still, hardware solutions must provide ease of use combined with reliability to minimize the risk that a customer might decide to take the easy option and compromise his second factor by leaving the USB stick inside the USB slot or using a ‘1111’ PIN for end user identification on the second factor device.

Bluetooth devices for MFA ensure the desired ease of use. However, they also create an additional risk of signal interception by specialized radio equipment, and they do not protect against the risk of data interception by malicious software installed on the paired device.

Bluetooth-based MFA solutions give customers an additional benefit of wireless syncing between the customer’s various devices without requiring the Internet as the medium for such syncing.

If engineered with diligence and properly maintained by its end user, a Bluetooth-based second factor device offers ease of use and an industrial level of protection.

 

Author: Gennadiy Kornev

Marketing and Product Advisor of Hideez Technology, content distribution systems architect, project manager, dad
