Word Notes 8.15.23
Ep 156 | 8.15.23

two-factor authentication (noun)


Rick Howard: The word is: Two-Factor Authentication

Rick Howard: Spelled: Two-factor, as in 2 completely different technology forms and authentication, as in granting resource access to a person, device, or software object.

Rick Howard: Definition: An authentication process that requires two different factors before granting access.

Rick Howard: Example sentence: In the 2011 hack of the company RSA Security, APT1 hackers stole the seed values for the RSA SecurID token product, the two-factor authentication device that was used by tens of millions of users in government and military agencies, defense contractors, banks, and countless corporations around the world.

Rick Howard: Origin and context: In the 1960s, when computers started to become an essential tool for big business and government, the late great Dr. Fernando Corbató, one of computing's founding fathers, introduced the idea of using passwords to grant access to mainframe computers and limit computer time to individual users. Unbeknownst to him, Corbató provided a long list of cyber ne'er-do-wells a never-ending attack vector to break into computer systems. In fairness, though, passwords didn't start to really break down as an authentication system until the internet started humming for online transactions circa the mid-1990s. But by the 1980s, with the ARPANet slowly morphing into the Internet and the computer user population starting to grow, the community needed more robust authentication methods for business-critical systems.

Rick Howard: In the mid-1980s, Security Dynamics Technologies was the first company to create a hardware token device that created one-time passwords (OTPs) for authentication. By 1995, AT&T patented the idea of two-factor authentication. They said that to identify an authorized user, a system needed to check at least two of three factors: something they have, like a smartphone; something they are, like a fingerprint; or something they know, like a password. But the early systems were clunky, hard to manage, and used only in environments that needed the most security. It wasn't until smartphones started to emerge in the mid-2000s that that situation started to change. All of a sudden, everybody had a second factor in their pocket, which led to all kinds of innovation in terms of various two-factor authentication methods. If I were to put all the authentication methods as rest stops on a 100-mile road between the two great cities of “OMG, this is not secure at all” and “Nirvana! We’ve solved security,” the user ID and password pair rest stop would be just a mile out of OMG, just slightly better than having no credentials at all. The email verification rest stop would be about 25 miles out on this journey. It's 75 miles away from Nirvana because it doesn't exactly qualify as a second factor. An email account is unique to a user like a password, but you can access it from anywhere. It's not something you have on your person or some kind of biometric. So having two password-like factors is better than one, but not by much. The SMS verification rest stop would be about 30 miles down the road toward Nirvana. It's slightly better than email verification because it's tied to a second factor, but bad guys have demonstrated in the real world at least three different ways to intercept these codes. Still, it's way better than using only a user ID and password pair. It’s probably fine for run-of-the-mill Internet use, like logging into the library, but if you have material information to protect or if you're a spy, steer clear of SMS authentication.

Rick Howard: The Authenticator Soft Token rest stop is located about 75 miles down the road. It's pretty good, even though it’s still susceptible to difficult man-in-the-middle attacks; timing is critical, but that doesn't make the attack impossible, just more difficult. You will find the Push Authentication rest stop at the 80-mile marker, slightly closer than the Authenticator Soft Token rest stop. Still, victims have observed bad guys sending notification-flooding attacks to their phones. If potential victims are busy or are not paying attention, they might click the button to verify their identity just to clear the messages, never realizing that they just authorized a bad guy into one of their accounts. The U2F Authentication rest stop is the last way station before the Nirvana exit ramp, at mile marker 95. If you have serious security requirements compared to just surfing the net, this is the way to go. The downside to the USB security key solution, though, is the likelihood of somebody like me losing the key, which I will absolutely do because I'm an idiot. Fast Identity Online (FIDO) is the standards body that is pushing U2F authentication technologies. In the 2021 hype cycle chart for identity and access management technologies, Gartner puts the FIDO Alliance’s efforts as still traveling down the trough of disillusionment and estimates two to five years before it reaches the plateau of productivity.

Rick Howard: Nerd reference: Dr. Corbató stored the passwords in a text file, which probably provoked one of the first computer hacks ever. Allan Scherr, working on his PhD at the time, found the unprotected text file, stole the passwords from the other students, and was able to grant himself more computer time. You gotta love those MIT nerds.

Rick Howard: Word notes is written by Tim Nodar, executive produced by Peter Kilpe, and edited by John Petrik and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliott Peltzman. We're privileged that N2K and podcasts like Word Notes are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, people. We make you smarter about your team while making your team smarter. Learn more at N2K.com and thanks for listening.