It’s a staple of the Hollywood thriller: a hacker in an inexplicably darkened room guesses a password and gains access to some clandestine operation’s inner workings. But unfortunately for anyone concerned about their online security, this isn’t a flight of fancy. It’s happening all the time, in bedrooms, on trains, in hotel lobbies – anywhere with access to the net. That’s because an alarming amount of supposedly secure information is protected by little more than a combination of keyboard characters which everyone, in theory at least, has access to.
Of course, there’s a spectrum of password strengths ranging from “qwerty” to long strings of randomly generated characters, but most of us, for the simple fact of having to remember not one but dozens of passwords, will often inadvertently choose something that’s actually relatively easy to crack – sports teams, kids’ names, numbers, birthdays, addresses and so on.
A recent study found that the top 10,000 passwords were used by 98.8% of users to access their accounts; in other words, you could try a known username with each of these 10,000 and it’s highly likely that you’ll gain entry. With modern technology at the disposal of criminals, billions of passwords can be tried out in hours.
This is where two-factor authentication (2FA) comes in.
The principle behind 2FA is this: while the chances of a criminal having theoretical access to one means of entry (i.e. a password) are present and measurable, the chances of having two different but mutually essential forms (especially an object) are vanishingly small.
It is generally accepted that there are three authentication factors in use: something you know (such as a password or PIN), something you own (such as a card, token or phone) and something you are (a biometric such as a fingerprint).
We’ve been used to two-factor authentication since the 1960s in the form of ATM bank cards. A PIN or a debit card alone cannot grant access to an account, but both are required. If they have a weakness it’s that cards can be cloned and fingers on keyboards can be observed; criminals go as far as installing false fronts on cash machines to record both.
Business has also been familiar with two-step authentication for some time. Staff have been issued with dongles, bracelets and cards that need to be physically inserted into terminals to grant access to sensitive areas of buildings and IT systems alongside a password, so that even a stolen dongle will offer only limited access, especially if the theft is reported swiftly. The weakness here, though, is the human weakness for losing and forgetting things rather than criminal intent.
But today, there’s “something you own” that probably only leaves your side when it’s in your gym locker – the mobile phone. So ubiquitous are these devices that we’ve conditioned ourselves to pat our pockets when we leave the house just to make sure we’re carrying them.
That human weakness of forgetting and mislaying – though by no means eradicated from the gene pool – is much less likely to cause trouble if the second factor is the mobile phone.
Google and Microsoft are major advocates of two-step authentication for access to their online services. Although it is not mandatory (yet), it is strongly recommended. Both companies offer apps that can be installed on your device and that generate random 6- or 7-digit codes when called upon (i.e. when users try to log in to a Google or Microsoft service).
Because the numbers time out after a minute or two, there’s no long-term value in looking over someone’s shoulder when they enter them.
The systems also allow for loss, forgetting, flat batteries and network problems by falling back to other agreed channels, for example a second phone number, which the system can call automatically to read out a spoken passcode.
Apps aside, there’s another feature that all mobile phones have – SMS messaging. (Remember, non-smartphones still account for about 20% of the UK mobile market.) This means of communication is an effective way of providing 2FA to customers, and it’s one that has been widely accepted by banks.
All a bank (or its third-party service provider) needs is a customer’s mobile phone number; anyone logging in to the banking website can then be required to enter a code sent to that phone before gaining entry to the account. Since every SIM is unique, only the person in ownership of the phone with that number will gain access.
Banks may choose which aspects of their service require SMS two-factor authentication depending on the level of security required. For example, a simple username/password combination could be enough for checking a balance, while 2FA is required to withdraw cash or set up a standing order. Customers might also be given the option to opt in to 2FA for none, some or all of the services they want access to.
A drawback of mobile 2FA is that it depends on the integrity of several elements: the mobile network, the SMS delivery chain and the SIM itself.
Mobile phones’ weakness is that they drop out wherever there is no mobile signal, which happens in a surprising number of situations, especially underground, inside large buildings and at times of heavy demand. Moves are afoot to deliver SMS and calls over WiFi networks. For example, the EE phone network has started rolling out a service which for the first time allows customers living in remote parts of the countryside (albeit with internet/WiFi) and those using the London Underground (which was recently WiFi-enabled) to make calls and receive texts via their SIM, not just with a Skype or instant-messenger-type service.
A second issue has been the pause between requesting a 2FA SMS and receiving it. Most consumers tolerate a few seconds before getting frustrated. After 30 seconds they start to wonder whether the SMS will be sent at all, and after a minute they will probably retry. This is particularly frustrating when the first SMS does then arrive but its code has already been cancelled by the second request. This problem is usually down to inefficiencies in the bank’s or the SMS service provider’s infrastructure, or in the communications between them. Usually there are technical ways of remedying the situation, but sometimes a brand new, efficient system is required.
In both cases above, the situation can be remedied by allowing a third means of access to the customer to be used as a backup.
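The "retry cancels the first code" problem is partly a design choice on the server side: if a repeat request within a short window re-sends the code already issued instead of cutting a new one, a delayed first text still works when it finally arrives. The store below is an added example, written for this page rather than taken from any bank's system; the window, lifetime and attempt limit are assumed values, and the in-memory dictionary and fake clock stand in for a real backing store and wall-clock time so the behaviour can be exercised offline.

```python
from __future__ import annotations

import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0


class SmsOtpStore:
    """Server-side record of outstanding SMS codes (illustrative in-memory design).

    A repeat request inside `resend_window` returns the *same* code, so a late first
    text is still valid; a fresh code is cut only after that window or after use.
    Codes are single-use, expire after `ttl` seconds and are burned after too many
    wrong guesses, which keeps a 6-digit code from being brute-forced."""

    def __init__(self, ttl: int = 300, resend_window: int = 90, max_attempts: int = 3,
                 digits: int = 6, clock=time.time):
        self.ttl = ttl
        self.resend_window = resend_window
        self.max_attempts = max_attempts
        self.digits = digits
        self.clock = clock
        self._pending: dict[str, PendingCode] = {}

    def request(self, user: str) -> tuple[str, bool]:
        """Return (code_to_send, is_resend); the caller hands the code to the SMS gateway."""
        now = self.clock()
        pending = self._pending.get(user)
        if pending and now - pending.issued_at < self.resend_window:
            return pending.code, True
        code = str(secrets.randbelow(10 ** self.digits)).zfill(self.digits)
        self._pending[user] = PendingCode(code, now)
        return code, False

    def verify(self, user: str, submitted: str) -> bool:
        """Single-use check: expired codes fail, too many wrong guesses burn the code."""
        pending = self._pending.get(user)
        if pending is None:
            return False
        if self.clock() - pending.issued_at > self.ttl:
            del self._pending[user]
            return False
        pending.attempts += 1
        if pending.attempts > self.max_attempts:
            del self._pending[user]
            return False
        if hmac.compare_digest(pending.code, submitted):
            del self._pending[user]
            return True
        return False


class FakeClock:
    """Constructed clock so the timing rules can be exercised without waiting."""

    def __init__(self, start: float = 1_000.0):
        self.t = start

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


if __name__ == "__main__":
    clock = FakeClock()
    store = SmsOtpStore(clock=clock.now)
    first, _ = store.request("alice")
    clock.advance(45)                       # impatient customer presses "resend"
    again, is_resend = store.request("alice")
    print(is_resend, again == first)        # True True: the delayed first text still works
    print(store.verify("alice", first))     # True, and the code is now spent
    print(store.verify("alice", first))     # False: single use
```

Note that the resend window must be shorter than the code lifetime, and that a resend does not reset the attempt counter, otherwise repeated "resend" requests would give an attacker unlimited guesses at the same code.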
Some security experts have raised concerns about the cloning or swapping of SIM cards, diverting the SMS messages to the cloned/swapped SIM in the criminal’s phone without the knowledge of the user or the bank. There are measures which can be taken to detect and counteract this threat, such as using SIMs’ or phones’ unique digital “fingerprints” or detecting logins from geographically distant locations within impossibly short timespans, but they are all too often overlooked.
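The two detection measures just mentioned, an unfamiliar device or SIM fingerprint and "impossible travel" between consecutive logins, can be expressed as a small rule run over login records. The code below is an added example for this page, not any bank's detection logic; the speed threshold, the event fields and the four sample logins (alice's code requested from New York ten minutes after a London login, bob commuting to Manchester) are all constructed for illustration.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # assumed: roughly airliner speed; faster is "impossible travel"


@dataclass(frozen=True)
class LoginEvent:
    user: str
    ts: int            # Unix seconds
    lat: float
    lon: float
    device_id: str     # the SIM/handset "fingerprint" the page refers to


@dataclass(frozen=True)
class Alert:
    user: str
    reason: str
    ts: int


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def detect_sim_swap_signals(events: list[LoginEvent]) -> list[Alert]:
    """Walk each user's logins in time order; flag unseen devices and impossible travel."""
    alerts: list[Alert] = []
    last_seen: dict[str, LoginEvent] = {}
    known_devices: dict[str, set[str]] = {}
    for ev in sorted(events, key=lambda e: (e.user, e.ts)):
        devices = known_devices.setdefault(ev.user, set())
        if devices and ev.device_id not in devices:
            alerts.append(Alert(ev.user, f"new device fingerprint {ev.device_id}", ev.ts))
        devices.add(ev.device_id)
        prev = last_seen.get(ev.user)
        if prev is not None:
            hours = max(ev.ts - prev.ts, 1) / 3600          # avoid division by zero
            km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            if km / hours > MAX_PLAUSIBLE_SPEED_KMH:
                alerts.append(Alert(ev.user,
                                    f"impossible travel: {km:.0f} km in {hours * 60:.0f} min",
                                    ev.ts))
        last_seen[ev.user] = ev
    return alerts


# Constructed sample login records (coordinates are London, New York and Manchester).
SAMPLE_EVENTS = [
    LoginEvent("alice", 1_700_000_000, 51.5074, -0.1278, "sim-A1"),
    LoginEvent("alice", 1_700_000_600, 40.7128, -74.0060, "sim-Z9"),
    LoginEvent("bob",   1_700_000_000, 51.5074, -0.1278, "sim-B2"),
    LoginEvent("bob",   1_700_010_800, 53.4808, -2.2426, "sim-B2"),
]

if __name__ == "__main__":
    for alert in detect_sim_swap_signals(SAMPLE_EVENTS):
        print(alert.user, alert.ts, alert.reason)
```

Either signal on its own produces false positives (a new handset, a VPN exit node), which is why the two are usually combined and used to step up verification through another agreed channel rather than to block the customer outright.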
But weighed against the potentially disastrous consequences of a criminal gaining access to banking, business or security systems, the drawbacks mentioned above are in most cases beatable. The good news is that 2-factor authentication systems are constantly improving, and are almost certain to become second nature over the coming decade, and that will inevitably mean more reliability, buy-in and security safeguards.
As 2FA becomes the norm, consumers might actually end up being liable for losses if the option of 2FA is made available but they refuse to use it. Similarly, companies who do not offer 2FA to consumers could be held responsible for data breaches. Technology and potential litigation could be triggers of universal two-factor and multiple-factor authorisation.