Enterprises and websites are increasingly adopting, if not requiring, the use of two-factor authentication. But as numerous high-profile attacks have demonstrated, two-factor authentication systems are not foolproof, says Ryan Lackey, a principal in the security practice at distributed-denial-of-service attack defense firm CloudFlare.
At his "Two Factor Failure" briefing during the recent Black Hat Europe conference in Amsterdam, he demonstrated a new type of attack against time-based one-time password (TOTP) security tokens, the kind used by numerous services and authenticator apps, including Google Authenticator.
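For readers unfamiliar with the mechanism the talk targets, here is an added example (not code from the page, the briefing or CloudFlare) of how a TOTP code is derived per RFC 6238 and how a server should verify one. The seed is the ASCII string used for the RFC 4226/6238 test vectors, so the results can be checked against the RFCs; the verifier class, its bounded drift window and its replay check are this example's own design, not anything the article attributes to Lackey, and the example does not reproduce his attack, which the article does not describe.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed sample secret: the ASCII seed used for the RFC 4226 / RFC 6238
# test vectors. A real deployment provisions a random key per user.
RFC_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC(secret, counter), dynamically truncated to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to the current 30-second step."""
    return hotp(secret, unix_time // step, digits, algo)


class TotpVerifier:
    """Server-side check for one enrolled token (example design, not from the page).

    Two details matter beyond "recompute and compare": the acceptance window is
    bounded (+-`window` steps, to absorb clock drift between token and server),
    and each counter value is accepted at most once, so a code captured by
    malware or phishing cannot be replayed within the same time step.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6,
                 window: int = 1, algo=hashlib.sha1):
        self.secret, self.step, self.digits = secret, step, digits
        self.window, self.algo = window, algo
        self.last_counter: Optional[int] = None    # highest counter accepted so far

    def verify(self, code: str, unix_time: int) -> bool:
        if len(code) != self.digits or not code.isdigit():
            return False
        base = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            if self.last_counter is not None and counter <= self.last_counter:
                continue                                  # already used: refuse replay
            expected = hotp(self.secret, counter, self.digits, self.algo)
            if hmac.compare_digest(expected, code):       # constant-time compare
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 Appendix B vector: T=59, SHA-1, 8 digits -> 94287082
    print(totp(RFC_SEED, 59, digits=8))
    v = TotpVerifier(RFC_SEED, digits=8)
    code = totp(RFC_SEED, 1111111111, digits=8)
    print(v.verify(code, 1111111111), v.verify(code, 1111111111))  # True False
```

The verifier must be applied on every authentication path, not only the interactive login; a recovery or administrative flow that skips it re-creates exactly the gap the article goes on to describe.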
To date, many two-factor and two-step authentication systems have been defeated by malware, or bypassed by attackers, Lackey points out in an interview with Information Security Media Group. One recent example involved high-profile iOS users' personal photographs, which were backed up to Apple's iCloud. Hackers were able to obtain the images, in part, because Apple's two-step verification system wasn't being used to restrict access to the iCloud backups.
"The iCloud hack raised a lot of questions both about Apple security in general and about two-factor authentication," Lackey says. "Right now, there are a lot of systems that have two-factor on their front door, for the regular user authentication path, but they skip two-factor for account recovery, for administrative procedures - anything that's sort of an infrequent operation."
In this interview with Information Security Media Group, Lackey discusses:
- Apple: The lessons to be learned from the spotty implementation of Apple's two-factor system;
- Biometrics: The benefit of Apple's Touch ID and other biometric technologies for improving the security of a two-factor authentication system;
- Soft tokens: Some potential methods for strengthening the next generation of software tokens;
- Hardware: The ways a new generation of multi-function hardware security tokens could be made attractive to enterprise users, despite the cost;
- Bitcoin: The impact that the Bitcoin movement could have on two-factor authentication systems; and
- Sharing: The importance of creating systems that support multiple user accounts, and how two-factor authentication can help mitigate the risk of passwords being shared.
Lackey is a product engineer for security at CloudFlare, which earlier this year acquired CryptoSeal - a cryptographic hardware, software, and network services provider - for which Lackey served as CEO. Previously, he founded HavenCo, an offshore data haven based in the North Sea off the coast of England. He has also helped run several communications, networking and IT services firms in Iraq from both inside and outside the Green Zone in Baghdad.