How passwords can wreck your two-factor authentication

Patrick Lambert shares a friend's experience with having his iCloud and Gmail accounts compromised. Make sure you know the gaps in two-factor authentication and app-specific passwords.

Passwords are used everywhere to access online services, and even though security researchers know that this type of authentication is almost as bad as it gets, it's the default way we all access our online accounts, and attempts to change that fact with other measures (two-factor authentication, biometrics, etc.) are always met with a lot of resistance. Apathy is often the source of this resistance, but there's also the fact that every company wants to use its own solution. Facebook and Twitter have their OAuth-based authentication APIs, PayPal uses the Verisign system, Google has its Google Authentication, Blizzard provides its own dongle, and so on. Users would end up carrying a keychain filled with dongles and tokens if they were to take advantage of all these initiatives.

The chink in two-factor authentication

Then there's also the fact that the Internet is filled with legacy code, and implementing a new authentication system will always hit a brick wall when it comes to older code that simply does not support these newer options. This is why Google offers application-specific passwords in order to allow these apps to still work even when you turn on two-factor authentication. Just this week, a researcher revealed that this password option was actually much more vulnerable than could be imagined. Simply by using a bit of hacking knowledge, one could extract enough information to reuse these passwords over and over again. So while the company was claiming that this generated password would only be usable from a single app, this was not exactly the case.

This particular vulnerability has been fixed by Google, but it remained open for almost a year before code was pushed to close the hole. And even with this fix in place, it does not change the fact that it's still using a password, which leads us to a tale of a compromised iCloud account. One particular techie I know, someone who knew the risks of passwords and the ways he could protect his digital life, ensured that his Gmail account was indeed using two-factor authentication. Unfortunately, he also had an iPad and wanted to access his Gmail messages in the iOS mail app. This app, like almost all email clients out there, does not support two-factor authentication, so he had to generate an application-specific password in order to do so. After entering the password on his iPad, and making sure it had a lock PIN on it, he felt very secure that this one particular step would not compromise his email account.

The iOS gap

Unfortunately, it turns out that his iCloud account was not as secure, and one day he found out that his Apple password had been compromised. Whether it was because of password reuse, brute-force attacks, or simple guesses from someone targeting him in particular, we may never know. But the point is that his iCloud account was now in someone else's hands. Our victim was not too worried, however. He never used his iCloud account for much, and had made sure that no harm could be done with that password. So after recovering his account and changing the password, he put the whole incident in the back of his mind. However, he had forgotten one crucial fact. By default, an iPad will keep a running backup of all of your data in iCloud, as long as you are running iOS 6. This includes things like documents, photos, and settings. Among those settings are stored passwords, and the hacker was smart enough to download the backup to another device while he or she had access to the compromised account.

Still insecure

So while his Google account was using two-factor authentication, and his iCloud password did not grant any kind of access to Gmail, because of this backup the hacker was able to restore his iPad settings to another device and access contacts and emails from his Google account using that application-specific password. The victim only found out about this after the fact, when the damage had already been done. While it had not seemed like such a big deal to create a password for one mail client, it turned out that this specific password was not so specific after all. And this is really the crux of the problem. A password can never be made secure regardless of how many checks you add. It's still just a simple string of characters, and if it gets out of our control, a motivated hacker can find a way to get what they want.

So what's the solution? In the long run, security researchers are right: a user name and password is a terrible way to authenticate. We have to move away from that using things like two-factor authentication. The Google Authenticator is actually an amazing piece of technology. It uses very simple mathematical formulas to ensure that the code your authenticator shows you is impossible to obtain any other way than by holding the exact same serial number (the shared secret) as the server does. This means that as long as you hold on to your smartphone or security dongle, no one listening in or breaking into some other account will be able to bypass this security. And because it uses open protocols, it's incredibly easy for any developer to implement this type of authentication in their own apps. The problem is that because of legacy code, companies have no choice but to implement workarounds. This may be unavoidable, because while it may be your responsibility if you forget your password, there are many situations where you can lose a phone or authenticator through no fault of your own.

There is no magic bullet when it comes to security. All we can do is add layers that will hopefully make accounts more secure. Of course, some of those layers are sometimes stupidly complex and serve no good security use, but that's another story. Still, it's with tales like these that we can remind ourselves no security is perfect, and that it's always good to go back and make sure we're doing all we can to ensure our digital life is safe. Because as years go by, more of ourselves end up being bits, and a safe is no longer what holds our most precious goods anymore.

About

Patrick Lambert has been working in the tech industry for over 15 years, both as an online freelancer and in companies around Montreal, Canada. A fan of Star Wars, gaming, technology, and art, he writes for several sites including the art news commun...

5 comments
leissoo

Actually there are some crazy Estonians who are working on a solution for all the password problems. Besides that their solution doesn't need users private information like OAuth or OpenID and it can act as Virtual Identity Card You can check it out here: www.keylessid.com

Prof_Electric

One cannot isolate the problem or encourage awareness with misinformation. "So while the company was claiming that this generated password would only be usable from a single app, this was not exactly the case." Google never said you _couldn't_ use it for more than one application. They said you _shouldn't_. They said it wasn't designed to be used for more than one app--hence the "application specific" part of it. That does not, however, compensate for the fact one could reverse engineer the passwords. With so many anecdotes and news stories about iCloud accounts being hacked, I am left to wonder why people still use them. That said, it's still only a mediocre solution (at best). @l_e_cox: The problems in society are caused by relative social disparity, which in turn are the result of artificial and real scarcity and a lack of any effective system for resource life-cycle management. In other words, it all boils down to economics. Also, making the individual responsible for their online security is only effective once that individual is aware of the importance of this responsibility. Since the majority of Internet users are not aware, don't understand, and/or don't care, a solution such as a virtual wallet is ineffective. It comes down to education. Such a solution is more beneficial to those who would seek to gain access to a high profile individual's data (because such an individual would likely be less interested in anyone else)...as one could attack the individual's "wallet" without collateral damage. Breaking down the proprietary borders between authentication and authorization sites is the first and most troublesome step to resolving the bulk of technical security problems. In the end, it's still about economics and education.

l_e_cox

I think we need to look at this whole subject in some new ways. There are several aspects to this:

1. What gets stored on network servers.

2. How important it really is to keep some data protected or secure.

3. What we can actually do about crime on this planet. We are reaching the limit on how much crime can be tolerated in society without it caving in. There are ways beyond psychology and ordinary justice systems to understand the destructive urge of certain members of the population and how to get it (them) under better control.

4. Putting individuals more in control of their own data with truly innovative, decentralized security systems, such as storing the most personal data only in a personal "wallet" that a person is responsible for keeping safe and using whenever he needs access to personal data stored on internet servers.

Part of the problem is that governments and companies want to keep so much personal information about citizens and customers in their own central databases. We need to take a good hard look at whether this model is really necessary to run a government or a business and whose interests it actually serves.

eric_s

along with the Google Glass project. The possibility of "remote stalking" and knowing "for sure" that you are away from home are just two quick thoughts. We will need to drop legacy software/apps/thinking and move to a new level of security. Brave new world - here we come.

C-3PO

"Strange game, the only way to win is not to play."