I’m several months late to this party, but I just saw Marcel’s post on Google’s two-factor authentication with a smartphone.
He’s right. It works until someone steals your phone. Once someone steals your phone, you’re in a world of hurt. It’s just a compromise, until we find a way to do two-factor authentication the right way.
The right way is with a smartcard, issued by some sort of central authority.
I once worked somewhere that you couldn’t access a computer without a smartcard. You inserted the card, typed a PIN, and bam, you were in. We had certificates loaded on our e-mail servers that corresponded with certificates on our cards. We could e-mail back and forth and encrypt messages almost effortlessly, using the certificates stored on our cards, so we could talk about anything proprietary that we wanted, and nobody outside the organization would ever know. And if we ever attached a file, we were prompted for the PIN again, so it would digitally sign it. It made the sender think twice about it–and impossible for a rogue program to send something and spoof us–and it gave the receiver a great deal of confidence that the attachment was legit.
It took a little getting used to, but now that I don’t work there anymore, I miss it. It was really nice.
Just imagine if we all had that. If my accountant needed a financial document, I could send it to him and not worry about it, because we could encrypt it so only he could ever read it. I could digitally sign any document he sent me, and completely avoid going to his office. I could have exactly the same kind of digital relationship with my banker, my real estate agent, and anyone else. My employer could send me my tax returns and pay stubs via e-mail, since it could be encrypted and digitally signed.
Digital theft and fraud would become much more difficult because e-mail communication would be encrypted. You could intercept it, but it would be gibberish.
But the best thing of all: No more passwords. Web sites could authenticate against the certificate on the card. It knows who I am, because I have the certificate and I entered the PIN correctly. We would never have to remember a password again.
That means no more stolen e-mail accounts and passwords, closing that vector for fraud too.
The problem is, who could issue the card? One possibility is the government. The improved national security and decrease in crime would probably pay for the cards and then some, but in today’s political environment, can you imagine the outrage? The government issuing licenses to use a computer? How do I know the chip on the card isn’t recording everything I do and sending it to Washington?
The idea would be dead on arrival. There are too many arguments against it. I don’t think many of the arguments are very good, mind you, but I wouldn’t want to be the one advocating the program, even though I think smartcards are something we desperately need.
A coalition of Internet providers could do it, but do they really stand to gain much from it? When a crime happens over their infrastructure, they aren’t the ones paying for the investigation, and they don’t have any liability. If someone intercepts my e-mail, I can’t sue AT&T, so what obligation does AT&T have to make my e-mail secure?
A coalition of Internet companies with a lot to lose–think companies like Google, Facebook, Amazon, Ebay, Yahoo, and Microsoft–could do it, but that won’t happen until they stand to gain enough from it.
That’s the problem with businesses doing it. Before they can justify spending $100 per customer to issue a card, they have to be sure they’ll get $300 worth of savings or new revenue per customer if they do it.
People could just buy the cards on their own and use them, but that doesn’t do me any good if the people I talk to and do business with don’t all have cards, and if the web sites we all use don’t recognize the cards. It would be like being the only person in my social circle with a telephone. I have this cool gadget, but no way to use it.
So in the meantime, we have to live with kludges like two-factor authentication via cell phone. That’s something almost everyone has.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.
One thing that helps if your phone is lost or stolen is that you can download a list of temporary pass codes from Google. You can print the list out and store them at home, or somewhere else you can get to with some ease. If you loose the phone, you can use the pass codes to log in using Google’s two-step verification. Also, instead of using text messages if you have a smart phone, you can download the Google Authenticator app (it’s available for Android, but I’m not sure about iOS). While it won’t help with a lost or stolen phone, you just have to fire up the app and punch in the code that it displays. The code changes every 60 seconds. I’ve been using the Authenticator app for a few months now and it works well. I also have a set of backup codes stashed away just in case I loose or wash my phone.