Showing posts with label two-factor authentication.

Wednesday, October 24, 2012

Two-Factor Authentication with a Smartphone

Passwords are now depleted. We used them too much and we need something else. That's been my feeling for a few years.
I just hit upon the article by Randall Stross, "Doing the Two-Step, Beyond the A.T.M.", in the New York Times. The article first compares using a PIN code to using a password, just like I did some time ago. It then goes on to suggest generalizing two-factor authentication with the help of a smartphone. Clearly, there's a need and a market here.

Whatever the solutions that will come up in the next years, they'll have to face the following challenges:
  1. Be user-friendly enough.
  2. Be applicable both for individual use and for corporate use (at least, integrate in BYOD processes).
  3. Allow for safe backup methods in case you lose one of the two factors, for instance, a stolen smartphone.
  4. Allow for Single Sign-On: avoid user-side repetitions.
  5. Allow for federation: avoid server-side repetitions, like maintaining similar lists of users in multiple applications.
  6. Allow for automated patches/updates. There will be flaws in the beginning that will require patching.

Tuesday, May 10, 2011

Smartcard and PIN or the Increased Security of Just 4 Digits

The French government is currently enforcing the use of what they call strong authentication for all access to people's medical data: smartcards protected by a PIN code, containing an authority-approved certificate. The PIN code is just 4 digits, and the question came to me:

Why should I trust 4 little digits with my users' security? (when my password has 12?)

There are many subtle technical points within that question, but the main answer comes down to one key view of the problem: reducing the number of possibilities, which helps enforce good processes.

Compared to a password-based authentication, smartcards and PIN codes enforce the following:
  1. Just one mechanism to integrate passwords and content on the card: that of the card itself.
  2. Just one mechanism to ask for authentication: a challenge. That removes the danger of "password comparison" mechanisms, where you just have to look into the computer's memory to get the cleartext password.
  3. Just one administrator code capable of resetting the PIN: the SOPIN. That removes the danger of old, "unused" administrator accounts you find in most company directories.
  4. Just numbers in the PIN code, no letters. Though this may seem like a weakness against brute force, it is on the contrary a strength, because it prevents people from setting their given name as their password, or that of their son.
  5. Additionally, users tend to remember numbers better. As a typical human being, you could name tens of likely alphabetic strings for your own password. But you remember only a few sequences of 4 numbers. So when you know one, that's for good.
  6. Just three attempts: you can't easily brute-force it by the usual means.
  7. Just one logical place to deliver a smartcard: inside the company. You may send a password or even a PIN by mail, but a token can only be delivered physically, and the only logical location to do that when you have dozens or thousands of users is inside the company's walls. That reduces the number of intermediates between the administrator and the user, and most of the time replaces external intermediates with internal ones.
  8. Just one smartcard. 1/ If it gets stolen, you'll notice it. 2/ You can't share it with friends and still benefit from it at the same time. So you'll (at least) make sure you get it back.
  9. Just one attempt to build the cards. I mean that the cost of a recall would be huge to change just a few security settings. For instance, if you choose to allow unlimited attempts instead of just three, changing it back to three will cost you a return of all cards to the HelpDesk. This means that most smartcard-based projects try to do things right from the beginning, whereas many password-based projects start with "lower-level" security, try to improve on it, and eventually give up on it.
All in all, PIN codes and smartcards seem a good choice.
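To make points 2 and 6 concrete, here is a small simulation I added for this page (it is not code from the original post and not a real smartcard API): a toy card that keeps its PIN, its SOPIN and its key on-card, blocks itself after three wrong PINs until the SOPIN unblocks it, and answers a verifier's random challenge instead of handing over a secret. The card object, the verifier, the PIN values and the HMAC-based challenge/response are all constructed assumptions; a real card would sign the challenge with a private key matching its certificate, and the verifier would hold only the public key, but a shared HMAC key keeps the example to the standard library while preserving the property that matters here: the verifier never sees the PIN, and nothing it could find in memory lets it impersonate the user.

```python
"""Toy model of a PIN-protected smartcard with a retry counter and
challenge/response authentication. Constructed example, not a real API."""
import hashlib
import hmac
import secrets

MAX_PIN_TRIES = 3      # the "just three attempts" from the post
PIN_SPACE = 10 ** 4    # 4 decimal digits


class CardBlocked(Exception):
    """Raised when the retry counter is exhausted; only the SOPIN unblocks."""


class ToyCard:
    """Everything sensitive (PIN, SOPIN, key) stays inside this object."""

    def __init__(self, pin: str, sopin: str, key: bytes):
        self._pin = pin
        self._sopin = sopin      # administrator unblock code
        self._key = key          # stand-in for the card's private key
        self.tries_left = MAX_PIN_TRIES
        self._unlocked = False

    def verify_pin(self, candidate: str) -> bool:
        if self.tries_left == 0:
            raise CardBlocked("PIN blocked; SOPIN required")
        if hmac.compare_digest(candidate.encode(), self._pin.encode()):
            self.tries_left = MAX_PIN_TRIES   # counter resets on success
            self._unlocked = True
            return True
        self.tries_left -= 1
        self._unlocked = False
        return False

    def unblock(self, sopin: str, new_pin: str) -> bool:
        """The single administrative path to recover a blocked card."""
        if not hmac.compare_digest(sopin.encode(), self._sopin.encode()):
            return False
        self._pin = new_pin
        self.tries_left = MAX_PIN_TRIES
        return True

    def respond(self, challenge: bytes) -> bytes:
        """Answer a challenge; refused unless the PIN was just verified."""
        if not self._unlocked:
            raise PermissionError("PIN not verified")
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Verifier:
    """Server side: issues a fresh random challenge and checks the answer.
    It never handles the PIN at all."""

    def __init__(self, key: bytes):
        self._key = key

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def check(self, challenge: bytes, response: bytes) -> bool:
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def brute_force_success_probability(tries: int = MAX_PIN_TRIES,
                                    space: int = PIN_SPACE) -> float:
    """Chance of guessing a uniformly chosen PIN within the allowed tries."""
    return tries / space


def demo() -> tuple:
    """Walk through: three bad PINs block the card, SOPIN unblocks it,
    then a challenge/response round succeeds. Returns the three outcomes."""
    key = secrets.token_bytes(32)                       # constructed key
    card = ToyCard(pin="4821", sopin="12345678", key=key)
    server = Verifier(key)
    for guess in ("0000", "1234", "1111"):              # three wrong guesses
        card.verify_pin(guess)
    blocked = card.tries_left == 0
    try:
        card.verify_pin("4821")                         # even the right PIN fails now
        raised = False
    except CardBlocked:
        raised = True
    card.unblock("12345678", "7390")                    # HelpDesk sets a new PIN
    card.verify_pin("7390")
    challenge = server.new_challenge()
    authenticated = server.check(challenge, card.respond(challenge))
    return blocked, raised, authenticated


if __name__ == "__main__":
    print(demo(), brute_force_success_probability())
```

With three tries against 10,000 PINs an attacker holding the card has a 0.03% chance before it blocks; the same 4 digits with unlimited tries would fall in seconds, which is why point 9 about getting the retry setting right from the start matters.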

Saturday, December 19, 2009

1-factor authentication in the Matrix

I just remembered the way Seraph tells Neo in the Matrix, "You do not truly know someone until you fight them," and I was trying to sort the fight that follows into one of the typical categories of authentication:
  1. Check what someone has.
  2. Check what someone knows.
  3. Check what someone is.
when I realized that in the precise context of the Matrix, in the case of Neo, categories 2 and 3 are the very same.
  • Neo is the One because he knows he is the One.
  • Being the One, Neo knows he is the best kung fu fighter.
  • Knowing he is the best kung fu fighter, Neo is the best kung fu fighter.
He is because he knows, and he knows because he is. Seraph indeed performs a 1-factor-only authentication to check that Neo is the One.

-+- The little joys of security-thinking! -+-