Two-Factor Authentication (2FA) – Cisco Security Tools
As mentioned earlier, three factors are used to authenticate a user:
• Something you know
• Something you have
• Something you are
Passwords and passphrases are something you know. Because people often choose easy-to-guess passwords, and because even strong passwords are sometimes stolen through phishing or data breaches, security experts recommend adding a second factor, normally something you have.
Two-factor authentication (2FA) adds a second factor, usually something you have, to the first form of authentication, normally a password or passphrase.
The first common form of 2FA is texting a code to a cellular telephone. The advantage of this system is most users have a cellular telephone, and cellular providers are good at assigning only a single number to a single phone or account. There are ways to attack this kind of 2FA, however. For instance:
• Attackers can clone a SIM card or, more commonly, persuade the carrier to move the number to a SIM they control (a SIM swap), so that a device they hold receives the code.
• An attacker who steals your phone, or who can reach it while you are asleep or otherwise unaware, can read the code and use it to break into an account.
• Some phone plans and messaging apps let you share an account or mirror messages to other devices, so other people can see your text messages.
• If you lose your phone, you lose access to your account; there must be some backup for the 2FA system.
Despite these limitations, text messaging is one of the most widely used 2FA systems.
A second common form of 2FA is a rotating security code, often called a token, generated by a device or application. To use this form of 2FA, the user installs an authenticator app on one of their devices, such as a cellular telephone, or purchases a hardware token. The app or device generates a new code periodically, typically every 30 seconds (the RFC 6238 TOTP default used by most authenticator apps) or every 60 seconds (used by some hardware tokens).
Code generation is driven by a shared secret and a clock, so the user's generator and the service's verifier must agree on both. Users log in with their password or passphrase plus the current code; the server computes the code it expects for the current time step (usually allowing one step of clock drift either way) and checks that the submitted code matches. Because each code is valid only briefly, a captured code is useful to an attacker for at most a minute or so, though a phishing site that relays the code to the real service in real time can still defeat it.
A third common form of 2FA is push notifications. In this case, the user installs an app on a mobile device such as a cellular telephone. When the user attempts to log in to a service, the service pushes a notification to the user's device, and the user authenticates by approving the login request. Because approval is a single tap, an attacker who already holds the password can send repeated login attempts in the hope that the user approves one by mistake or to make the prompts stop (often called push fatigue or MFA bombing); showing a number in the prompt that the user must copy from the login screen defeats this.
Passwordless Systems
Many security experts believe passwordless systems are the future of authentication. Passwordless systems eliminate what you know from the authentication process, relying instead on a combination of what you have and what you are.
Typical passwordless systems use two forms of authentication:
• Physical possession of a device like a USB key, host, or mobile device
• A biometric sensor of some type
Figure 20-3 illustrates a passwordless authentication system using a facial recognition camera.
Figure 20-3 Passwordless Authentication System
1. The user, manufacturer, dealer, or operator enrolls the device on activation. Enrollment uses a hardware-based identifier, such as a physical interface (MAC) address or an embedded SIM (eUICC) identifier (EID), to create a device key; because such identifiers are public, secret material generated at activation is mixed in rather than using the identifier alone. The device key is stored in secure device memory (a secure element or trusted execution environment), not in ordinary application storage.
2. The user uses the camera to enroll their face. The device does not store a picture of the user's face; it derives a numeric template from the picture (the text calls this a hash, but unlike a cryptographic hash it must tolerate small differences between captures, so matching is done by closeness rather than exact equality), and the template is then encrypted or signed using the key created in step 1.
3. When the user attempts to log in to the device, or to any service requiring a token, the device key is retrieved from secure memory and used to decrypt or verify the enrolled template; a fresh capture is converted with the same algorithm and compared to it. If the two are close enough, the first stage of authentication passes.
4. A token is created and handed off to the requesting app. This token might unlock the phone, log in to a password manager or a secure system, etc.
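The four steps above, as an added example that is not code from the book or from any vendor. It models the face as a 64-bit feature vector (constructed for the example), binds the device key to a hardware identifier plus activation secret, stores the template with an HMAC tag as the "secure memory" contents, matches a fresh capture by Hamming distance with a tolerance, and hands a short-lived signed token to the requesting app. The token is signed with the device key for simplicity; a real system would use an asymmetric credential so the service never holds the device's secret. The hardware identifier, activation secret, templates and threshold are all assumed values.

```python
import hashlib
import hmac
import json

# --- Step 1: device key bound to a hardware identifier, kept in secure storage.
# The identifier (MAC address, EID) is public, so it is mixed with secret
# material generated once at activation rather than used as the key by itself.
def derive_device_key(hardware_id: bytes, activation_secret: bytes) -> bytes:
    return hmac.new(activation_secret, b"device-key|" + hardware_id,
                    hashlib.sha256).digest()


# --- Step 2: enrolment. The face is reduced to a fixed-length feature vector
# (a 64-bit integer here, constructed for the example) and stored with an
# authentication tag under the device key; no image is kept anywhere.
def enroll(device_key: bytes, template: int) -> dict:
    tmpl = template.to_bytes(8, "big")
    tag = hmac.new(device_key, b"template|" + tmpl, hashlib.sha256).digest()
    return {"template": tmpl, "tag": tag}  # the contents of "secure memory"


def hamming(a: int, b: int) -> int:
    """Number of feature bits that differ between two captures."""
    return bin(a ^ b).count("1")


# --- Steps 3 and 4: verify the stored template is intact, compare a fresh
# capture with a tolerance, and on success issue a short-lived token.
def authenticate(secure_store: dict, device_key: bytes, capture: int, app: str,
                 now: int, threshold: int = 8, ttl: int = 300):
    tmpl = secure_store["template"]
    expected_tag = hmac.new(device_key, b"template|" + tmpl, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, secure_store["tag"]):
        return None  # template tampered with, or wrong device key
    if hamming(int.from_bytes(tmpl, "big"), capture) > threshold:
        return None  # biometric mismatch (false rejection if it was the real user)
    body = {"app": app, "exp": now + ttl}
    msg = json.dumps(body, sort_keys=True).encode()
    body["sig"] = hmac.new(device_key, msg, hashlib.sha256).hexdigest()
    return body


def verify_token(device_key: bytes, token: dict, app: str, now: int) -> bool:
    """What the requesting app (or its backend) checks before trusting the token."""
    body = {k: v for k, v in token.items() if k != "sig"}
    msg = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(device_key, msg, hashlib.sha256).hexdigest()
    return (hmac.compare_digest(sig, token.get("sig", ""))
            and token.get("app") == app and now < token.get("exp", 0))


# Constructed sample data: an enrolled face, a later capture of the same face
# (3 feature bits differ: lighting, angle) and a different person (32 bits differ).
ENROLLED_FACE = 0xA5A5F00F1234ABCD
GENUINE_CAPTURE = ENROLLED_FACE ^ 0x0000000000000111
IMPOSTOR_CAPTURE = ENROLLED_FACE ^ 0xFFFF0000FFFF0000

if __name__ == "__main__":
    key = derive_device_key(b"00:11:22:33:44:55", b"activation-secret")  # assumed values
    store = enroll(key, ENROLLED_FACE)
    token = authenticate(store, key, GENUINE_CAPTURE, "password-manager", now=1000)
    print("genuine user:", token is not None)                                  # True
    print("impostor:", authenticate(store, key, IMPOSTOR_CAPTURE, "password-manager", 1000))  # None
    # A loose threshold lets the impostor in (false acceptance); a tight one
    # rejects the real user (false rejection). The threshold is the trade-off.
    print("impostor, threshold 40:",
          authenticate(store, key, IMPOSTOR_CAPTURE, "password-manager", 1000, threshold=40) is not None)  # True
    print("genuine, threshold 2:",
          authenticate(store, key, GENUINE_CAPTURE, "password-manager", 1000, threshold=2))  # None
```

The tag check is what the "encrypted or signed using the key created in step 1" wording buys: an attacker who can write to the storage but does not hold the device key cannot substitute their own face template, and a template copied to another device fails because that device derives a different key.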
One of the most common misconceptions about biometric systems is they store a copy of your fingerprint or your face on the device. If an attacker breaks into your device’s secure storage, they will not see any images but rather just a long string of numbers. This number describes the user’s face, fingerprint, etc.
One of the risks of biometric systems is that you cannot get a new fingerprint or face if an attacker somehow steals enough information about your face to re-create the template stored on the device. Short of getting plastic surgery, it is difficult to change your face. This is why the template should never leave secure storage and why the match is done on the device rather than by sending biometric data to a server.
Facial and fingerprint recognition systems are also notoriously fickle. Legitimate users are often not recognized (false rejections), and the systems sometimes accept faces or fingerprints that do not belong to the enrolled user (false acceptances); the matching threshold trades one kind of error against the other.
Note
The “Encryption” section later in this chapter explains encryption and cryptographic hashes.