Two-Step Verification Dances Around the Issue

By Andrew James, written on August 8, 2012

From The News Desk

Last June, millions of LinkedIn password hashes were leaked. In July, some 400,000 Yahoo account credentials were dumped online. On Friday, one tech writer, Mat Honan, had his Apple and Amazon accounts taken over by an attacker who talked his way past their customer-support staff, bringing down the rest of his digital identity and wiping years' worth of personal information.

Since Honan's post on Wired recounting the hack, the Internet has been buzzing with advice on how best to protect an account against the human factor: support staff who can be talked into handing over access to someone else's personal information. The conclusion most have come to is that two-step authentication will be our saviour: you enter a password, and the service provider then text messages a separate code that you must type in to finish logging in. It seems to work like a dream – I used it when my Gmail started to act up while living in Shanghai.

Honan's Amazon account was seized with a very old trick, one that predates computers by decades at least. Criminals used it against bank accounts: add a fake second name to an already verified account, then use that foothold to remove the real identity, leaving a verified account that now answers to a fake name. The Amazon version swapped in a credit card and an email address, but the move is the same. It is worrying that a human exploit in use half a century ago still works today.

As long as every company uses its own independent means of identification, and the "Forgot Your Password?" link exists, hijacking an account will remain possible, regardless of how many levels of authentication sit in front of it. If social engineering can so successfully exploit a relatively robust-seeming system like the password reset process, what is to stop an attacker from using a similar ploy to get past two-step verification? Almost every company that offers added security also provides a fallback for logging in when your phone has been lost or stolen. These fallbacks generally rest on a less secure email account or on easily found personal information, so the second factor is only as strong as the recovery path around it. Gaining access to someone's email ends up being just as easy as the original hack.

This is the problem that Chris Drake of CryptoPhoto – who owns a patent for two-step verification – has been battling.

“Google is really smart, so I'm double annoyed that they came up with such a lame solution," says Drake. "The entire paradigm of most two-factor security solutions in practice is flawed. The main problem is that when users can't log in due to some 2FA problem, they somehow need to still be connected to their account. So providers implement ways to bypass it, which of course then gets exploited just like everything else.”

Even locking the recovery door altogether may not solve the problem. If the figures from Bryant Gehring, Google's Account Recovery Strategist, are correct, email account hijackings occur "in the low thousands" per day. On the other side of the ledger, 113 cell phones are lost or stolen every minute in the US, so tying two-step verification to a handset puts more than a hundred people a minute at risk of losing access to their online accounts. That is the US alone, and it works out to over 160,000 Americans a day who, if two-step verification came without a simple recovery process, would be locked out of their accounts.

Drake continues, "[P]eople lose phones. Worse, people also go on holidays, and guess what? Most of the time, your phone doesn't work in some new country [...] If everyone used 2-step, that would be about 20 million American customers who are unable to use their google accounts at least once per month." Not to mention, as was discussed at the Australian Information Security Association last year, that even if two-step verification were the way forward, a disproportionate number of users feel uneasy giving out their phone number to anyone, including their email provider.

But Drake believes he is close to a robust solution to the problem with the CryptoPhoto app. Its second step does not rely on text messages, or even on text. On sign-in, the site displays an image in the browser and at the same time pushes a message to your phone showing a matrix of photos, asking you to tap the one that matches. A single tap on the correct image logs you in.

CryptoPhoto's website describes it this way: users enter their username and password into the site they are trying to access, and the second level is tied either to a physical token (CryptoPhoto offers a printable version as well) or to the smartphone app, which verifies the customer to the site while at the same time verifying the site to the customer. CryptoPhoto is not simply two-step verification but bidirectional recognition between the site and the user's token: a site that does not know which photos belong to you cannot show you the right one. If the user loses their phone, any other enrolled device (e.g. an iPad, iPod, or Android device) with the app loaded, or the physical token (a printed sheet with the photo matrices), acts as the backup, not the name of your first pet.
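To make the "bidirectional recognition" concrete, here is a toy model of the look-and-match exchange the two paragraphs above describe. It is an added illustration written for this page, not CryptoPhoto's protocol or code, and it rests on assumptions the article does not spell out: the site and every enrolled token (phone app, tablet app, printed sheet) share a per-user secret set of photos; each photo on the token carries a short code that the app sends when tapped or the sheet user types in; photos are represented by labels instead of image bytes; and the library size, set size and user "mat" are constructed sample data. The site proves it knows the user's photo set by showing one of those photos; the user proves possession of a token by returning the code behind that photo.

```python
"""Toy model of a look-and-match second factor with mutual recognition.

Added example, not CryptoPhoto's code. Assumptions: the site and every enrolled
token share a secret per-user photo set; each photo on a token has a short code
that is returned when the user taps it; photos are labels, not real images.
"""
import hashlib
import secrets

RNG = secrets.SystemRandom()
PHOTO_LIBRARY = [f"photo-{i:02d}" for i in range(40)]  # constructed stand-in for images
SET_SIZE = 12  # photos per user: one printed sheet or one app screen (assumption)


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Token:
    """One enrolled device or printed sheet: a copy of the user's photo->code table."""

    def __init__(self, name: str, table: dict):
        self.name = name
        self.table = dict(table)

    def matrix(self) -> list:
        # What the phone shows after the push (or what is printed on the sheet):
        # the user's own photos, shuffled.
        return RNG.sample(list(self.table), len(self.table))

    def respond(self, photo_on_site: str):
        # Simulated user: find the tile matching the browser and tap it, so the
        # app sends that tile's code (a sheet user would type it). A photo that
        # is not on the matrix gets no tap at all, so nothing leaks.
        if photo_on_site not in self.matrix():
            return None
        return self.table[photo_on_site]


class Site:
    def __init__(self):
        self.users = {}    # username -> salt, password hash, photo->code table
        self.pending = {}  # session id -> (username, photo shown in the browser)

    def enroll(self, username: str, password: str) -> dict:
        salt = secrets.token_bytes(16)
        table = {p: secrets.token_hex(3) for p in RNG.sample(PHOTO_LIBRARY, SET_SIZE)}
        self.users[username] = {"salt": salt, "pw": _hash_pw(password, salt), "table": table}
        return table  # loaded into every token the user enrols

    def start_login(self, username: str, password: str):
        # Step 1: password. Step 2 starts only after it checks out: the site
        # proves it knows the user's photo set by showing one of those photos.
        u = self.users.get(username)
        if u is None or not secrets.compare_digest(u["pw"], _hash_pw(password, u["salt"])):
            return None
        sid = secrets.token_urlsafe(16)
        shown = RNG.choice(list(u["table"]))
        self.pending[sid] = (username, shown)
        return sid, shown

    def finish_login(self, sid: str, response) -> bool:
        # The session is consumed whether or not the response is right, so a
        # wrong or replayed answer cannot be retried against the same challenge.
        entry = self.pending.pop(sid, None)
        if entry is None or response is None:
            return False
        username, shown = entry
        expected = self.users[username]["table"][shown]
        return secrets.compare_digest(expected, response)


def genuine_login(site: Site, token: Token, username: str, password: str) -> bool:
    started = site.start_login(username, password)
    if started is None:
        return False
    sid, shown = started
    return site.finish_login(sid, token.respond(shown))


def login_with_stolen_password(site: Site, username: str, password: str) -> bool:
    # Attacker holds the password but no token: the site shows a photo, but the
    # code behind it lives only on the user's tokens, so a guess fails.
    started = site.start_login(username, password)
    if started is None:
        return False
    sid, _shown = started
    return site.finish_login(sid, "not-a-code")


def phishing_page(token: Token) -> bool:
    # A fake site never learned the user's photo set, so it cannot show a photo
    # the token has a tile for; the user finds nothing to tap and no code leaks.
    return token.respond("attacker-photo") is not None


def demo() -> dict:
    site = Site()
    table = site.enroll("mat", "correct horse")          # constructed user
    phone = Token("phone", table)
    sheet = Token("printed sheet", table)                 # backup: same set, no phone number
    return {
        "genuine": genuine_login(site, phone, "mat", "correct horse"),
        "wrong_password": genuine_login(site, phone, "mat", "wrong"),
        "stolen_password_no_token": login_with_stolen_password(site, "mat", "correct horse"),
        "phishing_page": phishing_page(phone),
        "lost_phone_sheet_backup": genuine_login(site, sheet, "mat", "correct horse"),
    }


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario:26s} -> {'logged in' if ok else 'denied'}")
```

The model shows what the article is after: the backup is a second copy of the shared photo set rather than a phone number or a security question, and a page that does not hold that set cannot present a convincing challenge. The usual caveat applies to any look-and-match step, this one included: an attacker who relays a live session, showing the user the genuine site's photo in real time, still gets a valid tap, so the scheme raises the bar for stolen passwords and bulk phishing rather than for a targeted man-in-the-middle.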

Drake claims that his program solves "pretty much" all of the current problems. But we are now reaching a point where people are becoming the weakest factor in our own online security.