Two-factor authentication: an often-overlooked fallacy

First off: I’m not saying that two-factor authentication (2-FA) is bad. It’s a rather good method. But people should be aware of what their authentication factors really are, and not presume properties that they do not have.

Let me explain.

We all know about the quality of the easy “something you know” factor: it’s a password/-phrase/-poem or similar, stuff that you can easily memorize and thus do not need to carry around outside of your head. Let me repeat: it’s a memorizable quantum of information. Thus, the only safe storage for this — logically — is your head, as this information can be extracted terribly easily by humans if it’s anywhere else. That means reading it off a post-it, finding the file containing the password — or even guessing it, because, let’s face it, many people use mnemonic passwords.

As the name of 2-FA implies, there’s also a second factor, often described by the phrases “something you have” or “something you are”. What these mnemonics insinuate is that there is nothing that you “know” about these factors, which — although in most cases mostly true — isn’t accurate.

When using common second factors like cryptographic tokens, keys, biometric data or similar, you shouldn’t forget that you’re still dealing with simple information. It’s just that this particular piece of information, usually, is not memorizable in the usual terms. A key’s bitting (the pattern of cuts along its blade) can be easily mapped into information describing where the cuts are, how deep they are, etc. A human’s DNA can be represented in a pretty long string. A key ring authentication fob is usually little more than a secret “seed” plus an algorithm applied to it.

So it’s not that it’s impossible to gain access to the second factor without possessing it, it’s just far less trivial than a simple effort of memorization. Key fobs don’t allow you to view the seed, for example, but if you can eavesdrop on a synchronization, you have everything you need — and don’t even need the fob. Depending on the complexity of a physical key, a simple photograph is enough to copy it. And these are all methods where you wouldn’t even know your secret information was leaked, if done right.
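To make the “seed plus an algorithm” point concrete, here is an added example (not code from the original post) implementing the standard HOTP/TOTP derivation from RFC 4226 and RFC 6238 with Python’s standard library only. The seed used is the well-known RFC test secret (ASCII “12345678901234567890”), which is a constructed example, not anyone’s real credential. The `seed_copy_is_equivalent` helper is the author’s point in code: the fob has no magic, so any party holding a byte-for-byte copy of the seed (leaked during provisioning or synchronization) produces exactly the same codes, which is why the seed deserves the same protection as a password. The `verify` function shows the server side, with a small clock-skew window and a constant-time comparison.

```python
import hmac
import hashlib
import struct
import time

# Constructed example seed: the RFC 4226 / RFC 6238 test secret.
# A real seed must never live in source code; it is here only to show the derivation.
EXAMPLE_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    dynamic truncation to 31 bits, then reduction modulo 10^digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(seed, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of elapsed time steps."""
    return hotp(seed, unix_time // step, digits)


def verify(seed: bytes, candidate: str, unix_time: int,
           step: int = 30, window: int = 1, digits: int = 6) -> bool:
    """Server-side check: accept the code for the current step and +/- `window`
    neighbouring steps (clock skew), comparing in constant time."""
    accepted = False
    for drift in range(-window, window + 1):
        expected = totp(seed, unix_time + drift * step, step, digits)
        # No early return, so timing does not reveal which step matched.
        if hmac.compare_digest(expected, candidate):
            accepted = True
    return accepted


def seed_copy_is_equivalent(seed: bytes, unix_time: int) -> bool:
    """The fob's 'something you have' is just this seed: a copy of the bytes,
    fed to the same public algorithm, yields an identical code."""
    code_from_fob = totp(seed, unix_time)
    code_from_copy = totp(bytes(seed), unix_time)  # the leaked copy
    return code_from_fob == code_from_copy


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(EXAMPLE_SEED, now))
    print("copy of seed yields same code:", seed_copy_is_equivalent(EXAMPLE_SEED, now))
```

The derivation uses only the published algorithm; nothing about the fob itself enters the computation. That is the whole lesson: the hardware is a convenient container, and the secret it contains is ordinary information that can be copied like any other.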

Thus, always remember: two-factor authentication isn’t inherently secure. You need to protect all the factors equally well, and never assume a factor to be “safe”. After all, you are susceptible to rubber-hose cryptanalysis.

For a quick popular culture example of authentication factor secrecy, the movie “Inception” is an unexpected but welcome candidate. (Spoilers.) In it, each character that delves into dreams is urged to fashion a “totem” with specific properties that only they know, so that they can check they’re not in someone else’s dream. It’s vital for them not to let anyone else see their totem, as it would give them the power to fool the other into believing in an invalid authentication.

Here, the information is physical, but due to its special nature, also memorizable. You might argue this reduces it to a “what you know” category, but it is a physical factor that allows you to verify that the current reality is the same as the one you created your totem in. The fact that the relevant system isn’t a computer but the real world just shows how feeble the idea of a physical token actually is.