At BarCampLeeds2009 I decided to chat about multi-factor authentication and what we can do ourselves now. I will summarise my waffling here.
Multi-factor authentication combines multiple factors to be more certain that the person trying to log in is the person who should log in. Traditionally only one factor of authentication is used, that being “something you know”, otherwise known as a password. Other factors include “something you have”, such as a key, or “something you are”, such as a fingerprint.
A multi-factor solution that is being used by many organisations is a “something you know” and “something you have” combination. This is a really good combination in my opinion. Although I question the neutrality of many of the surveys, I agree that the biggest threats to accounts being compromised at the moment are malware capturing passwords, or social engineering where a user is persuaded to reveal their password to a person or a fake web site. Using a physical “key” means that even if the user’s password is known it cannot be used without the key.
So, how do you use a key on the Internet? There are a number of ways of doing this, but they all revolve around the concept of having a dynamic password that is used once. The device shows a pseudo-random code that is unpredictable by anyone without a secret known only to the key and the server; this is entered into the web site by the user, and the server compares the code with what it was expecting.
The code has to change and each code should only be used once, and this can be done in several ways. One solution is to have a timer in the key and change the code every 30 seconds or so. Another solution is to have a button that changes the number each time it is pressed, with the server remembering how many times it has been pressed. The latter solution can be easily implemented on paper.
As part of Open Hack Day London 2009 we developed an open source security key.
One thing you can do at the moment is pay only £3 and buy a PayPal security key, and I do recommend you do this. This generates a new number every 30 seconds and you enter this in addition to your password when logging in. The key is automatically linked to your PayPal account and you just need to activate it, and you can also attach the key to your eBay account so you can use it on that as well.
If you have a modern smart phone then you may be able to install the software version of the security key for free, but I am willing to pay £3 for the convenience of just pressing one button on my key ring rather than faffing around with the mobile. You can associate a phone and several keys with your PayPal account so you can use both, but only one device can be used with your eBay account at any one time.
The same security key can be used on any VeriSign VIP Network member web site in addition to PayPal and eBay. One of these members is VeriSign Labs. This is useful because VeriSign Labs have a product in beta called Personal Identity Portal (PIP). This is an OpenID server and a service that stores your passwords and will log you in to a service without you having to enter your password. Although the latter requires a browser plugin to be installed, and I believe the password may still be discoverable by some malware, it does remove the need for you to type in a password.
All these solutions have a backup path to log in, so if you lose your token you can still log in. This is useful if you lose, forget or break your key, but it does lower the security to that of the weakest link.
Finally some people who arrived late to the discussion wanted to know what the relevance of the model train was. There was no link, I just wanted to play with the train. :-)