A while back, I blogged about the role of two-factor authentication tokens in protecting against phishing scams. Since then, the issue has come up again and has recently attracted more attention, so I thought I’d spend some time here revisiting it.
First, let’s recall what two-factor authentication means. There are three mechanisms we can use to prove to someone else that we are who we say we are:
(1) something we have - a driver’s license, access card, or key
(2) something we are - a biometric like a fingerprint
(3) something we know - a password, or other common information about ourselves (like a social security number, mailing address, or our mother’s maiden name).
Two-factor authentication simply refers to the idea of authenticating yourself using two of the above. Note that having two different passwords is not considered two-factor authentication: both are “something we know,” so together they are still a single factor. (Unfortunately, I have seen actual security companies get this concept wrong in their marketing literature.)
Now, for online transactions, passwords are the dominant “something we know” mechanism. One approach to fulfilling the “something we have” requirement is a hardware token that displays a sequence of digits that change relatively frequently and in a way that’s reasonably unpredictable to anyone other than the party who issued the token to you (the issuer holds a copy of the token’s secret and can compute the same digits). To demonstrate actual possession of this hardware token during an online transaction, you provide the value currently displayed on the token. Since the digits are hard to predict by anyone other than the token issuer, no one except you can enter the digits correctly, thereby proving that you have possession of the token. The token would be one factor. You would also enter your regular password, which constitutes a second factor.
While two-factor authentication refers to the general concept of having two different factors from the above list of three, from here on I’ll use it to refer to the specific case of using the above-mentioned hardware token in conjunction with a password.
Two-factor authentication addresses the problem of a single factor getting leaked. For example, if someone figured out your password, they still would not be able to transact as you since they don’t have the token. Similarly, if you lost the token, it would be useless to another person since they don’t have your password.
One interesting question is whether such hardware tokens can be used to solve the phishing problem. In a purely technical sense, the answer is no. Suppose someone sets up a phishing site that impersonates, say, your bank (and suppose that your bank uses hardware tokens as an additional authentication factor). If you give your password and the current token value to the fake site, the phisher can relay that information to the real bank immediately, while the token value is still valid. The token proves possession to whoever receives the digits; it does not prove that the site receiving them is really your bank. Alternatively, the phisher could sit between you and the bank and modify transactions in your session to his benefit. So, even having a two-factor authentication token will not solve the phishing problem in general.
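The token mechanism described above and the real-time relay that defeats it, as an added example that is not part of the original post. It implements an OATH-style one-time-password token (HOTP per RFC 4226, driven by a 30-second time step as in RFC 6238) using only Python’s standard library. The seed is the published RFC test key, the password, the 30-second step and the one-step clock-drift window are assumptions made for the demonstration, and the Bank and PhishingSite classes are constructed stand-ins, not real systems.

```python
import hashlib
import hmac
import struct

# Constructed example seed (the RFC 4226 / RFC 6238 test key, ASCII "12345678901234567890").
# In a real deployment the seed is provisioned into the token at manufacture and kept by
# the issuer; anyone holding it can compute the same digits the token displays.
SEED = b"12345678901234567890"
STEP_SECONDS = 30  # assumed refresh interval of the token display


def token_code(seed, counter, digits=6):
    """One HOTP value (RFC 4226): HMAC-SHA1 over an 8-byte big-endian counter,
    dynamically truncated to 31 bits and reduced to `digits` decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def time_step(now, step=STEP_SECONDS):
    """TOTP-style counter: number of whole `step`-second periods since the epoch."""
    return int(now) // step


def display(seed, now):
    """What the token on the user's keyring shows at time `now`."""
    return token_code(seed, time_step(now))


class Bank:
    """The issuer: holds the user's password and a copy of the token seed."""

    def __init__(self, password, seed):
        self._password = password
        self._seed = seed
        self._spent = set()  # time steps already redeemed; blocks replay of one code

    def login(self, password, code, now):
        if not hmac.compare_digest(password, self._password):
            return False
        step = time_step(now)
        for candidate in (step - 1, step, step + 1):  # tolerate one step of clock drift
            if hmac.compare_digest(code, token_code(self._seed, candidate)):
                if candidate in self._spent:
                    return False  # the same code presented a second time
                self._spent.add(candidate)
                return True
        return False


class PhishingSite:
    """Attacker's look-alike site. It has neither the seed nor the password, and it
    does not need them: it forwards whatever the victim types to the real bank at once."""

    def __init__(self, real_bank):
        self._real_bank = real_bank
        self.harvested = []

    def submit(self, password, code, now):
        self.harvested.append((password, code))
        return self._real_bank.login(password, code, now)  # real-time relay


def run_scenarios():
    """Returns the outcome of three logins against the same bank account."""
    bank = Bank("hunter2", SEED)  # constructed password
    phish = PhishingSite(bank)
    t_victim = 59                       # victim types credentials at t=59 (time step 1)
    code = display(SEED, t_victim)      # "287082", the RFC 6238 vector for T=1
    # 1. Real-time relay: two seconds later the phisher is logged in as the victim.
    relay_ok = phish.submit("hunter2", code, t_victim + 2)
    # 2. Stale loot: the same harvested code presented three minutes later is worthless.
    stale_ok = bank.login("hunter2", code, t_victim + 180)
    # 3. Leaked password alone: a guessed token value does not get in.
    guess_ok = bank.login("hunter2", "000000", t_victim + 2)
    return {"relay": relay_ok, "stale": stale_ok, "guess": guess_ok, "code": code}


if __name__ == "__main__":
    print(run_scenarios())
```

Scenario 1 is the point of the paragraph above: the bank cannot distinguish the phisher’s relayed submission from the victim’s own, because the digits only prove that someone who saw the token typed them. Scenarios 2 and 3 show what the token does buy: a harvested code expires within a couple of time steps, and a password on its own is no longer enough.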
Despite this limitation, there is some merit to using such tokens. In particular, they change the economics of phishing. While all phishers are interested in collecting your sensitive credentials (credit card numbers, passwords, etc.), a smaller number are interested in using them then and there. Instead, many phishers will try to sell those credentials in the underground markets, and a token value that expires within a minute or so is of no use to the buyer. Different credentials have different monetary values depending on a variety of factors. The eleventh edition of Symantec’s Internet Security Threat Report contains information on the pricing trends we’ve observed.
If two-factor tokens reduce the profitability of phishing endeavors, or at least raise the bar for phishers, then they have merit, even if they are not a silver bullet. If two-factor tokens become more prevalent, I suspect phishers will change up their game and more attacks will be conducted in real time. Ultimately, such tokens are not going to provide an adequate defense on their own. However, for the time being they do have merits.
When it comes to security technologies, it’s problematic to think in absolutes. Instead, it’s important to evaluate whether a particular technology will have some positive impact. We can consider that impact in relation to the cost of the technology, and only then can we make the correct tradeoffs.