I used to answer security questions on website accounts with things that had absolutely nothing to do with the question. Many common security questions seem absurdly easy to get correct if you actually enter accurate answers. Most of the time, if you ask me one of my security questions, I have no idea what I wrote for them. The security of my accounts has depended on the fact that I pick passwords that are impossible to guess and pretty hard to crack.
But recently, I've noticed more websites using what's called "two-step verification". I ran into this issue this morning when I was logging into a Yahoo Mail account and the log-in was deemed "suspicious". Yahoo, like most websites that use this, seems to have an extremely broad definition of "suspicious" -- any device that it doesn't recognize. Well that's just swell considering that one of the major advantages of web-based accounts is the ability to log on from anywhere with an Internet connection.
Security questions were intended to be used to recover forgotten passwords. I'm fairly adept at remembering passwords since I use the Internet so much. I can count on one hand the number of times in ten years that I've had to recover a password and all of those were for accounts that I hadn't used in ages. I've never needed to use security questions for recovering a password, since I can just use the option to reset it through a backup email address or mobile phone number.
So of course when Yahoo decides my log-in attempt is "suspicious" and demands that I answer a security question, I have no idea what the answer is. Fortunately, Yahoo gave me the option to have a code emailed to a backup non-Yahoo email address that I then had to enter to gain access to my Yahoo account. I'm not sure what would have happened had the other email service pulled out its own silly two-step authentication.
Yahoo didn't provide any notice that it was going to change the way I access my account. That's also typical; services rarely provide any kind of advance notice that they're going to unveil a two-step authentication scheme. That means I'm getting paranoid that some vital service I use is going to suddenly demand that I answer one of my gibberish security questions. That in turn means that more and more, my security questions aren't quite as nonsensical as they used to be, so that I can remember them.
Yahoo isn't using anything new as a second step in two-step authentication. It's using data it already has on file for the purpose of recovering passwords. In other words, if someone knows the answer to a security question -- the second step of the two-step authentication -- they don't need your password because they can answer that question to reset the password. But I have to make the security question weaker in case I have to remember it to be able to log in, which reduces the effectiveness of having a strong password.
The bottom line is that two-step authentication means that people have to remember more information to access their accounts, which vastly increases the risk that people will either use information that's easier to remember (and thus less secure) or write the information down. In other words, we've solved a problem that's created by Americans acting like idiots with a system that requires them to be smarter.
If you doubt that Americans are acting like idiots when it comes to security, just consider this analysis that found that one in five ATM PINs is either 1234, 0000, or 1111. And more technologically savvy users have to pay the price for the 1 in 9 Americans who use 1234 as their ATM PINs in the form of greater inconvenience and less security.
Of course, the way passwords are often implemented presents its own set of challenges. For instance, my ISP only allows passwords of a very limited length and only allows letters and numbers (no special characters), making things much easier for hackers who understand simple math. Come to think of it, who came up with the absurd idea that the password to every bank account in America should be a 4-digit number containing only 0-9?
Other services require passwords that contain numbers and letters and capital letters and special characters, making for passwords that might well be extremely secure in theory but that are such a mess that people just write them down.
That brings up the question of just how secure nonsensical passwords like tZwtX7%$43eoc9 really are anyway. For a human, a password like that is pretty much uncrackable. But things get a lot easier if you're a computer. Especially if you're becoming a more powerful computer every year. Don't even get me started on what happens when you have a computer that can build a computer that's superior to itself or (every cryptographer's nightmare) a quantum computer.
A system such as Diceware is far harder to crack even when you consider that the word lists are public. Diceware produces pass phrases that are real words, and thus much easier to remember. It eliminates the need to remember long strings of random meaningless characters. It reduces the likelihood of people giving up and writing their passwords down out of sheer hopelessness. It gets rid of the silliness of relying on questions that anyone can find out about anyone else through a basic background check or search on a genealogy website (such as "In what city were you born?") for "security". And it makes two-step authentication unnecessary.
Alas, there are very few services that would accept a Diceware pass phrase, due to the fact that there are no capital letters, numbers, or special characters. Basically, we've created an entire technological infrastructure with security based on passwords that are nearly impossible for a human to remember but are incredibly easy for a computer to figure out.
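The arithmetic behind the last three paragraphs, as an added example that is not part of the original post. It sizes the random password above the way a cracker's mask attack would (the union of the character classes it uses, 94 printable ASCII characters here), compares that against Diceware phrases of various lengths, and shows the five-dice lookup itself. The 1e10 guesses-per-second rate and the stand-in word list are assumptions for the demonstration; substitute the published Diceware list, which uses the same "11111" to "66666" keys, for real use.

```python
import math
import secrets
import string

# Standard Diceware: five dice, 6**5 = 7776 entries keyed "11111" .. "66666".
DICEWARE_LIST_SIZE = 6 ** 5
BITS_PER_WORD = math.log2(DICEWARE_LIST_SIZE)   # about 12.92 bits per word

# Assumption for the time-to-crack estimate: 1e10 guesses/s, a plausible rate for
# a GPU rig against a fast unsalted hash. Slow KDFs (bcrypt, scrypt, Argon2) cut
# this by orders of magnitude.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a string drawn uniformly at random: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def charset_size(password: str) -> int:
    """Size the search space the way a cracker's mask attack would: the union
    of every character class the password actually uses."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 ASCII symbols
    return size


def random_password_bits(password: str) -> float:
    """Upper bound on a password's strength, valid only if every character was
    chosen uniformly from its class union (i.e. it was generated, not typed by
    a human who then 'remembered' it)."""
    return entropy_bits(charset_size(password), len(password))


def diceware_bits(num_words: int) -> float:
    """Public word list or not, the entropy lives entirely in the dice rolls."""
    return num_words * BITS_PER_WORD


def words_to_match(target_bits: float) -> int:
    """Smallest Diceware phrase at least as strong as target_bits."""
    return math.ceil(target_bits / BITS_PER_WORD)


def years_to_exhaust(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Time to try the whole space; on average an attacker needs half of it."""
    return (2 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def roll_diceware_index() -> str:
    """Five dice rolls as the lookup key, e.g. '43121'. secrets is the CSPRNG
    stand-in for physical dice; never use random.randint for this."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))


def diceware_passphrase(wordlist: dict, num_words: int) -> str:
    """Roll num_words times and join the looked-up words with spaces."""
    return " ".join(wordlist[roll_diceware_index()] for _ in range(num_words))


# Constructed stand-in for the published list: every index maps to a placeholder.
STAND_IN_WORDLIST = {
    f"{a}{b}{c}{d}{e}": f"word{a}{b}{c}{d}{e}"
    for a in range(1, 7) for b in range(1, 7) for c in range(1, 7)
    for d in range(1, 7) for e in range(1, 7)
}

if __name__ == "__main__":
    pw = "tZwtX7%$43eoc9"
    pw_bits = random_password_bits(pw)
    print(f"{pw}: charset {charset_size(pw)}, {pw_bits:.1f} bits, "
          f"{years_to_exhaust(pw_bits):.2e} years to exhaust")
    for n in (5, 6, 7, 8):
        print(f"{n} Diceware words: {diceware_bits(n):.1f} bits, "
              f"{years_to_exhaust(diceware_bits(n)):.2e} years to exhaust")
    print("words needed to match the password:", words_to_match(pw_bits))
    print(f"4-digit PIN: {entropy_bits(10, 4):.1f} bits")
    print("sample phrase:", diceware_passphrase(STAND_IN_WORDLIST, 6))
```

Running it gives the honest comparison: the 14-character password is worth about 92 bits if it really was generated at random, a five-word phrase about 65 bits (roughly 90 years to exhaust at the assumed rate against a fast hash), and matching the password takes eight words. Publishing the word list costs nothing, since the guesser's work is the same whether or not the words are known; what the phrase buys is that those 90-odd bits are something a person can actually remember, which is the point being made above. A four-digit PIN, by the same measure, is about 13 bits.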
So I still don't have a great solution to the two-step authentication problem. One idea I've had is to set up an email account with a service that allows (and encourages) the use of Diceware that's strictly used for password recovery.
An even better idea is continuing to use "strong" passwords while creating Diceware pass phrases as the answers to security questions. The second option could actually work pretty well on a service that required two-step authentication, since it would provide a tough level of security with each step.
Anyone have any other ideas? No need to comment -- you can just log in to my Livejournal account and write your own post. My password is 1234.