Two-Factor Authentication

With more and more of my personal data being hosted in the cloud, I felt that I needed to take security more seriously. Since passwords are the weakest link in most systems, I was looking for a better solution. While I'm able to generate sufficiently secure passwords, there are only so many I can remember and I don't trust cloud-based password managers.

One common approach to improve security is two-factor authentication where you prove your identity using something you know (the first factor) and something you have (the second factor). Online banking has always worked this way - you had your PIN that you needed to keep secret and a list of TANs (lately, hardware tokens have become more popular). Even if the secret gets compromised, an adversary also needs to get hold of the second factor to do any damage.

Another example is SSH public key authentication, which is essentially a two-factor approach because you need the private key and and a passphrase to decrypt it (if you choose to set a passphrase). This is sufficiently secure for me; no password ever leaves my local system. As an additional layer of security, I disable SSH password authentication completely and don't permit root logins.

Over the last couple of years, more and more web sites have started to support two-factor authentication. One popular approach is through Time-based One-time Passwords (TOTP, RFC 6238). The basic idea is that client and server synchronize at some point by creating a shared secret. Using this secret, a timestamp, and a cryptographic hashing function, both client and server can generate the security code for any point in time. Users typically authenticate using a password and the generated one-time password that is valid at login time.

Instead of dedicated hardware tokens to generate one-time passwords, Google Authenticator can be used, a smartphone app that is available for all major mobile platforms (check your app store!). All you need is to synchronize with the server once by scanning a QR code. Note that if you scan the same QR code with multiple devices, you can use all of these devices as a security token (this is how TOTP works).

While this works great, there's the danger of locking yourself out of your account if you lose your smartphone. This is why all sites where I enabled two-factor authentication (Google, GitHub, Wordpress, and DigitalOcean) have a recovery mechanism for this case. Some providers give you a list of backup codes that you can print, or support an alternative login flow via SMS (which itself can be a security risk).

Another approach that is slowly gaining popularity is the use of FIDO U2F devices. I'll leave that for a future article.