Google’s move to add two-step authentication is laudable, but could lull users into a false sense of security, says Eric Doyle
Google has added two-step authentication to a variety of its accounts, such as the basic Google account and its Gmail services. While this is an extra security step in the right direction, it is not as secure as people may think.
Many users will simply ignore this extra layer of annoyance, as they see it, and some of those who use it will not think through the process and just accept it as a cast iron security improvement.
Stepping Up The Complexity
Two-factor authentication rests on the principle that you first sign on with your user name and password (the first factor). You must then enter a second password, known as a verification code, which the service provider sends to your mobile phone by SMS (the second factor). The process is summed up in the phrase: something you know (your password) and something you have (your mobile phone).
The problem is that it does not act as a safeguard against “man in the middle” phishing scams where spam emails contain links to fake sites, usually spoofed banking sites. It also does not allow for the march of technology.
In its original concept, the two-step method relied on the fact that users would browse the web from their laptop or desktop PC. Sending a validation code to an independent device – the phone – meant that online hackers could not intercept the code in transit. It also meant that a thief would have to have access both to the user’s computer and their phone. The phone was known as an out-of-band device.
Today, it is more likely that the mobile browsing device and the phone are one and the same device, or in-band, which weakens two-factor SMS systems. Although the remote hacker is still blocked, the thief who steals, or finds, a phone has effective access to both devices. The extra layer of security becomes a chocolate fireguard – a sight to behold but actually useless.
Owners of iPhone, Android and BlackBerry smartphones may even have downloaded an app which automatically generates the validation code, further aiding the thief.
Graham Cluley, senior technology consultant at Sophos, agreed: “Yes, it’s a good step from Google… but if it’s your phone that you’re using to access your web-based accounts, it’s not going to be that much help. Many users use their smartphone as a browser and, when asked for a number, without thinking, will supply the number of the very device they are browsing from rather than a secondary phone.”
Mobile Security Leaves Much To Be Desired
The problem does not stop there. Once in possession of the phone, the thief can cause so many other problems for the careless or luckless user.
“Mind you, many people don’t have their smartphones protected by a PIN code,” Cluley added, “even though they have them automatically remember all of their web-based passwords, so there are lots of problems in this area.”
Another danger is in the increasing number of Trojan horse apps with malicious code hidden inside. This is mainly a concern for smartphones that have unregulated download marketplaces. It would be simple to write a Trojan that allows a remote hacker to piggy-back on a user’s sessions.
This would mean that the hacker would be alerted once the validation is complete and would then be able to covertly insert their own transactions into the session.
Barclays, and some other banks, provide online customers with a validation device that requires a credit card to be inserted and its PIN entered to generate a passcode. The user has their own bank-issued ID, and the separately-created validation code adds a true layer of added security.
The token-generating device still has its failings but is less vulnerable than SMS-based two-step security.
Google gives the impression that its latest move is a large step towards safeguarding user accounts but that’s just the marketing hype. Times change, and security systems have to respond to this march. Simple locks in the middle ages gradually evolved into the tumbler locks seen everywhere today, the increasing number of PIN-coded electronic locks, and the future use of palmprint or fingerprint locks.
Google is to be applauded for making its accounts a little more secure. It has shown that, like Facebook, it is taking the issue seriously, though Facebook has a lot to learn in overall security. But let’s not allow all this door-locking to go to our heads. More secure is not the same as strongly secured and the days of phone-based authentication started to fade when the first browser appeared on a mobile phone.