On January 28th, Google hosted a panel discussion titled "When Geeks meet Wonks" in their DC offices for international Data Privacy Day. Google's Director of Privacy for Product Engineering, Alma Whitten, announced that two-factor authentication will be rolling out to all of Google's apps shortly. See http://www.privacywonk.net/2011/01/the-technology-of-privacy-when-geeks-meet-wonks.php for more info, but in short: Google is rolling out two-factor authentication by using mobile and land-line telephones to send one-time pass-codes. Remember those RSA SecurID tokens we've all had to carry around at one time or another? This is the same concept, except Google generates the pass-code on their end (vs. a dedicated device) and uses existing telecommunications infrastructure (channels) to transmit it to a device you enrolled in the service. This improves the security of your account by requiring an attacker to have access to both your password (what you know) and your enrolled device (what you have).
Ryan Singel (Wired) and Brian Krebs (Krebs on Security) have posts covering the details. Please check them out for more info.
From a security point of view, this is fantastic. I believe many more companies will follow in Google's footsteps, just as Google has been following in the footsteps of others to implement this service. For example, Chase and Bank of America have been using two-factor authentication for years. However, as more and more companies begin using this method, it will start to be exploited more frequently. There have already been reports of phishing attempts via SMS message. Bruce Schneier, back in 2004, said this was a fantastic development in the banking sector: http://www.schneier.com/blog/archives/2004/11/twofactor_authe.html. Less than a year later, he was very cold on the subject: http://www.schneier.com/blog/archives/2005/03/the_failure_of.html

I am very much excited that Google is doing this. Google accounts are quickly becoming just as valuable to us as our bank accounts. As I mentioned above, I believe more and more sites will begin to implement this type of technology. As this technology becomes more pervasive, new risks will be introduced beyond those illustrated by Mr. Schneier above.
- Large collections of cell phone and land-line phone numbers will be held by many companies that we previously would not have given such information to. Our online world doesn't always need to touch our real world. I am comfortable giving my cell phone number to my bank because those worlds overlap. To Facebook? To Google? To Twitter? To ABC start-up company? I am a bit more hesitant there.
- Will this authentication-focused information be included in information sold to advertisers? Will its use be explicitly detailed in privacy policies and/or terms of service agreements?
- We have seen recently some very high-profile cases of database intrusions and thefts (Heartland, Lush, etc.). If someone gets hold of these numbers, SMS spam will greatly increase. Imagine a database of 200 million phone numbers being compromised.
- Hopefully Google, and all others using this technology, will keep this column of data encrypted to combat theft and potential fraud.
- It is incredibly easy to spoof SMS, which could limit the amount of trust a user has in the authenticity of the SMS message.
- We can still trick users into visiting a fake site. The fake site communicates with the legitimate site and induces the legitimate site to send an access code via SMS while the user is still on the fake site. Then we have the user name and password as well as a valid authentication token. It might be a stretch, but it's possible.
To combat some of the risks above, I have two solutions:
- Use Google Voice or a similar service to forward SMS messages to your phone, giving yourself a layer of abstraction from your primary mobile/land-line phone number. However, this introduces more risks, for example SMS message archives.
- If you're ultra-paranoid, get yourself a burner phone to use only for these purposes. It's not your primary phone. You can leave it turned off for 99% of its life and it still gives you the exact same level of security as using your primary mobile. If it gets spammed, who cares? This is just like a throw-away e-mail address used on compulsory registration services.
Again, good job to Google for implementing this. The risks explained above are not meant as detractors but as knowledge. As always, be aware of everything you do online. If something seems suspicious, trust your gut. As more and more companies start using this two-factor method, keep the above risks in mind.
I would also look toward organizations like OpenID and OAuth to help tackle some of these issues. Perhaps we will see clearing houses for security services such as this pop up.
What are your thoughts, readers? Drop them in the comment box.