Tuesday, March 24, 2009

Phonefactor: how secure?

A system is only as secure as its weakest link. Phonefactor seeks to replace hardware security tokens with your phone. It is an interesting idea not only because it uses two factors, something you know (password) and something you have (phone), but also because it uses two channels: internet and phone (unless of course your phone is VoIP*). This would appear to increase security, but it doesn't necessarily do so.

The challenge in using a phone in real time for authentication is that you have to handle the case where the user is not near the registered phone or, if it is a cellphone, it is not reachable when the user wants to log into her account. The handling of this case is the weak link. The system has to fall back to what Phonefactor claims is "strong security" but which in reality is quite weak. All you have to do is convince the call center staff to do a one-time bypass or change the registered phone number. Usually this is done by asking for information like social security numbers, mother's maiden name, etc. This is not secure. If it were, why have the phone factor at all? Just ask these questions on the internet while authenticating the user. Indeed, many banks/brokers have adopted this approach (I am not saying that this is secure). But some, like one of my credit unions, have fallen for the marketing gimmick and false sense of security provided by Phonefactor.

*Even if your phone is not VoIP, your provider may be susceptible to being hacked. For now, I ignore that angle, because there is a much easier way to bypass the 2nd factor.