Tuesday, March 24, 2009

Phonefactor: how secure?

A system is only as secure as its weakest link. Phonefactor seeks to replace hardware security tokens with your phone. It is an interesting idea, not only because it uses two factors, something you know (password) and something you have (phone), but also because it uses two channels: the internet and the phone network (unless of course your phone is VoIP*). This would appear to increase security, but it doesn't necessarily do so. The challenge in using a phone in real time for authentication is that you have to handle the case where the user is not near the registered phone, or, if it is a cellphone, where it is not reachable when the user wants to log into her account. The handling of this case is the weak link. The system has to fall back to what Phonefactor calls "strong security" but which in reality is quite weak: all you have to do is convince the call center staff to do a one-time bypass or to change the registered phone number. Usually this is done by asking for information like social security numbers, mother's maiden name, etc. This is not secure. If it were, why have the phone factor at all? Just ask these questions on the internet while authenticating the user. Indeed, many banks/brokers have adopted this approach (I am not saying that this is secure). But some, like one of my credit unions, have fallen for the marketing gimmick and false sense of security provided by Phonefactor.

*Even if your phone is not VoIP, your provider may be susceptible to being hacked. For now, I ignore that angle, because there is a much easier way to bypass the second factor.

1 comment:

Steve Dispensa said...


Thanks for the mention! I always love seeing other security analysts comment on the system.

I do want to point one thing out, though: PhoneFactor doesn't depend on using one-time bypass; if you don't want to use it, don't. In that case, not having your phone means you can't log in, just like if you forget your token or smart card.

It's up to each security department to do the risk/reward analysis on the trade-off between usability and security. PhoneFactor provides all of the options, but it's up to the customer to decide what fits with their particular security policy.

I'd also point out that, even with the help desk call and the potential human error that can be made, having PhoneFactor is still dramatically better than not having it: it completely prevents large-scale attacks like mass phishing, mass credential harvesting via worms or botnet clients, etc. - because the attacker would have to make a help desk call for each user he wants to attack. That doesn't scale, of course, and the help desk will catch on pretty quickly if it does get 100 calls for bypasses in a row.

But your point is right - the bad guys will always go for the weakest link in the system, so each security department must carefully weigh the risks against the benefits when deciding how to deploy any kind of strong authentication.

Thanks again for the commentary.

-Steve Dispensa
Chief Technology Officer
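As an added illustration of the weak-link argument in the post (the one-time bypass and the registered-number change are the fallback paths that actually decide the account's security) and of the help-desk monitoring the comment describes (a desk "will catch on" after a run of bypass calls), here is a small defender-side detection script. It is example code written for this page, not PhoneFactor's product code and not anything from the post's author or commenter. The log format, the event names (BYPASS_GRANTED, PHONE_CHANGED, LOGIN_OK), the thresholds and the sample events are all constructed assumptions; a real deployment would feed it the help-desk ticketing and authentication logs it actually has.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample event log (not real PhoneFactor or help-desk output).
# Fields: ISO timestamp, event type, user, then key=value details.
SAMPLE_EVENTS = """\
2009-03-24T09:00:10 BYPASS_GRANTED alice agent=hd01
2009-03-24T09:01:05 BYPASS_GRANTED bob agent=hd01
2009-03-24T09:01:40 BYPASS_GRANTED carol agent=hd02
2009-03-24T09:02:15 BYPASS_GRANTED dave agent=hd01
2009-03-24T09:03:00 BYPASS_GRANTED erin agent=hd03
2009-03-24T09:03:30 BYPASS_GRANTED frank agent=hd02
2009-03-24T11:15:00 PHONE_CHANGED grace old=+15550100 new=+15550199
2009-03-24T11:18:00 LOGIN_OK grace phone=+15550199
2009-03-24T14:00:00 PHONE_CHANGED heidi old=+15550200 new=+15550201
2009-03-25T10:00:00 LOGIN_OK heidi phone=+15550201
"""


def parse_events(text):
    """Parse the constructed log format into a time-ordered list of dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, user, *kv = line.split()
        details = dict(item.split("=", 1) for item in kv)
        events.append({"ts": datetime.fromisoformat(ts), "kind": kind,
                       "user": user, **details})
    events.sort(key=lambda e: e["ts"])
    return events


def detect_bypass_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Flag a sliding window that reaches `threshold` one-time bypass grants.

    A single bypass is routine help-desk work; a run of them is the signal
    that someone is working through accounts one call at a time.  One alert
    is raised per burst, at the moment the threshold is first crossed:
    (first_ts_in_window, triggering_ts, count).
    """
    recent = deque()  # timestamps of bypass grants inside the current window
    alerts = []
    for ev in events:
        if ev["kind"] != "BYPASS_GRANTED":
            continue
        recent.append(ev["ts"])
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()
        if len(recent) == threshold:
            alerts.append((recent[0], ev["ts"], len(recent)))
    return alerts


def detect_phone_change_then_login(events, max_gap=timedelta(hours=1)):
    """Flag a login that uses a newly registered number soon after the change.

    Re-registering the phone through the help desk is the other bypass route
    the post describes; a login from the new number within `max_gap` of the
    change is worth a human review.  Returns (user, change_ts, login_ts).
    """
    pending = {}  # user -> (change_ts, new_number) awaiting the next login
    alerts = []
    for ev in events:
        if ev["kind"] == "PHONE_CHANGED":
            pending[ev["user"]] = (ev["ts"], ev["new"])
        elif ev["kind"] == "LOGIN_OK" and ev["user"] in pending:
            change_ts, new_number = pending.pop(ev["user"])
            if ev.get("phone") == new_number and ev["ts"] - change_ts <= max_gap:
                alerts.append((ev["user"], change_ts, ev["ts"]))
    return alerts


def run_detections(text=SAMPLE_EVENTS):
    """Run both detections over a log and return their alerts by name."""
    events = parse_events(text)
    return {
        "bypass_bursts": detect_bypass_bursts(events),
        "phone_change_logins": detect_phone_change_then_login(events),
    }


if __name__ == "__main__":
    for name, hits in run_detections().items():
        print(name)
        for hit in hits:
            print("  ", hit)
```

On the sample data the burst rule fires once, at the fifth bypass granted within 10 minutes, and the phone-change rule flags grace (login three minutes after re-registration) but not heidi (login the next day). Both thresholds are policy knobs: the point of the script is that whatever the vendor promises about the phone channel, the events worth watching are the ones on the fallback path.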