Strengthening Two-Factor Authentication
Wednesday, March 5, 2014 @ 10:03 AM gHale
The key to use any technology is passwords, but they often present a relatively weak challenge to hackers. Until now.
There is a new way (or ways) to add a strong second layer of security to a password as researchers at the University of Alabama at Birmingham (UAB), in collaboration with the University of California at Irvine, proposed and tested a variety of methods.
Researchers offered innovative options to improve the security of two-factor authentication systems while also ensuring the systems’ usability in a paper presented at the 2014 Network and Distributed Systems Security Symposium.
“There have been many attacks on servers that store passwords lately, such as the breaches at PayPal and LinkedIn,” said Nitesh Saxena, Ph.D., associate professor in the Department of Computer and Information Sciences at UAB and a core member of the Center for Information Assurance and Joint Forensics Research.
As it has always been, people use the same few passwords which makes it easy to use and remember. Passwords typically end up stored on servers in a hashed form. Hackers can garner passwords either by an online brute-force attack, or by hacking a server with poor security and using a “dictionary” of passwords to test offline.
“A single server break-in can lead to several of a user’s accounts being compromised, because they’re using the same password in several places,” Saxena said.
Two-factor authentication schemes, such as Google Authenticator, or hardware tokens, such as RSA SecureID, use a second device to generate a temporary personal identification number, or PIN, the user must enter along with their password. But current two-factor schemes present the same vulnerabilities to server hacks as password-only authentication, Saxena said.
“If someone hacks into the server, they could learn the passwords via an offline dictionary attack,” he said. “Learning the passwords wouldn’t compromise the second authentication factor, but the user might be using that same password elsewhere. The hacker might not be able to log into Facebook if Facebook uses two-factor authentication, but they could log into Twitter if Twitter uses the single-factor authentication using the same password.”
The paper proposed and tested four two-factor schemes that require servers to store a randomized hash of the passwords and a second device, such as the user’s security token or smartphone, to store a corresponding secret code. The paper presents these schemes at several levels of computer system bandwidth, effectively turning four schemes into 13 security options.
“Rather than requiring the user to enter both their password and a PIN generated by an app, the user could enter a password, and their smartphone could automatically send a PIN over a Bluetooth connection or through a simple QR code,” Saxena said.
Saxena and his co-authors, UAB graduate student Maliheh Shirvanian, Stanislaw Jarecki and Naveen Nathan of the University of California at Irvine, analyzed each scheme in terms of security provided, usability and deployability.
The schemes use soft tokens, like smartphones. Using smartphones to provide secret codes can give a security system the flexibility to protect several passwords with a single soft token.
“Hard tokens are traditionally used within the context of a company that needs more security,” Saxena said. “With soft tokens in play, you can use just one token, such as your smartphone, to log into different websites securely.”
The proposed approaches are applicable to hardware tokens, too.
“With each of our proposals, you get a high level of security with the same or better level of usability than the current two-factor authentication schemes,” Shirvanian said.
For more details, click here to download the paper.