Two-Factor for Facebook: A True Story

A member of the PistolStar team shares his personal story on the dangers of Facebook, and the benefits of enhanced security two-factor login:

If you haven’t been under a rock for the past few years, you are well aware of the ever popular Facebook web site where friends and foes of many races and generations get together to share information.  Yes, I said friends and foes.  All good things must have their evil side and Facebook is no exception.   You may have a close friend and have trusted them with your Facebook credentials.  Friends don’t always stay friends and sometimes they even turn nasty toward one another.

 

Take for example this true story of my daughter (Jill) and one of her classmates (Sara).  At one point, they were close and of course, without our consent, my daughter shared her Facebook password with the young lady.  There were a number of “drama” occurrences for one reason or another between the two High School Freshman, which eventually drove them apart.  However, they still had mutual friends in common and my daughter’s ex-friend still wanted to be friends.  Jill was smart enough at this point to change her Facebook password.

 

Now we introduce a young couple, Sandy and Tim, that are having relationship problems and of course Jill and Sara are involved.  Jill is interested in Tim and Tim is interested back.  Jill and Tim have private conversations with one another over Facebook.

Sara has been trying to get Jill to speak with her so they can make up, but Jill has smartened up and doesn’t want to have anything to do with Sara.  Out of desperation Sara is able to guess Jill’s Facebook password, probably because the password wasn’t much different than the one she knew to begin with.  Sara finds the private conversations and reveals them to Sandy.

Fortunately for Jill, Sandy does not have anything against her and she had called it off with Tim anyway.  What could have been a very tough incident, peacefully calmed itself down, but the damage had been done.  Jill’s Facebook account was hacked by a Freshman student.

 

Since that time, we have enabled Two Factor Authentication through Facebook.  2FA is a two-step authentication process where the user must know their username and password AND also have their own cell phone that a One Time Password is sent to.  This is something you know and something you have.  Should Sara guess the new password again, she will not be able to get in unless she has my daughter’s phone and the passcode for the phone.

 

This link explains nicely how to enable 2FA on Facebook: link

You might be wondering what happened to Sara.  She more or less broke the law by accessing Jill’s personal communications.  You will be happy to hear that Jill reported Sara to Facebook and Facebook sent back confirmation to Jill that Sara’s own Facebook account had been terminated.

(The facts are true, but all names in the story were changed to protect the innocent.)

 

 

Two-Factor Takeover

In extension to our post last week stating that Apple is the latest to join in a trend that’s having more and more of the presently most influential companies adding enhanced security in the form of two-factor login to their accounts, we follow up this week with yet another.  Twitter will be joining the likes of Apple, Google, Facebook and Microsoft as they begin rolling out the feature in a short, but unspecified time from now.

It appears as though Twitter has had this project underway since at least early February, when they had posted a job position for the project.  It is likely no coincidence that the service had suffered a hacking attack in which 250,000 account passwords were compromised just the week before the job posting.  When just yesterday the Associated Press had also suffered a compromised account, in which bogus messages were tweeted, the need for the enhanced security is especially evident.

 

Source: The Wired

Source: Ars Technica

Mobile Authenticator Apps for Two Step Authentication

A number of Two Step and Two Factor authentication methods exist today to help further secure our valuable digital resources.  As secure as they are, they can cause “ease of use” issues which then puts the onerous on the end user.  Using security questions is limited by how well you can answer the questions so others can’t guess them but at the same time, make it easy for you to remember.  Security questions get forgotten more times than people would like to admit.  Instead of remembering answers to questions, we can implement the use of hard tokens that generate One Time Passwords.  But we still need to remember to bring the token with us or not leave it behind to get lost.  Some tokens require batteries which leave them vulnerable to losing power at the most inopportune time.  Cell phones improve on this because remembering to bring your cell phone with you and keeping it charged is akin to remembering to breathe for most people.  But deep in the middle of a large building will prohibit cell service and prevent the OTP being delivered to the phone.  On the other hand, you may have cell service, but be traveling abroad and the roaming fees will sting your wallet.  Printed OTPs are convenient;  they don’t need to be memorized and can stay safely tucked into your wallet, but you can run the risk of running out of OTPs before you get a chance to print more.

 

Consider a solution that uses your cell phone or mobile device, but doesn’t require memorizing anything or connectivity to the outside world.  Many organizations and online sites have implemented “Mobile Authenticator Apps” to provide the 2nd factor of authentication.  An application designed to generate an OTP that the authenticating service will honor is installed on your mobile device.  Once configured, all that is required to generate an OTP is to have possession of the device and remember to keep it charged.

 

A mobile authenticator app generates a Time Based One Time Password (TOTP) – This is an OTP based on the time of day.  During enrollment, the device and the authentication server both register the same moment in time.  The TOTP is generated based on how much time has elapsed since the shared time value.  Both client and server can now always generate the same password without having to communicate with one another during the authentication process.

Continuing Towards a World Without Passwords

In a move that appears to be an attempt to catch up to its competitors Google and Facebook, Apple and Microsoft are now the latest monoliths to have introduced a two-factor authentication option for their users’ Apple IDs, and Microsoft accounts, respectively.  Once again the evidence shows that we’re on our way towards a world without passwords.  Multi-factor authentication is ever more trendy, and now everybody’s doing it.

Similarly to the existing two-step verification offered by Google and others, Apple and Microsoft’s added security follows suit by requiring those users whom have enabled the feature to input a special code during authentication; rather than the usual username and password, the additional factor of the password code effectively enhances the security for the account.  This special code, often known as a TOTP (time-based one-time password) is typically delivered via a text message to the users cell phone, once it has been registered as a trusted device.  Much like Google’s Google Authenticator mobile app,  which allows users to receive the password codes via a convenient app rather than text messages, Apple offers the same convenience via their ‘Find My iPhone’ app, and Microsoft as well, through an as yet unnamed app of their own.

As with these previous methods of offering two-factor authentication however, these follow seemingly in identical footsteps, and therefore bring not only the enhanced security benefits with them, but also the headaches.  Although multi-factor authentication eliminates the need to remember the password in some cases, it still implements further steps and disruption to a user’s routine. The ideal situation would be to implement two-factor authentication which is transparent to the user while being able to block unwanted access.

Read more about Apple two-factor…

Read more about Microsoft two-factor…

###

The PortalGuard software is an authentication platform which is focused on enhancing usability, while maintaining a balance between security, auditing, and compliance for your web and desktop authentication requirements. PortalGuard provides capabilities including multi-factor authentication, transparent user authentication,  self-service password management, two-factor authentication, password synchronization and single sign-on which can be seamlessly configured by user, group, or application.

http://www.PortalGuard.com

Subscribe to our newsletter: http://portalguard.com/contact_us.php

https://twitter.com/portalguard

http://pinterest.com/pistolstar/portalguard

http://www.facebook.com/pistolstar.authentication

http://www.facebook.com/pages/PortalGuard/240761992635169