2fa redux

The mythic Ned Ludd, leader of the Luddites. Via Commons.Wikimedia.Org

It has been said, recently, that my position regarding multi-factor authentication[en.WP] proves I am a luddite. Actually, I love multi-factor authentication. But I have yet to see a logical and ergonomic implementation which is foolproof.

MFA is often described as requiring at least two items/routes of identification, each of which must belong to at least one of the following classes: 1) Something you know, 2) Something you have, and/or 3) Something you are.

This is completely false.

The classes should be 1) Something you and only you know, 2) Something you and only you have, and/or 3) Something you and only you are. This restriction makes all the difference.

A collage of faces and interface sliders from a digital face-capturing software.
“Using the FaceMachine java application, multiple generated faces were captured and made into this collage.” By Randallbritten, from Commons.Wikimedia.Org

Everyone wants a biometric identifier, which is something you and only you can be, like your unique fingerprint, or Apple’s 3-d facial analysis. Here are a couple of ways this can fail: the biometric data must be initially recorded; once recorded, the biometric data must be stored safely; and when making a comparison, all steps from the sensors to the locking mechanism must be secure. Also, the biometric sensor must not be able to be fooled, or mocked.

Even if it were possible to get all of these steps perfect, which it is not, here is the #1 reason you should never use biometrics: the entire purpose is to be something you cannot possibly change.

Even if it is compromised.

So all of you folk who have busily recorded your fingerprints, iris scans, stereoscopic facial ids… all of your data is stored by governments and corporations on the internet, or on potentially vulnerable devices. This data can be hacked; compromises have happened. You cannot simply go out and get your finger or eyeball replaced. So do not use this.

No, really, that is it. Do not use biometrics. Ever. You do not want to live in a situation where the most-trusted method of ID is immutable[note] and compromised.

“A collection of my RSA tokens for 2-factor authentication.” Photo by Edwin Sarmiento, licensed CC-BY 2.0

There are all the usual problems with something you have: you might lose it, someone could take it, it can probably be duplicated, etc. Those are not reasons to oppose MFA. Go ahead and use a digital fob if it makes you feel good. Do not use your cell phone.

Mobile phones are extremely bad for your personal privacy and security. Wonderful and convenient? Yes, but their use in most authentication schemes is to spy on you, not to authenticate you. An example authentication exchange involves sending an SMS to the phone, which is received by an app on the phone, and voilà! You are authenticated! What you do not see is that the app has now recorded where you are located on the planet, may have scanned all your SMS messages, usually has scanned your contacts and recent call logs, and sent all this data to the authenticating party.

You most likely were not informed that this would happen. You most likely would not agree to it if you had been informed.

So do not use your cell phone.

Mobile devices in general are risky from the other direction too. Evil perpetrator A might create a perfectly wonderful app that also requests access to your SMS, and can now also authenticate using your phone number. Evil A might, instead, have you ‘sign up for a new account’ – but you do not actually know where this new account is. Maybe they just used your identity to create a fictitious social media account which they will use to help someone appear to be famous, or to spread misinformation. But maybe it was a new credit card, in your name.

Do use MFA. It is great. But also use your brain. There is really not very much you can know that only you can know, or have that only you can have. Use the simplest possible systems, like storing your passwords in a password safe kept in your cloud storage and synchronised across all your devices.


Image showing an altered fingerprint. Unknown source.

Note: Actually, it is possible in China to pay for an elective surgery which transplants your own fingerprints, for example from your left hand to your right, amongst other methods for permanently altering your fingerprints. And in places other than China as well, though perhaps not quite so cheaply. You really don’t want to do this just because some social media corporation has let your personal identity be hacked.