
Account Login Security


Say you're a bank or some other financial institution. When a client opens an account, you are legally required to collect all the personal details and identifiers to verify that person's identity and open the account. But for them to access the account remotely, the minimum requirement is a username and password.

What could possibly go wrong?


More often than not, the username is their email address, which is not only known to everyone they have ever emailed, but also lives in a myriad of databases aggregated by shopping sites, which means it is tied to their real name, address and spending habits. This is very valuable information, and it gets sold to marketing firms who use it to build a profile of your net worth. And yet many people use that very same email address to log in to their bank account.

As for the password to the bank account, bad habits abound. Here are some of the most common:

  • sticky note on the computer or desk

  • using a password that is used for other websites including email accounts

  • using pet names, kids' names or birth dates

  • using one of the 10 most common, or 10,000 most common passwords

Enter 2 Factor Authentication (2FA)

2FA, SMS 2FA and 2-Step Verification are sometimes used interchangeably (they're not the same thing), but the concept is the same and it's based on the mantra:

  • Something you are (your username or email address)

  • Something you know (your password)

  • Something you have (your phone, an RSA device, an authenticator app, or a physical device like a YubiKey)

2-Step Verification

You are probably familiar with this already. 

  1. You navigate to the login page, enter your username and password

  2. If you have enabled it, you are notified that you will be receiving a text with a 6-digit code

  3. You enter the code, it verifies the code and you gain access to your account
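The three steps above are the user's view. Below is an added example (not code from the original page) of what the bank's side of step 2 and step 3 has to get right for a texted code to be worth anything: the code is random rather than derived from anything the user knows, only a salted hash of it is stored, it expires after a few minutes, it is single-use, and it locks after a handful of wrong guesses. The class name, the store layout and the 5-minute lifetime are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # a texted code should die quickly (constructed value for the example)
MAX_ATTEMPTS = 5         # a 6-digit code is guessable if unlimited tries are allowed


def _hash_code(code: str, salt: bytes) -> bytes:
    # Store only a salted hash: a leaked pending-code table then exposes no live codes.
    return hashlib.sha256(salt + code.encode()).digest()


class SmsCodeStore:
    """Hypothetical in-memory stand-in for the server-side table of pending login codes."""

    def __init__(self):
        self._pending = {}   # username -> {"salt", "digest", "expires", "attempts"}

    def issue(self, username: str, now=None) -> str:
        """Create a fresh 6-digit code for this login and return it for delivery by SMS.
        Issuing a new code replaces any earlier pending code for the user."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** 6):06d}"       # uniform over 000000..999999
        salt = secrets.token_bytes(16)
        self._pending[username] = {
            "salt": salt,
            "digest": _hash_code(code, salt),
            "expires": now + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, username: str, submitted: str, now=None) -> bool:
        """Step 3 on the server: compare the submitted code against the pending one."""
        now = time.time() if now is None else now
        entry = self._pending.get(username)
        if entry is None:
            return False                      # nothing was issued, or it was already used
        if now > entry["expires"]:
            del self._pending[username]       # expired codes are discarded, not compared
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[username]       # too many guesses: the code is dead, user must re-request
            return False
        ok = hmac.compare_digest(_hash_code(submitted, entry["salt"]), entry["digest"])
        if ok:
            del self._pending[username]       # single use: the same code cannot be replayed
        return ok


if __name__ == "__main__":
    store = SmsCodeStore()
    code = store.issue("alice")
    print("texted code:", code)                       # in production this goes out via the SMS gateway
    print("first use:", store.verify("alice", code))  # True
    print("replay:", store.verify("alice", code))     # False
```

The `now` parameter exists so that expiry can be exercised deterministically; in production it is simply left as the current time.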

Risks and Mitigations


2-Step Verification relies on your mobile account being secure. Unfortunately, your mobile provider can easily be convinced to port your number to an attacker's phone, and with that the attacker can reset your passwords and take over your accounts. The attack is called SIM Swap (or SIM Jacking).

SIM Swap Stories

Protect yourself from SIM Swap with

2 Factor Authentication (TOTP)

Time-Based One-Time Passcode secret key generator.

There are several forms of this, but they all work on the same principle: a hardware device (your phone or an RSA SecurID key) generates a 6-digit passcode every 30 seconds, derived through a cryptographic algorithm from a secret that is synced between the device and the website you are trying to log in to.

The advantages of this are:

  1. More secure than 2-Step SMS verification

  2. One app can store the keys to multiple websites, each independently verified, and the keys can be shared between devices.

  3. The account vendor (Amazon, PayPal, Gmail) does not need to know your phone number (one less attack vector)
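To make the "synced secret plus 30-second window" principle concrete, here is an added example (not code from the original page) of the standard TOTP algorithm, RFC 6238 on top of RFC 4226 HOTP, with HMAC-SHA1, 6 digits and a 30-second step, which is what Google Authenticator and similar apps compute. It also shows the two things a verifying server must add on its side: tolerance for a little clock skew between phone and server, and a record of the last accepted time step so that a code cannot be accepted twice inside its window. The `TotpVerifier` class and the `Bank`/`alice@example.com` labels are assumptions made for the example; the test vectors are the published RFC ones for the ASCII secret `12345678901234567890`.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble picks the 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret: bytes, timestamp: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter = number of `step`-second slots since the Unix epoch."""
    return hotp(secret, int(timestamp // step), digits)


def secret_from_base32(encoded: str) -> bytes:
    # Authenticator apps exchange the shared secret as base32 (the QR code carries it that way).
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)                      # restore padding apps usually drop
    return base64.b32decode(cleaned)


def provisioning_uri(issuer: str, account: str, secret: bytes) -> str:
    # The otpauth:// Key URI that the enrolment QR code encodes.
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


class TotpVerifier:
    """Server-side check for one enrolled secret (hypothetical class name)."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_counter = -1          # highest time step already consumed by a successful login

    def check(self, submitted: str, timestamp=None) -> bool:
        timestamp = time.time() if timestamp is None else timestamp
        counter = int(timestamp // self.step)
        for delta in range(-self.window, self.window + 1):    # allow +/- window steps of skew
            candidate = counter + delta
            if candidate <= self.last_counter:
                continue                # already used (or older): reject even if the digits match
            if hmac.compare_digest(hotp(self.secret, candidate, self.digits), submitted):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")   # RFC test secret in base32
    print(provisioning_uri("Bank", "alice@example.com", secret))
    print("code right now:", totp(secret, time.time()))
```

The verifier persists `last_counter` per user in a real deployment; without it, a code captured during its 30-second life can be presented a second time.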

TOTP Apps (available for iOS and Android)


Risks and Mitigations


A bit more technical to use than SMS. If you lose your phone, account recovery is more challenging, but that's also the point. You can share the codes between multiple devices (e.g. a work phone and a personal phone), but you need to secure the app against being ported onto another device by a hacker (efani can help here too).

2 Factor Authentication (hardware device)

One more step down the security rabbit hole, this is considered the safest way to go. It uses a USB hardware key that is plugged into your laptop at the time of login and produces a cryptographic signature that validates the sign-in.

  • Requires physical possession of the device (not unlike your phone, but it's smaller and easier to lose)

  • Must be registered with the account before use (just like TOTP)

  • Cannot make a copy

  • Must be purchased from authorized vendor

YubiKey is the best known, but there are others.
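The four bullet points above describe properties of the key; the added example below (not code from the original page, nor from any key vendor) shows what the login server actually checks when such a key signs a login, and why each property matters: the server issues a fresh random challenge that is single-use, the key signs that challenge together with the website origin the browser is really on (so a signature produced on a look-alike site is useless to the real site), and the key reports a counter that must increase on every use, which is how a copied key betrays itself. One substitution is labelled in the code: real keys sign with a private key that never leaves the device, whereas this stand-in uses an HMAC with a secret handed over at registration, because Python's standard library has no asymmetric signing. The class names, origins and user name are assumptions.

```python
import hashlib
import hmac
import json
import secrets


class HardwareKey:
    """Stand-in for a USB security key (hypothetical). Signs with HMAC instead of a private key."""

    def __init__(self):
        self.key_id = secrets.token_hex(8)      # handle the server uses to look the key up
        self._key = secrets.token_bytes(32)     # per-device secret
        self.counter = 0                        # signature counter, incremented on every use

    def registration_data(self):
        # A real FIDO key exports only its public key here; the stand-in must hand over the secret.
        return self.key_id, self._key

    def sign(self, request, seen_origin):
        """Sign the server's challenge bound to the origin the browser is actually talking to."""
        self.counter += 1
        client_data = json.dumps({"challenge": request["challenge"], "origin": seen_origin},
                                 sort_keys=True)
        payload = client_data.encode() + self.counter.to_bytes(4, "big")
        sig = hmac.new(self._key, payload, hashlib.sha256).hexdigest()
        return {"key_id": self.key_id, "client_data": client_data,
                "counter": self.counter, "sig": sig}

    def clone(self):
        # A copy shares the secret and the counter as of now, but not the original's later uses.
        other = HardwareKey()
        other.key_id, other._key, other.counter = self.key_id, self._key, self.counter
        return other


class RelyingParty:
    """Stand-in for the bank's login server (hypothetical)."""

    def __init__(self, origin):
        self.origin = origin
        self.devices = {}    # key_id -> {"user", "key", "counter"}
        self.pending = {}    # outstanding challenge -> user it was issued to

    def register(self, user, key):
        key_id, key_material = key.registration_data()
        self.devices[key_id] = {"user": user, "key": key_material, "counter": 0}

    def new_challenge(self, user):
        challenge = secrets.token_hex(32)            # fresh nonce per login attempt
        self.pending[challenge] = user
        return {"challenge": challenge}

    def verify(self, user, response):
        device = self.devices.get(response["key_id"])
        if device is None or device["user"] != user:
            return "unknown key"
        data = json.loads(response["client_data"])
        if self.pending.pop(data.get("challenge"), None) != user:
            return "stale or replayed challenge"   # each challenge is consumed exactly once
        if data.get("origin") != self.origin:
            return "origin mismatch"               # signed on a look-alike site, not this one
        payload = response["client_data"].encode() + int(response["counter"]).to_bytes(4, "big")
        expected = hmac.new(device["key"], payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, response["sig"]):
            return "bad signature"
        if response["counter"] <= device["counter"]:
            return "counter did not advance"       # a clone lagging behind the real key lands here
        device["counter"] = response["counter"]
        return "ok"


def run_demo():
    """Genuine login, replayed response, look-alike origin, and a cloned key, in that order."""
    rp = RelyingParty("https://bank.example")
    key = HardwareKey()
    rp.register("alice", key)
    results = {}

    req = rp.new_challenge("alice")
    resp = key.sign(req, "https://bank.example")
    results["genuine"] = rp.verify("alice", resp)
    results["replay"] = rp.verify("alice", resp)                  # same response presented again

    req = rp.new_challenge("alice")
    resp = key.sign(req, "https://bank-login.example")            # browser is on a look-alike origin
    results["lookalike"] = rp.verify("alice", resp)

    clone = key.clone()
    rp.verify("alice", key.sign(rp.new_challenge("alice"), "https://bank.example"))  # real key used again
    results["clone"] = rp.verify("alice", clone.sign(rp.new_challenge("alice"), "https://bank.example"))
    return results


if __name__ == "__main__":
    for scenario, outcome in run_demo().items():
        print(f"{scenario:10s} -> {outcome}")
```

The counter check only catches a clone once the genuine key has been used again, which is why it is a detection rather than a prevention; the origin binding, by contrast, fails closed on the very first attempt.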

[Image: YubiKey; caption "Phone Cable Ports"]

[Illustration of 2-Step Verification: username@gmail.com and complexpassword are sent to BANK; BANK sends a text code (xxx xxx); the user enters the text code; Match? -> YES; Authenticated, Login allowed]
