There has been a lot of talk on the Internet (and on this blog, in particular) about various forms of authentication that are advertised as two-factor or "strong" (whatever that means), but I heard a new one yesterday: e-mail as a second "factor".
The way the system works is as follows: user signs into the account with her usual username and password. The system then sends an e-mail to her pre-registered e-mail address with a link, code, etc., in it. She then opens her e-mail (perhaps logging onto a VPN in the process), receives the e-mail, copies the code, clicks the link, whatever, and the system allows her in.
This system has a number of obvious usability problems, and it certainly can’t be used to get into anything required for receiving your mail (including VPNs, e-mail servers themselves, web-based mail apps, etc.), but there are a couple of nontrivial security problems as well.
The biggest security problem is that you have no idea – none – how secure that e-mail is. It could easily be a Gmail account, non-encrypted, or it could be the person’s own mail server hosted at a place like Linode or something. These are amazingly insecure environments.
It’s no better in the case of a corporate e-mail, though; basically, you’re in the position of delegating trust to the corporate IT department for securing access to that e-mail. I have firsthand knowledge of a major US government agency that makes e-mail available through Outlook Web Access anywhere in the world, using only a username and a password. This makes the whole system one-factor, and what’s worse, the user can easily use the same username and password for both accounts.
As a general rule, it’s dangerous to delegate responsibility for security to someone else, and it’s particularly dangerous to delegate it to end users. Trusting a user not to have an insecure Hotmail account does not make for a second factor.
-Steve