This is something that Tony Perez and Sam “Otto” Wood both recommend, so you know I have to look at it seriously!
I think I need to point out that I’m willing to accept that I’m wrong about things. After all, I can’t know everything, and I am well aware of that. But one of the things I work hard to do is learn, adapt, grown and get better at all this. The whole reason I started talking about tech on this site was I was trying to understand cloud hosting back in August of 2010(A lot of tech posts were ported over from Ipstenu.org after the fact.).
The point is I do this site because I want to learn, and when I learn, even if I don’t understand all of a thing, I want to share what I’ve learned specifically because I know people will come and correct me. Next to answering people’s questions, this is the fastest way I know of to really understand things.
So.
I didn’t mention Two Factor Authentication in my security post. Using it certainly would have mitigated the brute-force attack, though not the DDoS implications of it, and that remains why I am a fan of ModSecurity. That doesn’t mean I didn’t just add another tool to my arsenal, or that I’m not willing to try something out.
I am now using Two Factor Authentication.
Two-factor authentication (aka multi-factor authentication, or TFA, T-FA, or 2FA) is a way to verify your authenticity by providing two (ore more) of the following factors:
- Something the user has – aka a possession factor
- Something the user knows – aka a knowledge factor
- Something the user is – aka an inherence factor
For most of us, we authenticate only via knowledge – that would be your standard username and password. You “know” your password, thus you pass the knowledge factor. A PIN (like for your bank card) is the same thing. This is simple, it’s easy, and most of us can remember a password.
Something you have is easy to explain if you’ve ever worked for a company and had a RSA ID or a keyfob with a random generated string. That’s the possession factor at work. In fact, your bank card (again!) is one of these too! It’s something else, something physical that you must have to prove you are actually you.
Inherence factors are things like biometrics, so a fingerprint or retina scan. That’s all you need to know about that. Arguably it’s something you have, but it’s a part of you, something you always have with you, so it’s inherent or innate to your very person. Latin. You’re welcome.
It’s pretty obvious that a strong password only goes so far. If I can’t log into my laptop without a USB keyfob, then my site is super secure. This is better than using the picture and keyphrase that a lot of banks use right now, but it’s also harder. It’s very easy for a company to have you pick a photo, a sentence, and a password and make you verify them when you log in. But to instead make sure you have a specific device with you that verifies who you are and that you’re you in this very second?
How, exactly, they work depend on which methods your using. There are myriad different methods of possession factors you could use, and how each one works is a little different. But we like multiple factors because if you needed (say) my retina scan and a password to log in and a titanium ring, and another person with those three items, then I’ve just described the plot of Charlie’s Angels: Full Throttle. I’ve also described a pretty tough nut to crack if you’re not Drew Barrymore.
The issue with these methods is they’re not (yet) practical for the common man, and that’s really a large part of why I don’t like TFA very much.
The knowledge factor is the most easiest to hack. We’ve see that. That’s the whole reason we want to use two or more factors to authenticate. I’m not arguing that. The possession factor is the easiest to break (lose your keyfob or be out of cell phone range). Unless there’s some backup to let me in even if I don’t have the second factor, I’m SOL in a lot of ways. Of course, once you have a backup method, then that’s vulnerable. The inherence factor is the least reliable so far and the hardest to implement correctly. There’s a whole Mythbusters on how easy it is to make a fake fingerprint. It’s not that this is easy to hack, it’s that it’s hard to protect.
Okay, so what should we do?
The Google Authenticator Plugin for WordPress comes recommended by my man Otto and I know I’m not Google’s biggest fan, but this is one instance where I think they did it right.
The plugin uses open source code for Google Authenticator, which is not something Google really invented so much as perfected. In fact, my old keyfob at work did the same thing.
Here’s how it works. The site you visit generates a string of characters called your Secret Key. This key can be a string (like hE337tusCFxE) or a QR code embedded with all the information from your site (like site name and so on). You enter the data into the app on your phone, and that uses secret string plugins the date and current time, to generate another random number string you use when you log into the phone.
It’s like a password that always changes, and since your phone and your (say) blog have clocks running, they know what time it is, parse the math on login, and off you go. So yes, this will work if you’ve got no cell reception. But no, it won’t work if you’ve lost your phone (which remains an issue for me). Since each site has a unique key and time is always changing, the code is never the same twice. No two users or sites will have the same key either. There’s more math to it, and you can read what Otto commented about it.
Now to log in to my blog I need the username and password, plus a random number I can only get at if I have my cellphone and know the passcode there too. In my case, if I lose my phone, I can’t get into my site. This is, most of the time, okay. If I’m on a strange computer, I need the phone anyway to get the password out of 1Password, and I tend not to log on when I’m not on my own computer or my iPad (which requires the use of an app password, less secure all around, but needed).
To me, it’s not risk versus reliability, or even risk versus vulnerability. It’s risk verus risk. So far, the risk of losing my phone is less than the risk of what happens if I lose my website. After all, my website is my life.
I’ve been using the Google Authenticator plugin for a while now. I am looking to switch to the Duo security plugin though, as it offers a lot of really awesome functionality on top of what the Google Authenticator can do.
https://www.duosecurity.com/docs/wordpress
You can log in via push access on your phone (requires 3G), via a standard authentication code (works offline) like Google Authenticator, SMS authentication, voice authentication, or you can buy a USB dongle which auto populates the authentication code line OR you can use one of those nifty little hardware token thingies.
There is of course a catch, as some of those services cost extra, but for the sake of convenience and for those without a smartphone, these could be remarkably useful.
Perhaps it would make sense for a multi-factor authentication system to provide a backdoor with one-time use passwords, just like Google itself does (they provide printable one-use passwords as a backup for when you lose your phone).
My own backup solution is to just SSH into the box and remove the authenticator plugin. That’s not exactly convenient though.
The Google Authenticator plugin has that. It’s how I logged in on my ipad 😉
Oh weird. I didn’t know that.
It’s not the list of ten that Google has, but it has a single key you can use multiple times. Not as safe, I agree, but very helpful.
If you can use it multiple times, then it’s something I would have intentionally not used. I was referring to one-time passwords.
Yeah, that would be interesting and a totally awesome add on.
Hey Mika,
Are you familiar with Mozilla’s Persona? It is based around Email Ownership-Based Authentication. A write up on it can be found here.
There is a plugin that makes it available to WordPress users. http://wordpress.org/extend/plugins/browserid/
Peter
😳 Ok, not exactly two factor authentification. I use it when accessing TroveBox. More of a step up from users reseting their password every time they try to visit a site.
I was going to say … I did know about Persona, but I haven’t messed with it in depth yet 🙂 Thank you for the write up!
[…] understanding the concepts around Two-Factor security I encourage you to read Ipstenu’s most recent post on the subject. It was very thorough, and very readable for all […]
[…] More on 2FA from my friend Mika Epstein […]
I found it concerning, that with Google Authenticator, you have to opt users IN to using it. Why would an administrator not want to enforce TFA across the system?
I really like DuoSecurity plugin.
Because unless you opt them IN, how do they get the code? They’d never be able to log in. For new users, this isn’t so terrible, since you could hook into the new user email and include the code (or QR code), but for existing users, how do you make sure everyone gets it?
(If I had a big site, I’d probably email everyone ‘You have 30 days to turn this on…’ And then go in and turn it on for them on day 30 – or script it. Can’t log in? Now you have a massive hassle, and didn’t we tell you so?)
It should probably force the user to the analyticator page next time they log in.
That would be an awesome addition 🙂