Monday 27 August 2012

Two-Factor Authentication Example: Dropbox

Update: LifeHacker has a list of places where two-factor authentication is currently available as an option.

I'd Go for the App

Commonly, if less accurately, referred to as Two-Step Authentication, Two-Factor Authentication requires the user to produce two or more factors drawn from three categories:
  1. A knowledge factor - something you know;
  2. A possession factor - something you have; and
  3. An inherence factor - something you are.
Inherence is problematic, as the archetypal examples of fingerprints, voice prints and iris scans show, not least because of their potential vulnerability to replay attacks; so it has become common for two-factor systems to employ the ubiquitous mobile phone as the thing the user has, in combination with various little bits of secret information that the user knows.

One of the first two-factor systems to gain popularity was Google's Authenticator app (an open source project) on these platforms:
  • Android 2.1 or later;
  • iPhone iOS 3.1.3 or later; and
  • BlackBerry OS 4.5 - 6.0.
Primarily covering GMail, this system now extends to all other Google Apps, and can be enabled in any third party app using the PAM Module. The first factor comprises your traditional combination of user name and password. Then, the mobile Authenticator application prompts you for an auto-generated verification code.

Now On Dropbox

Anyway, not to bury the lede, Dropbox - perhaps in response to last month's spammage, enabled by a Dropbox employee who had re-used his or her password at another, previously hacked site, resulting in the exposure of many users' email addresses - now offers such a system. Look under the Security tab, in the section labelled Account sign in, for the so-called Two-step verification setting.

Two options are provided for acquiring the new verification code. The first is a simple text message to your mobile phone. This is the easier of the two, but it also introduces a new potential vulnerability. Attackers can use social engineering against your phone provider to have your messages forwarded to another account. This exploit has in fact been documented several times against Google's two-factor system, e.g. at CloudFlare in May of this year.

So yeah, I'd definitely go for option 2, which is to use one of the following mobile apps to generate a unique time-sensitive security code with the help of the standard Time-based One-Time Password (TOTP) algorithm:
You may select either to scan a displayed bar code / QR Code, where supported, or to enter your secret key manually. Note that most apps will still generate the required security codes even when the cellular network or other data service is unavailable, such as when travelling or where coverage is unreliable.

Hat tip: Brian Krebs, as is so often the case!
