Evernote has now joined the growing number of online services with support for two-factor authentication.
What this means for the average user is a more secure account: when logging in you will need to provide a second factor, such as a code sent by SMS to your phone or a challenge/response using Google Authenticator.
Twitter entered the two-factor authentication (2FA) game earlier this year when they released the de facto implementation: time-based OTP over SMS. It has been working fine, though it had its shortcomings, including the inability to view app passwords created for apps without support for 2FA, not to mention the lack of carrier support for most operators in Sweden.
Twitter have just superseded their recently implemented 2FA with a new scheme called “login verification”, which uses your mobile Twitter client as an authentication token. This means that they no longer have to rely on carriers to support their service.
The new two-factor system works like this. A user enrolls using the mobile app, which generates a 2048-bit RSA keypair. The private key lives on the phone itself, and the public key is uploaded to Twitter’s server.
When Twitter receives a new login request with a username and password, the server sends a challenge based on a 190-bit, 32-character random nonce to the mobile app, along with a notification that gives the user the time, location, and browser information associated with the login request. The user can then opt to approve or deny the login request. If approved, the app answers the challenge using its private key and relays the response back to the server. The server checks that response against the pending request ID, and if it verifies, the user is automatically logged in.
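The enrolment and challenge/response exchange described above, modelled on both sides in one Go file. This is an added example written for this post, not Twitter's code: the nonce size (24 random bytes, 192 bits, encoded as 32 characters), the SHA-256/RSA-PSS binding of nonce to request ID, and the map-backed server state are my assumptions, and the push notification, password check and user prompt are left out.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
)

// Server stores only public keys and the nonces of logins awaiting approval.
type Server struct {
	pubKeys map[string]*rsa.PublicKey // username -> the enrolled phone's key
	pending map[string]string         // request ID -> nonce, consumed on first use
}
func NewServer() *Server { return &Server{map[string]*rsa.PublicKey{}, map[string]string{}} }
// Enroll generates the 2048-bit keypair on the phone and uploads only the public half.
func Enroll(s *Server, user string) (*rsa.PrivateKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	s.pubKeys[user] = &priv.PublicKey
	return priv, nil // the private key never leaves the phone
}
// LoginChallenge follows a correct password: 24 random bytes (192 bits, my stand-in for the 190-bit figure) become a 32-char nonce tied to a request ID.
func (s *Server) LoginChallenge() (requestID, nonce string, err error) {
	raw := make([]byte, 32) // 24 nonce bytes followed by 8 request-ID bytes
	if _, err = rand.Read(raw); err != nil {
		return "", "", err
	}
	nonce, requestID = base64.StdEncoding.EncodeToString(raw[:24]), base64.RawURLEncoding.EncodeToString(raw[24:])
	s.pending[requestID] = nonce
	return requestID, nonce, nil
}
// Approve is the user tapping "approve": the phone signs the nonce bound to its request ID.
func Approve(phoneKey *rsa.PrivateKey, requestID, nonce string) ([]byte, error) {
	digest := sha256.Sum256([]byte(requestID + ":" + nonce))
	return rsa.SignPSS(rand.Reader, phoneKey, crypto.SHA256, digest[:], nil)
}
// Verify checks the reply with the enrolled key; a request ID is consumed on first use, so replays and keys from other phones both fail.
func (s *Server) Verify(user, requestID string, sig []byte) bool {
	nonce, ok := s.pending[requestID]
	delete(s.pending, requestID)
	if pub := s.pubKeys[user]; ok && pub != nil {
		digest := sha256.Sum256([]byte(requestID + ":" + nonce))
		return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
	}
	return false
}
```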
A very creative solution to the problem, and since the approval is completely out of band from the password authentication, clients do not even need to be aware of the secondary authentication procedure.
The downside is naturally that your phone becomes ever more important to keep track of, even though they seem to have support on standby in case you lose access to it.
Facebook uses a similar strategy if you have enabled login verification for your account, but instead of relying on RSA cryptography, any logged-in client may approve a new computer. The upside compared to the Twitter solution is that approvals are not locked to one particular device; the downside is the exact opposite: any logged-in client may approve a new client.
When enabling login verifications, you are presented with a backup code, which can be used to access your account in case you lose your phone. I make a habit of always writing the recovery codes into the current site’s entry in 1Password. That way, you can use any computer with 1Password installed to retrieve it when needed.
WP Require Auth is a plugin for WordPress that makes it mandatory to be logged in before viewing any page. It is just a matter of downloading and unpacking the plugin as usual and activating it on the Plugins page in WordPress. There is currently nothing to configure.
Head on over to the WP Require Auth website to download or file a bug/feature request.
This effectively replaces my little hack for doing this earlier on.
Logging into websites has always been a pain if you want to stay somewhat secure. One could either use the same username and password everywhere or choose from a few remembered passwords. The next best thing is to use some kind of password manager, such as the one built into most modern web browsers, or perhaps 1Password.
Another way of looking at online identities is the concept of one central hub – you. Think of it as your “home”, a place for your identity. This identity could then be used to authenticate you on any supported site, without requiring a password or even a username, provided that all required information has been entered into the central hub profile beforehand, such as your full name and username.
This is exactly how OpenID works! It acts as a central hub for your online identity and lets you log in to all OpenID-enabled websites without having to come up with a new password each time (or worse, reuse the same password). What makes OpenID work is simplicity; it is not that hard to grasp or explain the concept of an online identity hub and using a URL to identify yourself.
A huge benefit of OpenID is that it is completely decentralized. This basically means that anyone can set up their own OpenID provider, and there are already lots of open libraries available to make this as painless as possible. So if you don’t trust anyone else to hold your personal identity, just get a domain name, set one up for yourself, and use any type of authentication you want to identify yourself to your own hub. You can even use X.509 certificates or OTP for this purpose if you want.
As for security, make sure to use HTTPS for the provider to protect against man-in-the-middle and replay attacks. The other important security issue is phishing, where users are tricked into entering their credentials on a third-party server instead of their own provider. Using client certificates, or requiring the user to already be logged in to the provider before an authentication request is processed, would however make this a non-issue. Other than that, the ordinary web problems remain, such as bugs in the OpenID libraries and other attack vectors.
If someone were able to gain access to your OpenID provider, they would have access to all authenticated sites. To put this in context, however, look at your email account. If someone were to gain access to your email, they would undoubtedly have the means to access most of your sites anyway because of the password recovery feature.
Chances are that you already have an OpenID identity without even knowing it! Lots of big websites provide this service, it is even possible to roll your own as mentioned above, or you can install a plugin on your very own WordPress blog to enable this feature. If you have your own fancy domain but no means to set up an OpenID provider, fear not: there is support for delegation, meaning that you can delegate the authentication to another provider while still using your own domain as your identifier towards the target website.