I recently had an interaction with an online finance company that I invest with regarding the merits of various second factor authentication methods. It is worth exploring why we need a second factor when authenticating. First I will talk about what authentication is with respect to web applications, then give a little background on usernames and passwords, as well as some of the problems with passwords as a method of authentication. After a summary of the multitude of ways that a password can be lost or stolen, I hope it will be clear that in many cases passwords alone are not a sufficient method of authentication.
Authentication is a problem that will have to be solved at some point in the development of a web application. Verifying that a person (or machine) is who they say they are intuitively seems quite simple, probably because we as humans have no problem identifying our friends, family and colleagues on a daily basis. My experience has been that it is much harder to verify that a person is who they say they are, and whenever I think I have a handle on it I find out that it is even trickier than I imagined. I personally believe that this is in part because of the huge amount of information that we take for granted from our senses of sight, sound, touch and smell, which allows in-person authentication to be so easy and internet authentication to be so hard.
The traditional first step in web app authentication is a username and password combination. The username is the person's unique identity with respect to the web application, and the password is a piece of information that only they know, which they can pass to us to validate their identity. This is reasonably straightforward for the web application developer to implement, but passwords have recently become problematic when used on their own. One of the reasons that using passwords is a problem is that there is no way to verify that the person who knows the password is the same person who signed up, and conversely there is no way to ensure that the person who signed up remembers the password.
Once a password is entered it can be stolen, intercepted, guessed or acquired by some other method. If the password falls into the hands of another person there is no way to know whether the person entering the username and password is the original person, or someone who just happens to know it. There is no easy way to tell them apart; everything will appear normal. The user hasn't really been hacked, it is just that our authentication system is broken. This wouldn't be as much of a problem as it is if passwords were hard to steal, guess or intercept. Sadly bad actors have become adept at all three.
It is very easy for an application to remember what password (or more correctly a hash of the password) a user entered, but it is a challenge for a human to remember it. That is probably why we don't check whether a friend we meet on the street is who they say they are by exchanging random 20 character codes: we have better methods, and we would never remember the code, or be able to verify that one given to us was correct. The password system is easy for computers but hard for humans, and that hardness leads to passwords that are easy to guess or easy to forget.
Because a large number of strong random passwords are hard to remember, many users will use passwords that are simple and easy to remember. This presents a problem because there are vast collections of frequently used passwords easily available to attackers. They can try these lists against every user of a web application and see if they can log in. This is an effective way of guessing people's passwords at scale.
If a person reuses a password then they are at risk of it being stolen or guessed from another website where they have used the same password. When an attacker acquires a username and password combination they can then try it on a lot of other popular websites, and impersonate the person on every site where the same password was used.
If a person makes a strong unique password for every site they visit they will probably forget at least one of them at some point, even if they have made good use of a password manager. Then they will have to go through a password reset flow, which can easily become the weak point in any password retrieval process. The main problem is that you have to create a new piece of secret information for a person that you haven't been able to identify.
Passwords can be stolen from the user in a number of ways, but one of the most prevalent and insidious methods is phishing. It is prevalent because it is effective. It is insidious because it can be hard to detect, and can outwit even experienced users. Phishing is the practice of convincing the victim to enter their credentials into a fake authentication form and stealing the entered credentials for future use. The fake website can look exactly like the one the user is used to logging in with, and it can even redirect them to the real application after they have logged in, so they are completely unaware that their credentials have been stolen. Again the application will not be able to distinguish between the real user and an attacker with phished credentials.
Passwords can also be stolen from the application itself, using a number of attacks that range from SQL injection to full database compromise. Once this has happened the application has no way of knowing whether it is authenticating the real person or an imposter. The devastating nature of this kind of data breach is why storing the actual passwords in their original form is considered bad practice. Passwords should always be stored hashed, where a hash function produces a value that cannot be reversed to retrieve the original value.
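As an added example (not code from the original post), the following Python shows the two defensive measures discussed above: rejecting passwords that appear on a frequently-used-password list at registration, and storing only a salted, slow hash (PBKDF2-HMAC-SHA256 from the standard library; the iteration count and the tiny weak-password list are assumptions chosen for illustration). The stored string carries its own salt and parameters so verification can re-derive the hash without the original password ever being kept.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample of a "frequently used passwords" list; real lists are far larger.
COMMON_PASSWORDS = frozenset({"123456", "password", "qwerty", "letmein", "iloveyou"})

# Assumed work factor: tune so one derivation takes a noticeable fraction of a second.
PBKDF2_ITERATIONS = 210_000
SALT_BYTES = 16
KEY_BYTES = 32


def is_common_password(password: str) -> bool:
    """True when the password is on the weak list, so an attacker's wordlist would hit it."""
    return password.lower() in COMMON_PASSWORDS


def hash_password(password: str) -> str:
    """Derive a per-user salted hash; the salt and iteration count are stored alongside it."""
    salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              PBKDF2_ITERATIONS, dklen=KEY_BYTES)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the key with the stored salt/iterations and compare in constant time."""
    try:
        algo, iterations, salt_hex, key_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iterations),
                                        dklen=len(key_hex) // 2)
    except (ValueError, TypeError):
        return False  # malformed record: never authenticate on a parse failure
    return hmac.compare_digest(candidate.hex(), key_hex)


def register(password: str) -> Optional[str]:
    """Return a storable hash, or None when the password must be rejected as too common."""
    if is_common_password(password):
        return None
    return hash_password(password)
```

Because each record has its own random salt, two users with the same password get different stored values, and a leaked table cannot be cracked with one precomputed lookup.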
This is not a complete exposition of all of the reasons why password only authentication is inadequate. Its chief merit is that it is relatively easy for developers to implement, and it is better than nothing. The arguments that it should be supplemented or replaced are compelling. Chief amongst these is that one mistake in the entry or storage of a password leads to a broken authentication flow for a web application. This has led to the increasing use of multifactor authentication, where a user needs to present multiple independent authentication factors to authenticate to the site. This is an improvement because the loss of one factor does not completely break the authentication to a site. It is also helpful in securing password reset flows. When it comes to authenticating users to a modern web application, supplementing password only authentication is prudent to protect your users and the integrity of your applications.