How is physical access not a factor in 2-factor?


arjan
Posts: 67
Joined: Tue Feb 26, 2013 7:48 pm UTC
Location: The Netherlands

How is physical access not a factor in 2-factor?

Postby arjan » Wed Jun 10, 2015 2:10 am UTC

Hi all,

Maybe someone can share some wise thoughts about this matter. I'm told by security experts that for rather sensitive (medical) data, you need to implement 2-factor authentication by law. So, not just a username/password combination but also a smartcard, or a token via SMS, a fingerprint or whatever.

The system I'm talking about cannot be reached via Internet without plenty of factors. You'd need 3 different passwords and an SMS to get there, so the rules are OK with that. Normal users however access the system with just a username and password, but with just those, in order to get to the data you have to actually be sitting behind one of a few computers that have access. In other words, even if you know the password you'd still have to commit burglary.

But if burglary is a sensible scenario, the "hacker" could also just take the server and all data with him.

So my point is, physical access should be considered a valid factor in 2-factor authentication. Am I wrong?

ahammel
My Little Cabbage
Posts: 2135
Joined: Mon Jan 30, 2012 12:46 am UTC
Location: Vancouver BC

Re: How is physical access not a factor in 2-factor?

Postby ahammel » Wed Jun 10, 2015 2:55 am UTC

I can imagine a number of scenarios in which physically stealing the servers would not be an option:

- The servers are protected by better physical security than the terminals (this is almost always the case, in my experience).
- The attacker doesn't want it to be obvious that an attack has occurred, perhaps so that they can make use of the information before the breach is noticed
- The attacker has social-engineered their way into the building and there are other people around. They therefore have to look like legitimate users while carrying out the attack.

Regardless, if the law says you have to use 2-factor, it's almost certainly a better use of your time to implement SMS authentication than to try to argue with the authorities about what "2-factor" means.

Tub
Posts: 391
Joined: Wed Jul 27, 2011 3:13 pm UTC

Re: How is physical access not a factor in 2-factor?

Postby Tub » Thu Jun 11, 2015 10:00 am UTC

The way I understand it, 2-factor authentication means combining something that you know with something that you have for authentication. If someone robs you, they still don't know what you know. If your secret information leaks, they still don't have the required item. 2-factor authentication is meant to solve the inherent weaknesses of passwords, like password-reuse, leaked hashes and large-scale random guessing, i.e. untargeted attacks against anything that seems weak. I can probably acquire a million valid logins somewhere, but I cannot just go and steal a million matching security tokens.

Against targeted attacks, 2-factor authentication will make things more difficult, more expensive and easier to detect, but not impossible. Requiring physical access happens to make targeted attacks more difficult, more expensive, easier to detect, but not impossible. So you're right: it can serve the same purpose as a 2-factor authentication. However, it is not a proper authentication factor.


What is not 2-factor authentication is combining something that you know with some other thing that you know, like three different passwords, especially if you end up typing all three into the same keyboard and sending them over the same communication channels, where they can be intercepted at the same time. Or combining something that you know with something everyone else knows, like your mother's maiden name.

Your cell phone is something that you have, but SMS is not exactly a confidential communications channel, so it's not a reliable way to verify whether you actually have the item in question. Harder to beat than 1-factor, but not quite 2-factor yet.


As far as I'm concerned, a lab key is certainly something that you have. But it has three weaknesses, due to which it cannot count as an authentication factor:
1) the key check is disconnected from the password check. The computer checking your password just assumes that the key was properly verified.
2) physical access is granted to more people than access to the data, e.g. the cleaning service. Would you consider it secure to tell your cleaning service your passwords, but not the matching usernames? No? Then why would it be acceptable to provide them with one of your two factors?
3) physical access is not even a form of authentication, unless you have a personalized electronic key. Your password can be combined with your colleague's lab key and vice versa.

If you require physical access, you've increased security by roughly the same measure as you do by implementing 2-factor authentication. But it does not count as an authentication factor for the three reasons I mentioned.
Having an electronic key which needs to be shown when logging into the systems, and that gets compared to the username you wish to log in with, that would be a proper factor.


That being said, the letter of the law is probably somewhat disconnected from actual best security practices, so go ask a lawyer.

EvanED
Posts: 4331
Joined: Mon Aug 07, 2006 6:28 am UTC
Location: Madison, WI

Re: How is physical access not a factor in 2-factor?

Postby EvanED » Thu Jun 11, 2015 3:45 pm UTC

Tub wrote:Your cell phone is something that you have, but SMS is not exactly a confidential communications channel, so it's not a reliable way to verify whether you actually have the item in question. Harder to beat than 1-factor, but not quite 2-factor yet.
I think that's a very pessimistic view. I can imagine that you could eavesdrop on someone on the same cell tower or spoof someone's phone if you know the IMEI number. (Don't know for sure they are true, but say for the sake of argument they are.) But in the mass-database-compromise scenario, those won't hold.

Maybe SMS is just shy of real, honest-to-god 2-factor... but it's at least, say, 1.999-factor.

Tub wrote:3) physical access is not even a form of authentication, unless you have a personalized electronic key. Your password can be combined with your colleague's lab key and vice versa.
This is a really good argument. I find it incredibly convincing.

Tub
Posts: 391
Joined: Wed Jul 27, 2011 3:13 pm UTC

Re: How is physical access not a factor in 2-factor?

Postby Tub » Fri Jun 12, 2015 11:46 am UTC

EvanED wrote:I think that's a very pessimistic view.

I find that pessimism helps a lot when you're trying to design secure systems. ;)

For one, it's a relatively easy factor to overcome on targeted attacks without raising suspicion by stealing the authentication thingy. The tools are available, a script kiddie with a bit of hardware can do it. It's certainly less risky than sneaking into a building and sitting down at the right computer below a security camera.
Considering that we're talking about medical data, I'd say that one compromised account is plenty to get what you need.

Mass-compromises might be possible because SMS lacks encryption. If you work at the SMS-sender-service or any of the phone providers in between said service and the target's phones, you can mass-read SMS and you're done. If your security relies on multiple foreign entities all being honest and not compromised, that's a problem. Doesn't even have to be the NSA to attack your system, there are enough individuals in between with the opportunity.

Pessimistic? Paranoid? Sure. But experience should have taught us that these things do happen when the protected systems are worth enough.


And it's not even difficult to close the attack vectors: replace the SMS with an RFC 6238-compatible TOTP-app and you're done.

Wildcard
Candlestick!
Posts: 253
Joined: Wed Jul 02, 2008 12:42 am UTC
Location: Outside of the box

Re: How is physical access not a factor in 2-factor?

Postby Wildcard » Sat Jun 13, 2015 5:29 am UTC

@Tub: Interesting that the weakness of a lab key is to some degree similar to a weakness of Apple Pay on a phone with Touch ID. The weakness is:
Touch ID just verifies that the person using Apple Pay is the same person who set up the phone. It doesn't verify that that person is the valid cardholder for the credit card being used.

This weakness is the reason why Apple Pay is only "secure" from the perspective of the user—not from the perspective of the bank or the merchant. Sure, perhaps no one can steal your credit card info when you pay with Apple Pay, but the merchant can't be sure that you didn't steal the credit card info in the first place that you're now using with Apple Pay.

WanderingLinguist
Posts: 237
Joined: Tue May 22, 2012 5:14 pm UTC
Location: Seoul

Re: How is physical access not a factor in 2-factor?

Postby WanderingLinguist » Sat Jun 13, 2015 2:56 pm UTC

Wildcard wrote:@Tub: Interesting that the weakness of a lab key is to some degree similar to a weakness of Apple Pay on a phone with Touch ID. The weakness is:
Touch ID just verifies that the person using Apple Pay is the same person who set up the phone. It doesn't verify that that person is the valid cardholder for the credit card being used.


Maybe I'm missing something, but how is this problem unique to Apple Pay?

As I understand it, in order to set up Apple Pay, you first need to have an Apple account with a credit card associated with it (which is verified the same way you verify any credit card for an on-line purchase). Yes, you can add further credit cards for Apple Pay without going through that process, but it does require that the names match.

I don't really see how that's any less secure than an ordinary on-line credit card payment. Not that I'm saying that's necessarily great security, but I don't think the weakness is as you state it (or rather, the weakness has nothing to do with touch ID).

Security is complicated, so maybe I missed something, or misread the article, though...

Wildcard
Candlestick!
Posts: 253
Joined: Wed Jul 02, 2008 12:42 am UTC
Location: Outside of the box

Re: How is physical access not a factor in 2-factor?

Postby Wildcard » Sat Jun 13, 2015 5:36 pm UTC

It's not less secure than an ordinary online credit card payment. The difference is, Apple Pay can be used to make purchases in brick and mortar stores—without requiring the card user to verify that he actually has the card in his possession. This basically nullifies[1] the design of CVV1/CVV2 and the reasons why they are separate.

So, not specific to Apple Pay, but I was commenting on a similarity to the "lab key access" discussion relating to the thread title. To summarize: a lab key may add an additional, separate layer of security, but it doesn't operate as a factor in 2FA, so thinking that it does will actually weaken your security. Touch ID on Apple Pay adds a layer of security, but doesn't actually verify that only the proper owner of the credit card can use the card—so thinking that it does, like the banks are apparently doing by omitting proper ID theft safeguards, actually weakens security.

[1] Nullifies for the specific case of Apple Pay being set up by a criminal using a hijacked iTunes account—again, see linked article.

EvanED
Posts: 4331
Joined: Mon Aug 07, 2006 6:28 am UTC
Location: Madison, WI

Re: How is physical access not a factor in 2-factor?

Postby EvanED » Sat Jun 13, 2015 9:16 pm UTC

Tub wrote:Pessimistic? Paranoid? Sure. But experience should have taught us that these things do happen when the protected systems are worth enough.
I'm not saying one shouldn't be somewhat paranoid, but what you're talking about is still orders of magnitude more difficult than a normal 1-factor database attack.

And by the way, not only do you have to mass-read SMSs, but you have to be able to remove those messages from the stream or you don't have a covert attack. For example, I have accounts with two banks; the one I use for day-to-day banking uses SMS for 2-factor auth, but the other (which I use for long-term savings) uses just single-factor. (At some point soon I will actually probably close my account with one of them because of this, to be honest.) If the roles of those were reversed and someone were to compromise my day-to-day bank and charge to my CC, say, $47.83 with a description matching my local grocery store, to be honest I actually probably wouldn't notice. But if they were to try to log into my account and I fail to block the SMS with the login number, you can bet I'd be changing my password and watching my statements quite closely.

(Also, if we're talking about just the terms "1" vs "2" factor, I think "compromise Verizon" should probably count as a second factor. :-))

Tub wrote:And it's not even difficult to close the attack vectors: replace the SMS with an RFC 6238-compatible TOTP-app and you're done.
So I'm not a security expert, but I'm not actually convinced that's more secure. In practical terms, I think it's probably less, because a database compromise at the service provider can compromise the TOTP keys. (Which, again, is probably less of a second factor than "compromise SMS".)

hotaru
Posts: 1041
Joined: Fri Apr 13, 2007 6:54 pm UTC

Re: How is physical access not a factor in 2-factor?

Postby hotaru » Sat Jun 13, 2015 9:26 pm UTC

EvanED wrote:(Also, if we're talking about just the terms "1" vs "2" factor, I think "compromise Verizon" should probably count as a second factor. :-))

the issue is that the SMS probably goes through more than just Verizon, is not end-to-end encrypted, and can be easily suppressed when it goes over a public network (such as the internet). compromising Verizon isn't necessary to attack such a system.


EvanED
Posts: 4331
Joined: Mon Aug 07, 2006 6:28 am UTC
Location: Madison, WI

Re: How is physical access not a factor in 2-factor?

Postby EvanED » Sat Jun 13, 2015 9:29 pm UTC

hotaru wrote:
EvanED wrote:(Also, if we're talking about just the terms "1" vs "2" factor, I think "compromise Verizon" should probably count as a second factor. :-))

the issue is that the SMS probably goes through more than just Verizon, is not end-to-end encrypted, and can be easily suppressed when it goes over a public network (such as the internet). compromising Verizon isn't necessary to attack such a system.
I was using Verizon as a placeholder. You still need a pretty deep compromise of some system along the way, and if you want your attack to be covert you need to know you can intercept the vast majority of messages that you trigger, so it can't just be some random internet router.

Tub
Posts: 391
Joined: Wed Jul 27, 2011 3:13 pm UTC

Re: How is physical access not a factor in 2-factor?

Postby Tub » Tue Jun 16, 2015 7:45 am UTC

EvanED wrote:So I'm not a security expert, but I'm not actually convinced that's more secure. In practical terms, I think it's probably less, because a database compromise at the service provider can compromise the TOTP keys. (Which, again, is probably less of a second factor than "compromise SMS".)

Well, if a compromise at a "service provider" affects you in any way, you have no one to blame but yourself ;)

You may notice a pattern in my posts here: relying on other entities for security is a problem. Not because of paranoia, but because of a simple security consideration: you want your risks to be calculable. You cannot quantify the risk of a database compromise at RSA. You cannot quantify the risk of someone intercepting an unencrypted SMS. You can take a wild guess and say that these risks are probably low, but how much is that worth? When your security can neither be quantified nor verified, the only safe assumption is that you have none. Otherwise, you're just lulling yourself into a false sense of security, and that's often worse than having no security at all.


I will agree that TOTP is a suboptimal protocol because the verifier does not just get enough information to verify tokens, but also to generate them. A different protocol similar to message signing with public/private key pairs seems smarter.

However, even TOTP in its current form does not rely on a service provider. Implement a few algorithms on your server, have the users install an app or buy a compliant token generator, done. In this implementation, your attack vector turns into saying that someone can compromise your database if only they managed to compromise your database.

The comparison to compromised passwords wouldn't really hold, because those attacks usually use stolen logins from service A and try them on service B. That doesn't work with TOTP token generators, so you still need to compromise service B before you can compromise service B.
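Added example (not from any poster in this thread): the "implement a few algorithms on your server" that Tub's two TOTP posts describe, i.e. RFC 4226 HOTP with the RFC 6238 time-step counter, plus the server-side verifier with drift window and replay rejection. The shared secret is stored only on this server and in the user's app, so no SMS carrier or token vendor is involved; the secret and user names are constructed for illustration, and the class and function names are this example's own.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    The user's app computes this; the server recomputes the same value."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side verifier (constructed example). The secret is enrolled out
    of band and unique per user and per service, so a secret stolen from
    service A is useless at service B. The weakness Tub names remains: anyone
    who reads this table can generate codes, not just verify them."""

    def __init__(self, step: int = 30, digits: int = 6, window: int = 1):
        self.step, self.digits, self.window = step, digits, window
        self.secrets = {}       # user -> shared secret bytes
        self.last_counter = {}  # user -> last time-step counter accepted

    def enrol(self, user: str, secret: bytes) -> None:
        self.secrets[user] = secret

    def verify(self, user: str, submitted: str, unix_time=None) -> bool:
        if unix_time is None:
            unix_time = int(time.time())
        secret = self.secrets.get(user)
        if secret is None or len(submitted) != self.digits:
            return False
        counter = unix_time // self.step
        # Tolerate +/- `window` steps of clock drift, but never accept a step
        # at or before the last one used: each code is good exactly once.
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter.get(user, -1):
                continue
            expected = hotp(secret, c, self.digits).encode()
            if hmac.compare_digest(expected, submitted.encode()):
                self.last_counter[user] = c
                return True
        return False
```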

arjan
Posts: 67
Joined: Tue Feb 26, 2013 7:48 pm UTC
Location: The Netherlands

Re: How is physical access not a factor in 2-factor?

Postby arjan » Mon Jul 06, 2015 10:19 pm UTC

Let's say someone in IT who is a real expert in security has a laptop that holds his Bitcoin account worth millions. Would he rely on a 15-factor policy that includes username, password, as well as voice, face, eye, fingerprint recognition, a chip with a 17-digit code, a DNA and a blood sample, OR would he put the laptop in a vault? The latter is a quite old yet thoroughly tested method of keeping unwanted figures away from your stuff. There is a mature industry specialized in keeping it that way. They also have a 100% detection rate when they are successfully attacked. In IT security however, the difference between a laptop in a vault and another connected to Wifi in Starbucks officially has zero significance.

Xanthir
My HERO!!!
Posts: 5320
Joined: Tue Feb 20, 2007 12:49 am UTC
Location: The Googleplex

Re: How is physical access not a factor in 2-factor?

Postby Xanthir » Tue Jul 07, 2015 12:41 am UTC

...is he just storing the laptop without using it? In the real world, you're defending against things like having your laptop stolen, in which case the vault is irrelevant.