2FA: Two Factor Authentication - Computerphile

Video Statistics and Information

Reddit Comments

At the linked time.

u/hoseja, Aug 31 2017 (1 point)

woooooœœœooo

u/TurntechLingohead, Aug 31 2017 (1 point)
Captions
Let's talk a bit about two-factor authentication, or multi-factor authentication: any time where you have a password (usually a password, it doesn't have to be) and then they ask you for something else to verify your identity. So maybe they send you a one-time password through a text, or maybe you have to use an app like Google Authenticator to produce a one-time number. If I want to log in to my online banking I have to put my card in and type my PIN into a device which produces a one-time password for me. It's this kind of idea. Everyone, I think, has a kind of intuitive idea of what the point of two-factor is, but let's try and formalize it a bit and break down what it's good for and what it's not good for, and, you know, exactly what we're getting from it that we wouldn't otherwise have.

The point of authentication is to verify to some server, usually remote, or to your machine, that you are who you say you are, and so in essence that you're really allowed to access the things on that machine or on that device. Passwords seem to be what we've settled on as a kind of happy medium. They are something we know: I have some knowledge that hopefully no one else has, and that means that I can type that in and verify it must be me, because I'm the only one that knows what that is, right? If you want to know about what happens when other people know those things, then see the other videos we've done on this, because I've talked about passwords before. So if your password is six characters long, it's being cracked right now, and it's being cracked quickly, because we can go through all the six-character passwords in a fraction of a second. Passwords are not foolproof, right? People pick bad ones and they get hacked. They can even pick good ones and they still get hacked, because of a key logger or something like this. That's where two-factor or multi-factor authentication comes in.

So usually we talk about these three things we can use to demonstrate that we are who we say we are. We have something we know: a password, or something else, a date of birth, a mother's maiden name; these are kind of common ones people go for. Something we have, right: our mobile phone receiving a text message, or a credit card, or something like this. Or something we are. Now, something we are is less common, but this would be biometrics: fingerprints, you know, iris recognition, voice recognition; if we're going a bit more out there, gait recognition, that's how you walk, things like this. Usually demonstrating who you are has some kind of hardware involved, so it's less common; we're gonna put it aside for today. What we do is we combine something we know with something we have, to make it that much harder for someone that finds out that thing we know to break into our account, all right?

So let's assume for a minute that someone's guessed my password. They don't have possession of my phone, hopefully; we don't need a PIN code on the phone. They don't have the app on the phone, so they can't answer that question when asked. So when they try and log in, they get the password correct, but they can't get the second part of the puzzle. And that has two benefits: first of all, they can't compromise the account, but also, if someone's logged in successfully with a password but unsuccessfully with the other part of the two factor, that could flag a warning that then sends an email to the user to say, just check your password hasn't been compromised. If your password is compromised, even if it's not your fault, they've stopped someone breaking into your account. This is why it's quite common on things like password managers, online banking and other, you know, some email systems, and in fact on a lot of computer systems these days we'll see multi-factor authentication being used. But that isn't to say that it's always a good idea, right?

There's this sort of opinion, perhaps in security circles, that more security is always better, and that I broadly agree with in general. But of course you have to consider ease of use; you have to consider that some of these people aren't experts, and they haven't got that much time to be constantly checking their mobile for extra texts and things. Maybe they're trying to do this somewhere where there isn't any reception. You can't just put on extra layers of security and it not, a little bit, hinder what people are trying to do. I think the idea of multi-factor authentication is to have a compromise between the additional security it offers and it being a total pain and never actually getting anything done. You know, so for example on some software you'll find that it only asks, let's say, for multi-factor for logging in on a new device, and once you've logged in it will allow you to persist that session for a while, things like this. The idea being that it's somewhat inconvenient, but it doesn't get a bit silly about it, all right? Because this can come back and get you. Someone pointed this out to me when I was talking about this on Twitter, and, you know, they had a lot of friends who'd accidentally been kicked off whatever server because they'd lost the device that was producing the something they have. And that's actually happened to me. I used Google Authenticator to log on to one of my servers, and I lost my phone because it got broken and it went off to repairs, and for those two weeks I'd completely forgotten. I mean, you smash your phone, the last thing you're thinking about is, oh, I must save my Google Authenticator passwords. You're not thinking about that; it's gone, and then you realize, actually, I can't log into my Twitter or my server for two weeks, right?

In the end I had to go in via the terminal on the server and reset the authenticator password, which was a bit of a pain. So you can imagine it's quite easy to lock yourself out, because you can lose that thing you have. So, you know, multi-factor authentication is a really good thing, and people should be using it where security is a concern, right? But it's not a completely foolproof replacement for good passwords, and you can't really realistically use it on every single system you have unless you're just unbelievably willing to put up with, you know, inconvenience, right, if you're much more patient than me, because, you know, I can't do it. I suppose, to clarify: two-factor authentication is a subset of multi-factor authentication, which could have any number of authentication mechanisms. You could imagine combining all three of these; you see that in the movies quite a lot, where they look into something with their eye, then they speak out loud, or maybe they also type in a password. It's going to take an age to log into anything, but, you know, that's the idea. So a good example is the hash-based one-time password, or one-time password, right, which is at the core of Google Authenticator and numerous other tools for generating these things. So we're talking about: you type in a password that you know, and then some device you have generates a different password, but only it has it, only used that one time. And unless you know both of those things at the same time, you're not getting in.

That's the idea. So I actually have Google Authenticator, so I can show you broadly what it is. There are lots of alternatives, like free one-time password and numerous other apps you can search for that do this. All what I've got here is Google Authenticator, every 30 seconds rotating these one-time passwords. So you can see this little countdown here; when it gets to the bottom it'll generate another set of passwords, and then I have to type in that password whenever I log in. So how does that work? Well, let's just talk a little bit about how it works. In actual fact it basically ties back into our message authentication codes that we were talking about in a previous video, right? We had HMAC with a key, which would be used to generate two sub-keys, but we won't dwell on that, and a message. In hash-based one-time passwords, or HOTP, we actually calculate the HMAC of a secret key S and a counter that we're counting up, right? So the first time I log into this website the counter will be 0, or 1, it's not important, right? But obviously my device, that I'm using to generate these one-time passwords, and the server have to be on the same number. The secret key we've shared beforehand, hopefully not in plain text to everyone, all right? So it'll be some long string that a server gave me when I first created my account, or when I first set up this authentication system. The idea is that we're combining our secret key, that only me and the server know, with whatever the counter currently is, to generate a one-off hash, which is then essentially shortened and turned into a small number. The way we do that is we take certain bytes from the HMAC, because that's going to be, for example, for an HMAC of SHA-1, that's going to be 60 bits. So we take four bytes from here. We calculate those four bytes modulo 10 to the d, where d is how many decimals we want, right? So on my Google Authenticator, I was using six.

So your authentication app would have a certain number of digits in the output, and what would happen is the server, when you log in, will perform the exact same calculation, because they know the two things that we do: they know the secret key, and they know the counter. Right, now I'll get on to exactly, because Google Authenticator extends this to use time, and we'll talk about that in a moment. But the interesting thing about this is, in actual fact, it's really a second password, all right? This secret key is a big long password that we have, that is stored on my phone or my other device and stored on the server. So in some sense that can also be compromised. It's still vulnerable to phishing and many other security issues. The problem with this, like, it's quite widely used, the problem is that you might accidentally get out of sync. Let's imagine that you generate one of these one-time passwords, but then someone phones you up and you get distracted and you wander off, right? Then you generate another one, try to log in, and you're out of sync, and we've got a real problem. So what we use instead, and this is what Google Authenticator does, is TOTP, or a time-based one-time password. So all that's happening here is we're replacing our incrementing counter with the current time, all right? So that as long as me and the server are roughly at the same time, we can log in. We still keep this shared secret between ourselves. There's obviously a few niggly details that we have to consider here. So first of all, you know, what unit of time we're using. We can't use milliseconds, because the chance of me and the server being on the same number of milliseconds is astronomically low, and I can't type in the one-time password in a millisecond for it to be... I mean, I could type pretty fast. No. So what we do is we, let's say, round to the nearest, or floor to the nearest, 30 seconds. So what you would do is you would take the Unix time, the number part of Unix time, right?

So, you know, somewhere buried deep down inside that system there's a little counter. We take that Unix time divided by, let's say, 30, okay, and then the floor function, which basically goes down to the nearest integer. So what we're saying there is, in thirty-second blocks, generate a unique number, right, which in essence replaces this counter, right? We still use an HMAC as before. Now in practice, in case they're out by, let's say, a minute or two minutes, we might calculate on the server side C + 1, C - 1, just to see if they're okay, they're close enough, right? So for example, when I look at the password on my app, if it's about to expire I can still type it in, because even if it's just expired it'll still be allowed, right? And a security parameter of these systems is what the window size is. So I'm just oversimplifying this slightly. Actually we can subtract a start time here, right? Like, the default is zero, which is why I haven't bothered to talk about it, but you can agree with the server a time to start, and you essentially take Unix time minus whatever your start time is. But let's not get into, you know, too much pedantry. Presumably that helps with the time zones, right? Yeah, I mean, time zones cause a problem here; that's for another video. Yeah, I know, right, accounting; we had a video on that. From the bank, I think, due for ease of a technical term, very similar. So what happens, so smart cards are actually, to pass a little bit, smarter than people think, and they actually perform encryption and all kinds of things. What that machine will do is essentially a challenge-response. It will send a request to the card for it to perform a certain cryptographic function. The card asks for the PIN; you supply a PIN, and it performs a function which is then turned into a one-time password, right?

So it basically verifies that you are both in possession of your card and have the PIN, which is good news. Other banks will work on this kind of principle with a time-based system, and hopefully they ask you plenty of times. So in my bank, to log in I have to use this device, and then to send any money I also have to use this device. And this stops the classic replay attack and time-of-check, time-of-use issues, where I've logged in, wandered off, stupidly left my online banking logged in, and then someone has stolen all my money, which would be, if not quite as much as they'd like... I've always had a slight concern with the multi-factor authentication they've used in Star Trek, where they read out their password aloud, in front of everyone else. I mean, okay, yes, so the voice recognition part of it, there's something they have, maybe you can't steal that, but now everyone knows your password. It's hoped they may change them daily. I'm sure they've solved it by then; that we release their problems.
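The HOTP and TOTP construction described in the captions (HMAC of a shared secret over a counter, four bytes picked out of the MAC, reduced modulo 10^d, and the counter swapped for floor((Unix time - start time) / 30) with a C-1..C+1 server window), written out as an added example. This is not code from the video or from Google Authenticator; it follows RFC 4226 and RFC 6238, and the secret and timestamps in the demo are the published RFC test vectors, not anything from the page.

```python
"""HOTP / TOTP as described in the video, plus the server-side +/-1 window.

Added example, not part of the Computerphile transcript. Follows RFC 4226
(HOTP) and RFC 6238 (TOTP). The demo secret and times are the RFC test
vectors, chosen so the output can be checked against the RFCs.
"""
import hashlib
import hmac
import struct
import time

# RFC 4226 / 6238 test-vector secret (ASCII "12345678901234567890"); a real
# deployment shares a random secret at enrolment, as the video describes.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """HMAC(secret, counter), truncated to `digits` decimal digits (RFC 4226)."""
    # The counter is the HMAC "message": an 8-byte big-endian integer.
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, digestmod).digest()  # 20 bytes for SHA-1
    # Dynamic truncation: the low nibble of the last byte picks which 4 bytes
    # of the MAC to keep; the top bit is masked so the value is a positive int.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    # "Modulo 10 to the d": keep the last `digits` decimal digits, zero-padded.
    return str(code % 10 ** digits).zfill(digits)


def totp_counter(unix_time: float, step: int = 30, t0: int = 0) -> int:
    """floor((T - T0) / step): the time-derived replacement for the counter."""
    return int((unix_time - t0) // step)


def totp(secret: bytes, unix_time=None, step: int = 30, t0: int = 0,
         digits: int = 6, digestmod=hashlib.sha1) -> str:
    """TOTP is just HOTP with the current 30-second block as the counter."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(secret, totp_counter(unix_time, step, t0), digits, digestmod)


def verify_totp(secret: bytes, code: str, unix_time: float, window: int = 1,
                step: int = 30, t0: int = 0, digits: int = 6) -> bool:
    """Server-side check: accept blocks C-window .. C+window (the video's C-1, C+1).

    A code that has just expired is still accepted; one two blocks old is not.
    Comparison is constant-time so the check itself leaks nothing about the code.
    """
    c = totp_counter(unix_time, step, t0)
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, c + delta, digits), code):
            return True
    return False


if __name__ == "__main__":
    # HOTP counters 0..2 (RFC 4226 expects 755224, 287082, 359152).
    for counter in range(3):
        print(f"HOTP counter={counter}: {hotp(DEMO_SECRET, counter)}")
    # TOTP at T=59 falls in block 1 (RFC 6238 expects 94287082 for 8 digits).
    print("TOTP T=59, 8 digits:", totp(DEMO_SECRET, 59, digits=8))
    # Window behaviour: the block-1 code is still good 30 s later, not 60 s later.
    code = totp(DEMO_SECRET, 59)
    print("accepted at T=89:", verify_totp(DEMO_SECRET, code, 89))
    print("accepted at T=120:", verify_totp(DEMO_SECRET, code, 120))
```

Both sides run exactly the same `hotp` function, which is the point the captions make about the server "performing the exact same calculation": the secret is effectively a second, long, stored password, and the only thing time adds is agreement on which counter value to use. The `window` argument is the security parameter the video mentions; widening it tolerates more clock skew at the cost of accepting more stale codes.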
Info
Channel: Computerphile
Views: 471,880
Keywords: computers, computerphile, computer, science, Computer Science, University of Nottingham, Dr Mike Pound, 2FA, two factor authentication, 2 factor authentication, multi factor authentication, 3 factor authentication
Id: ZXFYT-BG2So
Length: 12min 34sec (754 seconds)
Published: Wed Aug 30 2017