What happens when hardware authentication tokens get 0wned?
How bad can it be? Can two-factor authentication turn into an open door?
Published 14:37, 23 March 11
This is not an RSA SecurID story - there are plenty of those, you can find them all over, or read some extraordinarily timely advice shipped by US-CERT to US Government agencies about (ahem) best practices in systems assurance.
Instead this is a personal war-story.
Sorry, no names will be provided, and I want to make it clear that what follows is not in respect of any current product manufactured by any company.
However: I spent a long time working for a Silicon Valley-based hardware manufacturer, and at one point in the early 1990s the team I worked with were assessing various manufacturers' hardware authentication tokens.
There were a bunch of manufacturers making them at the time - some were time-locked, others were challenge-response. One seemed particularly ergonomic and solid, and so we made enquiries amongst other friends / researchers in the security community.
So we phoned up this Notable Security Geek (NSG) - the conversation went a bit like this:
Us: We're really interested in this token
NSG: I'll phone you back (Hangs up)
He calls us back later:
NSG: What serial number is on your token?
Us: 12345678 (or something)
NSG: What number is currently on screen?
Us: 00CAFEDEAD (or something)
NSG: Okay - the next three numbers it will generate are (provides three numbers) ...
Us: (and the numbers prove to be correct) Ooo... dat's bad...
So you can understand why we didn't buy that particular hardware token solution.
Any basic Computer Science course will tell you that authentication is achieved by proving:
something you know, something you have, something you are
...which any computer-security expert will tell you eventually equates to:
something you forgot, something you lost, something you used to be
- but the point of hardware security tokens is to try to improve your security by replacing passwords ("something you know") with a supposedly harder-to-bypass, harder-to-replicate unique physical device: a hardware security token ("something you have").
However if you can handle the device briefly and - possibly by cross-referencing with some kind of database - obtain enough data to pwn it forever, the implications for your security would be horrific; not only for your extended security exposure but also the economic cost of the fiddly process to replace every device.
Password replacement is cheap by comparison - which in part is why I am still a strong supporter of passwords irrespective of how much damage I've done to them over the years. But if you take your security really seriously, you might want to look at hybridising both something you know and something you have, buying a good quality (perhaps challenge-response based) token - or software equivalent - augmented with an wholly independent traditional password scheme. To my taste 4-digit PINs don't really cut it.
The downside, of course, is that if you make it too hard for your users to do their work, they'll just forward everything to GMail and walk around you.