Sunday 20 April 2014

GOOGLE TWO-STEP AUTHENTICATION WEAKNESS

Two-step or two-factor authentication means that to log into a service you need your login and password (something you know), plus an additional code, for instance generated on your smartphone or held on a USB device (something you have). Generally speaking, multi-factor authentication is far more secure than credentials alone, which can be stolen, keylogged, intercepted, or brute-forced.

Google's messaging service, Gmail, provides such 2-step authentication. There are two ways I know of to enable it: either by asking Gmail to send an SMS with the verification code, or by installing the Google Authenticator application on your smartphone, which generates verification codes. Either way, you have your usual credentials, login and password, plus a verification code.


WHAT IS THE PROBLEM?
___________________________________________________________
Gmail's 2-step system also adds two other kinds of codes: Application Specific Passwords (ASP) and Backup One Time Passwords (BOTP). BOTP are to be used when you do not have your smartphone with you for any reason (lost, broken, or stolen). Your credentials are still needed, both login and password, and a BOTP is used in place of the verification code. Once a BOTP is used, Google automatically expires it, and you receive a nice email telling you that someone just used a backup code to enter your account. When you enable 2-step authentication, ten BOTP are created by default. It is advised to print them and store them in a safe place. Regarding BOTP, so far so good: they cannot be used to lessen the security of 2-step authentication, and they are a convenient way to regain access to your account.

Application Specific Passwords (ASP), on the other hand, are for devices that are not 2-step compatible, such as a smartphone. On a typical smartphone, if you just register your Gmail account with your login and password, it cannot log into your account, because it is not "2-step aware". For this kind of device, Google lets you generate an ASP. Using an ASP basically means the device needs only login + ASP, nothing else. More globally, this means you can log in from anything (smartphone or computer) with just a login + ASP, without the account password, bypassing the very principle of 2-step authentication. Also, if you have a strong account password, it may even be easier to use the ASP instead to hack into your account. Apparently a specific request to android.clients.google.com is also required, as tested on duosecurity.com. So it is not as easy as opening your browser and entering the login and ASP only, but if an HTTP request is all that replaces the account password, that is still a serious weakness. You could also enter the login + ASP on a smartphone for an easier procedure.

It seems from the above link that Google is aware of the issue and has already taken steps to mitigate the risks (like not granting access to account security settings when logged in with an ASP). Also, when you create an ASP, Google clearly warns that it grants full access to your account. Nonetheless, your Gmail access is not true 2-step authentication with this ASP hole. If you are really concerned about it and must have true 2-step authentication, the only thing you can do is not create any ASP. Does that mean you cannot read your Gmail from your phone? Fortunately, on BlackBerry 10, such as the Q5 for instance, the smartphone is natively 2-step aware, and upon entering your login and password you get a true Gmail web page asking for a verification code. I have no idea for other smartphones, but I hope it holds true for Android as well :-)
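The three kinds of codes discussed above (the verification code generated on the phone, the single-use backup codes, and the ASP) can be modelled from the server's point of view. The following is an added example written for this post, not Google's implementation: it generates time-based codes the way an authenticator app does (RFC 6238 TOTP, HMAC-SHA1, 30-second steps, 6 digits), accepts each time step at most once so a code captured in transit cannot be replayed, stores backup codes hashed and removes each one on first use, and shows that a login with an application-specific password proves a single secret rather than two factors. The shared secret is the RFC 4226/6238 test key; the Account class, its password, and the ASP format are constructed for the example.

```python
"""TOTP, single-use backup codes and an app-password path as a server sees them.
Added example for this post; not Google's code. The shared secret is the
RFC 4226/6238 test key and all account data is constructed."""
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at // step), digits)


def _h(code: str) -> str:
    # Backup codes and app passwords are stored hashed, never in clear.
    return hashlib.sha256(code.strip().encode()).hexdigest()


class Account:
    """Constructed server-side state for one account (hypothetical model)."""

    def __init__(self, password: str, totp_secret: bytes, n_backup: int = 10):
        self._password_hash = _h(password)
        self.totp_secret = totp_secret
        self.last_used_step = -1          # highest TOTP step already accepted
        self.backup_codes = []            # plaintext, shown once so the user can print them
        self._backup_hashes = set()
        while len(self._backup_hashes) < n_backup:
            code = f"{secrets.randbelow(10 ** 8):08d}"
            if _h(code) not in self._backup_hashes:
                self.backup_codes.append(code)
                self._backup_hashes.add(_h(code))
        self._app_password_hashes = set()

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self._password_hash, _h(password))

    def verify_totp(self, code: str, at=None, step: int = 30, window: int = 1) -> bool:
        """Accept a code from the current step +/- window; each step is usable once."""
        if at is None:
            at = time.time()
        now = int(at // step)
        for t in range(now - window, now + window + 1):
            if t <= self.last_used_step:      # replayed, older, or negative step: reject
                continue
            if hmac.compare_digest(hotp(self.totp_secret, t), code):
                self.last_used_step = t
                return True
        return False

    def verify_backup(self, code: str) -> bool:
        """A backup code works exactly once; it is removed on first use."""
        h = _h(code)
        if h in self._backup_hashes:
            self._backup_hashes.remove(h)
            return True
        return False

    def create_app_password(self) -> str:
        """Random 16-letter ASP (constructed format, not Google's); stored hashed."""
        asp = "".join(secrets.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(16))
        self._app_password_hashes.add(_h(asp))
        return asp

    def login(self, password=None, code=None, app_password=None, at=None) -> frozenset:
        """Return the set of factors actually proven by this login attempt."""
        if app_password is not None:
            # One secret, no account password, no second factor: the ASP path.
            if _h(app_password) in self._app_password_hashes:
                return frozenset({"app-password"})
            return frozenset()
        if password is None or not self.check_password(password):
            return frozenset()
        if code is not None and (self.verify_totp(code, at) or self.verify_backup(code)):
            return frozenset({"knowledge", "possession"})
        return frozenset()   # the password alone is not enough
```

The returned factor set is the point: the normal path yields both "knowledge" and "possession", while the ASP path yields a single "app-password" entry, which is why an ASP must be treated as a full-access credential and protected like one.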

I have read that Google is planning this year to allow the native use of a YubiKey instead of Google Authenticator. A YubiKey is a simple USB device seen as a keyboard by the OS; upon a press of the finger, it sends an encrypted One Time Password (OTP), different for every touch, which by definition cannot be reused. A YubiKey is more secure than an application such as Google Authenticator because it does not require any driver or software, is not connected to any network (unlike a smartphone), is waterproof and crush-safe, and has no battery. Also, each YubiKey has its own unique identifier and AES secret key, used by Yubico's servers to validate the OTP, that even Google or any other service does not know. Please note that currently using a YubiKey for Gmail is possible but really cumbersome: you have to download two pieces of software, one to customize the YubiKey's second slot and one to challenge it and send the answer back to Google. You also have to follow an inconvenient procedure to make this setup, and on every computer you log in from you will need to install software. To sum it up, it is possible, but it is not native support. A YubiKey can also be used for other online services such as LastPass (password manager), or the new encrypted email service Lavaboom (now in beta).


CONCLUSION
___________________________________________________________
All in all, enabling multi-factor authentication is far better than not using it, even with Gmail. Just be aware of the Application Specific Password weakness, and let's be ready for Google's next move in this area, if they decide to enable native YubiKey support for public accounts. Besides multi-factor authentication for your emails, if you also value your privacy and do not like your emails being read by someone else, you can take a look at the Lavaboom encrypted email service mentioned above, or stay tuned for Darkmail by the authors of the now closed Lavabit encrypted email service, used by Snowden. You may also check the Unseen.is service. I hope more online services will use the YubiKey in the future, as it is far stronger than just a password, and more secure than generating a code with software on a computer or smartphone.

Update 1: Criminals now target both computers and smartphones, retrieving the verification code from the phone as well, to bypass two-factor authentication. Logging in with a YubiKey is not vulnerable to this kind of attack.

LINKS
___________________________________________________________
http://darkmail.info/
http://www.lavaboom.com/
http://www.yubico.com/
https://lastpass.com/
https://www.duosecurity.com/
http://www.forbes.com
http://www.dailytech.com
https://unseen.is/


Follow me @gkweb76