shahine.com/omar/


yet another Microsoft blogger

# Sunday, August 17, 2008

Two-Factor Authentication for the rest of us

I’ve always been skeptical of the usability of two-factor authentication. Specifically, Microsoft employs a form of two-factor authentication using a Smart Card. To get access to our corporate resources from outside our network you are required to enter your username and password, insert your Smart Card (which is our badge) into a Smart Card reader, and enter your PIN. The Smart Card contains a certificate that is used to identify you to Microsoft (in addition to your username and password).

The problem with this is that each computer that you want to use to connect to corporate assets requires a Smart Card reader. Kind of a pain, especially since laptops don’t have PCMCIA readers any more (replaced by ExpressCard).

When thinking about using two-factor authentication for securing non work assets, I just assumed this would be a hassle.

VeriSign Two-Factor Authentication

I knew that a while back PayPal started to offer a PayPal Security Key that you could use as an extra layer of security when signing into PayPal or eBay. This seems like a good idea after all, because PayPal is linked to my bank account and credit card, and eBay holds one of my most important identities: my “seller reputation” is tied to it. An extra layer of security to sign into those sites seems like a good idea, but at what cost?

When I found out that VeriSign PIP (an OpenID provider among other things) started to offer extra security using a Security Token (and was compatible with the PayPal Security Key) I decided to give it a shot. After all, the entry price was $5. You can see the PayPal Security key below:

[photo: the PayPal Security Key]

In addition to the PayPal Security Key, VeriSign offers two additional solutions:

  1. VIP Security Card – a credit card sized Token
  2. USB Memory Key from SanDisk – a traditional USB Key with special software.

Both solutions cost more than $5, so I started with the PayPal key. I’m not interested in #2 since I view having to insert something into a computer as more of a hassle.

I received my PayPal key the other day and immediately fell in love with it. It’s small, and easy to use and easily found a place on my key chain. For $5 it’s a steal.

However, I was wondering what the VIP Security Card was like.

Luckily I’ve been chatting with the folks at VeriSign over the past few days and they were kind enough to send me a VIP Security Card to play around with.

All I can say is WOW. This thing is awesome. It’s the exact same size and dimensions as a credit card. I assumed it would be thick because it appears to have some kind of LCD, but actually it’s a form of screen similar to the Amazon Kindle’s: it consumes no power to display the current code, only to change it. Your security code is only ever valid for 30 seconds and each one is unique (a One Time Password).
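The 30-second, single-use code the card shows is what the OATH standards call a time-based one-time password. The Go program below is an added example written for this post; it is not VeriSign’s code and not the proprietary algorithm the VIP card actually runs (the post does not describe it). It implements the published RFC 4226 (HOTP) and RFC 6238 (TOTP) construction, which is the same idea, together with the server-side check a provider needs: tolerate a little clock drift between card and server, but never accept the same code twice. The secret, the timestamps and the names are constructed for the demonstration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

const (
	Digits   = 6  // length of the displayed code
	StepSecs = 30 // the card shows a new code every 30 seconds
)

// HOTP implements RFC 4226: HMAC-SHA1 over the big-endian counter,
// dynamic truncation to 31 bits, then reduce modulo 10^digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP (RFC 6238) is HOTP with the counter set to floor(unixTime / step).
func TOTP(secret []byte, unixTime int64, step int64, digits int) string {
	return HOTP(secret, uint64(unixTime/step), digits)
}

// Verifier is the provider's side: it holds the same secret as the token and
// remembers the newest time step it already accepted, so a code that someone
// watched you type cannot be replayed within its 30-second lifetime.
type Verifier struct {
	secret       []byte
	lastAccepted int64 // highest time step already consumed (-1: none yet)
	skew         int64 // steps of clock drift tolerated in each direction
}

func NewVerifier(secret []byte, skew int64) *Verifier {
	return &Verifier{secret: secret, lastAccepted: -1, skew: skew}
}

// Verify accepts code only if it matches the current step or one within
// +/- skew steps, and that step is newer than anything accepted before.
func (v *Verifier) Verify(code string, unixTime int64) bool {
	now := unixTime / StepSecs
	for delta := -v.skew; delta <= v.skew; delta++ {
		step := now + delta
		if step <= v.lastAccepted {
			continue // one-time: every step is usable at most once
		}
		want := HOTP(v.secret, uint64(step), Digits)
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			v.lastAccepted = step
			return true
		}
	}
	return false
}

func main() {
	// Constructed demo secret (the RFC 6238 test-vector seed), shared by token and server.
	secret := []byte("12345678901234567890")
	now := time.Now().Unix()
	code := TOTP(secret, now, StepSecs, Digits) // what the card would display right now
	v := NewVerifier(secret, 1)
	fmt.Println("code:", code, "first use:", v.Verify(code, now), "replay:", v.Verify(code, now))
}
```

The replay guard is what turns a "valid for 30 seconds" code into a true one-time password: within the window the same digits are still correct arithmetically, but the verifier has already consumed that step.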

[photos: the VIP Security Card]

Personally, I prefer this format better since I can just throw it in my wallet and my wallet is always with me, unlike my keys.

Other Two-Factor Authentication systems

I should point out that two-factor authentication does not have to be limited to physical tokens like the ones mentioned above. There are numerous other mechanisms that other OpenID providers utilize. VeriSign summarizes a whole slew of them here.

SSL Certificates

VeriSign and myOpenID both support SSL Client Certificates, but they both implement them differently.

Most people are familiar with server-based SSL certificates. These are the things that practically every single ecommerce site or financial institution uses to encrypt the information between you and them. It makes it so that the bad guys cannot sniff your traffic and steal your credit card or other personal information. Generally speaking these have been adequate protection for hundreds of billions of dollars in transactions over the years. Since it’s hard for the bad guy to pretend to be the server you are interacting with, they tend to focus on things like phishing and man-in-the-middle attacks to steal your username and password (and now DNS exploits).

For years we have been trained to look for the “lock” icon when dealing with secure websites.

[screenshot: the browser “lock” icon]

Over time this has evolved to include more prominent UI features, as you can see below in IE 7

[screenshot: the IE 7 address bar]

and Firefox 3

[screenshot: the Firefox 3 address bar]

However, little attention has ever been paid to client-side SSL certificates. They work just like server-side certificates except that the authentication is mutual. In other words, not only do you validate that the web site is who it says it is, but the website is validating that you are who you say you are. This is done because the server and you share a secret, and SSL is a mechanism for verifying that you both know the secret without exchanging that secret with each other. Sounds complicated? It might, but this is the basis upon which Public Key Infrastructure (PKI) is built.

At the end of the day, what you need to know is that this can be a two-factor authentication mechanism because you install the client SSL certificate on each computer from which you plan to log in to the service (in this case the OpenID provider); after you authenticate to the service using a username and password, the service has an additional layer of authentication via your client SSL certificate. It’s like a “Soft Token” (a software version of a hardware token, like those mentioned above).
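To make the mutual check concrete, here is an added Go example (written for this post; it is not VeriSign’s or myOpenID’s code, and the names openid.example and omar are made up). A TLS server configured with RequireAndVerifyClientCert completes the handshake only for a client that proves possession of the private key behind a certificate the server trusts; a client with no certificate is cut off before any username or password could even be sent. The demo shortcut is that each side trusts the other’s self-signed certificate directly, whereas a real provider would issue client certificates from its own CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"time"
)

// newSelfSigned mints a throwaway self-signed certificate for name.
// Demo shortcut: the cert is its own trust anchor; a real provider would sign
// client certificates with a CA it controls.
func newSelfSigned(name string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: parsed}, parsed, nil
}

// MutualTLSExchange starts a TLS server on the loopback interface that refuses
// any client without a trusted certificate, connects one client to it, and
// returns the server's greeting. With presentClientCert=false the handshake is
// rejected and an error comes back instead of a greeting.
func MutualTLSExchange(presentClientCert bool) (string, error) {
	serverCert, serverX509, err := newSelfSigned("openid.example") // made-up provider name
	if err != nil {
		return "", err
	}
	clientCert, clientX509, err := newSelfSigned("omar") // made-up user name
	if err != nil {
		return "", err
	}
	trustedClients := x509.NewCertPool()
	trustedClients.AddCert(clientX509)
	trustedServers := x509.NewCertPool()
	trustedServers.AddCert(serverX509)

	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		// The "soft token" check: the handshake only completes if the client
		// proves it holds the private key behind a certificate we trust.
		ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs:  trustedClients,
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	if err != nil {
		return "", err
	}
	defer ln.Close()

	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		defer conn.Close()
		srv := conn.(*tls.Conn)
		if err := srv.Handshake(); err != nil {
			return // missing or untrusted client certificate: nothing else happens
		}
		// The identity comes from the verified certificate, not from anything typed in.
		who := srv.ConnectionState().PeerCertificates[0].Subject.CommonName
		fmt.Fprintf(srv, "authenticated %s", who)
	}()

	clientCfg := &tls.Config{RootCAs: trustedServers, ServerName: "openid.example"}
	if presentClientCert {
		clientCfg.Certificates = []tls.Certificate{clientCert}
	}
	cli, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return "", err
	}
	defer cli.Close()
	reply, err := io.ReadAll(cli) // surfaces the server's TLS alert when we were rejected
	if err != nil {
		return "", err
	}
	return string(reply), nil
}

func main() {
	for _, withCert := range []bool{true, false} {
		reply, err := MutualTLSExchange(withCert)
		fmt.Printf("client cert=%v reply=%q err=%v\n", withCert, reply, err)
	}
}
```

The point to notice is that the server never sees a secret travel over the wire: it checks a signature made with the client’s private key against the public key in a certificate it already trusts, which is why the certificate can only be used from the machine it was installed on.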

VeriSign and myOpenID have two different uses for SSL client certificates. For VeriSign they work much like a hardware token, meaning you have to possess the client certificate and your username and password to gain access. If you don’t have your client certificate installed you can have a temporary access code sent to your phone via SMS or to your email account.

myOpenID uses the SSL certificate as a way for you to log in to the site without entering your username and password. So in a way it’s a replacement for your password credential, and works a bit like an Information Card.

Image Authentication

Some services like myVidoop.com (another OpenID provider) use images as a form of two-factor authentication. After you log in you are presented with a series of images from categories that you pre-selected, mixed with pictures from random categories. Since only you know the categories you picked, you enter the special codes corresponding to those categories. There is no password per se: your selection of the right images from the right categories is your password. Clever.

These images work in conjunction with specialized code they have to “activate” a browser. In other words, you only get to go through the image identification once you’ve confirmed the browser to myVidoop. If you have not you can use SMS or email to temporarily activate your image authentication.

So in this case, your two factors are 1) proving the identity of your browser to the service and 2) authenticating using images.

I have to admit, I’m still getting my head wrapped around this one. I haven’t yet figured out how they “identify” a browser.

Phone Based Authentication

There are two forms of Phone authentication that I’ve run into. Voice authentication that myOpenID uses and SMS based authentication that a number of services use.

CallVerifID is a service myOpenID runs that allows you to use your plain old telephone to authenticate. When you sign in to myOpenID you receive a phone call from them; press # to confirm. Very simple.

SMS verification is currently supported by VeriSign and myVidoop to allow authentication in the case where your primary two-factor mechanism is not available. This comes in very handy, say, if I am not near my hardware token or I’m too lazy to go get it from my wallet and my iPhone is right in front of me :-).

Final Thoughts

As you can see, there are numerous options today for two-factor authentication. You can immediately secure such assets as your PayPal and eBay account with any VeriSign VIP product. Furthermore as OpenID continues to gain in popularity, you’ll have more options for securing your Identity on other services.

I’d say this is progress.


Sunday, August 17, 2008 11:07:45 AM (Pacific Daylight Time, UTC-07:00)
Thanks for writing about this. Just ordered my own from VeriSign. Hopefully my bank will also support it soon.

Take care.
Dave Largo
Sunday, August 17, 2008 12:21:41 PM (Pacific Daylight Time, UTC-07:00)
I always disliked Microsoft's insistence on smart cards
It seems a throwback to the age when they were competing with JavaCard and such. Or some reluctance to endorse RSA for some reason. Having been in your shoes, the MSIT bubble you are forced to live in has given you the impression that somehow 2-factor auth is all as bad as the smartcard auth used at MS.

You should be aware that RSA SecureID tokens have been doing this for roughly forever.
A huge number of corporate VPNs are based on it, it works very well. The credit card form factor is neat but the key fobs are easy too.

EE
Sunday, August 17, 2008 1:51:02 PM (Pacific Daylight Time, UTC-07:00)
multi-factor auth is a great thing, and the OTP form factors like the secureID, etc... are by far the easiest.

It's going to be horrible though, when we all need to carry a key ring filled with these Verisign fobs around, because we have one for the bank, one for Paypal, one for the site to pay our utilities, one for......

People have generally accepted the idea of having a thousand user names and passwords. I don't think anyone is going to spend $5000 on the separate fobs for everything, even if they are only $5 a piece.

This is a good forcing function for a secure identity metasystem.
Sunday, August 17, 2008 8:57:18 PM (Pacific Daylight Time, UTC-07:00)
you can use the same token for all sites that support verisign
Omar Shahine
Sunday, August 17, 2008 10:55:53 PM (Pacific Daylight Time, UTC-07:00)
Thanks for posting about this. I'd been thinking about ordering one of the Paypal fobs, but that was prior to seeing this post. I just ordered one of the Verisign cards instead.
Monday, August 18, 2008 7:06:04 AM (Pacific Daylight Time, UTC-07:00)
You may be interested in a slightly lower-tech two factor auth system offered by Entrust called IdentityGuard. It can be configured to use smart cards and other tokens, but it also supports grid cards, picture and text based mutual auth, machine auth (using a secure machine nonce) as well as risk-based auth.

So you could be asked for a grid based challenge (eg give the numbers or letters at A2, C7, G9 on your grid card) after your initial username and PW login, but only after you have failed an IPGeolocation test.

IdG lets you combine as many auth factors as you need and the beauty of Grid cards is they are way cheaper to make and replace than either smart cards or tokens.

Just thought you might be interested.
Mike Park
Monday, August 18, 2008 2:36:51 PM (Pacific Daylight Time, UTC-07:00)
Hi Omar,

Thanks for the post, we have answered a lot of questions about our service on Get Satisfaction. To address yours we use a cookie and flash object to identify your browser. In addition to being an OpenID provider we also offer a password manager, more info here.

I do have to admit that the VIP security card is cool, though as mentioned expensive to deploy on a wide scale. Also I already have two key cards, one for parking and one for office, I want to see a universal key card that I can program for anything. Either way like you say it is nice to see all these options available to help people get away from the old school login & password.

-Kevin
Tuesday, August 19, 2008 1:32:44 PM (Pacific Daylight Time, UTC-07:00)
Omar -

Glad to hear you like the VIP Security Card! I wanted to let your readers know that in addition to eBay, PayPal and VeriSign's PIP OpenID provider, you can use your card (or PayPal Security Key) at other sites which are members of VeriSign's VIP Network like AOL and GEICO. The full list is available at https://idprotect.verisign.com/wheretouse.v.

All of these companies use the same simple SOAP API to validate the security codes generated by VIP Credentials, and we've published that API so that the developer community can try it out and see that true two-factor authentication can be as simple as a few lines of code. Check out the VIP Developer Test Drive at https://vipdeveloper.verisign.com, where you can download the API, sample code, and get access to VeriSign's test environment.

-- Jeff
Tuesday, July 21, 2009 7:57:00 PM (Pacific Daylight Time, UTC-07:00)
you should check out PhoneFactor. Best two-factor auth I've ever used!

phonefactor.com
Acoustic