In the YouTube video below, Joshua Reynolds presents at the IEEE Symposium on Security and Privacy on two user studies he and his co-authors conducted on the usability of configuring and using Yubico’s YubiKey two-factor authentication security keys.
Two-factor authentication (2FA) significantly improves the security of password-based authentication. Recently, there has been increased interest in Universal 2nd Factor (U2F) security keys: small hardware devices that require users to press a button on the security key to authenticate. To examine the usability of security keys in non-enterprise usage, we conducted two user studies of the YubiKey, a popular line of U2F security keys. The first study tasked 31 participants with configuring a Windows, Google, and Facebook account to authenticate using a YubiKey. This study revealed problems with setup instructions and workflow including users locking themselves out of their operating system or thinking they had successfully enabled 2FA when they had not. In contrast, the second study had 25 participants use a YubiKey in their daily lives over a period of four weeks, revealing that participants generally enjoyed the experience. Conducting both a laboratory and longitudinal study yielded insights into the usability of security keys that would not have been evident from either study in isolation. Based on our analysis, we recommend standardizing the setup process, enabling verification of success, allowing shared accounts, integrating with operating systems, and preventing lockouts.
Two Factor Auth (2FA) is a website that lists popular websites and indicates whether or not each supports two-factor authentication. For those that do not, the site provides ready-made links for asking the company on Twitter or Facebook to add two-factor authentication.
On September 22, 2017, Nintendo released two-factor authentication for Nintendo accounts. The system uses Google’s 2FA system (so it would also work with the LastPass authenticator, which is what I generally use).
So at this point, my Nintendo account is more secure than my bank account. My bank doesn’t offer any form of routine 2FA, despite me constantly harassing them about adding it.
And really, even 2FA isn’t good enough when it comes to banking. There’s no reason banks and credit unions shouldn’t offer their customers the option of using U2F.
Google Authenticator is a plugin for self-hosted WordPress installs that lets you require Google’s Two Factor Authentication application for access to WordPress.
I’m currently using it on this blog and have to enter a numerical code from the Google Authenticator on my phone every time I log in to the admin area. The setup was trivial and it has worked like a charm.
The only drawback is that this renders your blog inaccessible from programs that are not set up to prompt you for a Google Authenticator code, such as the WordPress mobile apps for iOS and Android.
As I mentioned previously, my World of Warcraft account got hacked back in February 2010. One of the things I did after wiping my computer and recovering my account was to add a Battle.net authenticator to my account to add two-factor authentication. But, of course, even two-factor authentication won’t stop a man-in-the-middle attack, and apparently just such an exploit appeared in the wild targeted at World of Warcraft accounts.
To explain in the simplest way possible, instead of data being broadcast directly to Blizzard when trying to log in to your account, that data is being broadcast to a third party via this malware. This includes your authenticator code. Rather than you logging into your account, the hacker on the other end does so. They log into your account, clear out your characters, and move around virtual funds to fulfill orders from players buying gold. This method of circumvention has been theorized since the release of the key fobs, but it has only now started to actually happen.
Man-in-the-middle attacks aren’t anything new, but what I do find fascinating is that World of Warcraft has become so popular that there are attacks that target just it. There are apparently, for example, viruses that lurk in your system and are extremely difficult to detect except when the World of Warcraft client is launched.
In my case, someone who managed to compromise my computer could have accessed any number of accounts that could have cost me a lot more than just the small amount of gold I lost from my WoW account. That a major focus of some folks is virtual heists from a game is yet more proof that we’re all living in a science fiction novel.
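The contrast between the authenticator code above and the U2F keys mentioned earlier comes down to what the second factor is bound to. As an added illustration (not code from this blog, Blizzard, or Yubico), the Python model below uses the real TOTP construction (RFC 6238) for the authenticator code, and a deliberately simplified stand-in for U2F in which the device's signature is replaced by an HMAC over the origin plus challenge; the secrets and origins are constructed demo values.

```python
import hmac
import hashlib
import struct

# Constructed demo secrets; not real credentials.
TOTP_SECRET = b"demo-shared-secret"
DEVICE_KEY = b"demo-device-key"  # stands in for the security key's key pair
REAL_ORIGIN = "https://bank.example"          # constructed
LOOKALIKE_ORIGIN = "https://bank-login.example"  # constructed


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, RFC 4226 truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def server_accepts_totp(submitted: str, unix_time: int) -> bool:
    """The server only checks that the code matches the shared secret and time."""
    return hmac.compare_digest(submitted, totp(TOTP_SECRET, unix_time))


def device_assertion(origin: str, challenge: bytes) -> bytes:
    """Simplified U2F-style response: the device signs the origin the browser
    reports together with the server's challenge (HMAC stands in for ECDSA)."""
    return hmac.new(DEVICE_KEY, origin.encode() + challenge, hashlib.sha256).digest()


def server_accepts_assertion(assertion: bytes, challenge: bytes) -> bool:
    """The server recomputes over its own origin, so a different origin fails."""
    expected = device_assertion(REAL_ORIGIN, challenge)
    return hmac.compare_digest(assertion, expected)


def relayed_totp_is_accepted(unix_time: int) -> bool:
    """The code the victim typed into a look-alike page is just a string; a proxy
    that forwards it unchanged within the time step is indistinguishable from the user."""
    code_seen_by_proxy = totp(TOTP_SECRET, unix_time)
    return server_accepts_totp(code_seen_by_proxy, unix_time)


def relayed_assertion_is_accepted(challenge: bytes) -> bool:
    """The victim's browser is on the look-alike origin, so that origin is what
    the device signs; forwarding the response to the real site does not verify."""
    response_seen_by_proxy = device_assertion(LOOKALIKE_ORIGIN, challenge)
    return server_accepts_assertion(response_seen_by_proxy, challenge)
```

The first relay check returns True and the second False, which is the whole reason the origin-bound key, not the one-time code, is what a bank should be offering.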