Authentication isn't strong without encryption

Posted by:

admin 12 years, 1 month ago

A few days ago, Twilio posted about using their SMS service to "Build a Phone-based Two-Factor Authentication" (sic). As we have noted before, SMS-based systems are technically better than static passwords, but SMS-based authentication schemes seem to be proliferating without any consideration given to their relative security.  Twilio seems like a great service and this post shows how easy it is to use, but I think this post deserves a response, lest developers add insecure code to their application or are left with false impressions about the security of their authentication mechanisms.

First, let's look at a key snippet of the code suggested by Twilio:

$content = ('sms' == $method) ? "Your newly generated password is ".$password :
        "http://twimlets.com/message?Message%5B0%5D=Your%20newly%20generated%20password%20is%20%2C%2C" .
        urlencode(preg_replace("/(.)/i", "\${1},,", $password)) .
        "%20To%20repeat%20that%2C%20your%20password%20is%20%2C%2C" . urlencode(preg_replace("/(.)/i", "\${1},,", $password));
    $method  = ('sms' == $method) ? 'sms_messages' : 'calls';

I have asked Twilio via twitter (which is how I found out about the post) and in a comment on the blog post to comment on the use of http here, but have not had a response. I'm not a PHP developer and perhaps there is some encryption tunnel in Twilio or PHP that allows http connection calls without using https, but 1. I doubt it and 2. it should be noted on this post.

This error is easily corrected, I assume.  But even if we assume that the connection between Twilio and the carrier is encrypted, what happens then? Is it encrypted on the carrier's network? What is their incentive to secure it? Does anyone know of a carrier that guarantees the message will go to the correct device? Do you know if the user is using an SMS-to-email service such as Google Voice?

Let's compare this to how a PHP developer could add two-factor authentication. WiKID is different in that you have to set up a WiKID server. You can't just add it to your program. In fact, we recommend that you set it up on a separate box or instance. While this is 'extra work', it also adds to security by providing depth and specialization (that is, a breach of your app server does not mean a breach of your two-factor auth server)..

Your application is a wAuth Network Client on the WiKID server. Once added, you can download an X509 certificate for your application. The certificate provides encryption and identifies the network client to the WiKID server.

Add this code to your application to create the connection:

$servercode_default = "127000000001";
$server_host = "wikid-server.example.com";
$server_port = 8388;
$client_key_file = "issued-client-cert-and-key.pem";
$client_key_pass = "changeme";

$status = '';

$clean = array();
$valid_params = array('action','user','regcode','passcode','servercode');
foreach ($valid_params as $k) {
    $v = $_REQUEST[$k];
    // pull out the first word-chunk, and drop the rest
    $v = preg_replace('/^\W(\w+)./', '$1', $v);
    $clean[$k] = $v;
}
if (!empty($clean['action']))
{
    $clean['action'] = strtolower($clean['action']);
}


$wc = new wClient($server_host, $server_port, $client_key_file, $client_key_pass);
//print_r($wc);
if (!$wc)
{
    echo "Unable to load wClient!!";
}

Now, to allow users to login with their WiKID one-time passcode add this:

$isValid = false;
if (isset($clean['action']) && ($clean['action'] == "check online"))
{
    $isValid = $wc->checkCredentials($clean['username'], $clean['passcode'], $clean['servercode']);
    if ($isValid)
    {
        $status = "Success";
    } 
    else 
    {
        $status = "Authentication Failed";
    }
}

The communication between your application and the WiKID server is encrypted with SSL using client certs and between the WiKID software tokens and the WiKID server using asymmetric encryption. This means that it doesn't matter what network they pass through - you control the encryption.  Oh, and this is with both our commercial Enterprise Edition and the open-source Community Edition.  We have LGPL-licensed packages and example code for our API in Java, Ruby, PHP, Python and C#.

While setting up the server is more work, you get more benefits. We have a complete two-factor authentication API that allows you register new users, register users in a group, allow users to have multiple software tokens, delete a user, etc. In addition, the server supports standard networking protocols, so you can use the same two-factor authentication system for VPNs or remote access without having to add to your program.  WiKID also provides mutual https authentication where the token validates the web-application's SSL certificate for the end-user (if there is potential MiTM attack, the user gets a warning).  So, with WiKID you get two-factor authentication for the session and strong host authentication.

That being said: maybe you don't need to also protect your VPN; maybe you're not worried about MiTM attacks; maybe you only want to not send password resets through email in plain text.  Fine, but please at least use encryption where you can!

• Tags:
• Information Security,
• Mutual Authentication,
• Two Factor Authentication

• ← Do factors really factor anymore?
• Where to keep the keys? →