Two-Factor Authentication

Updated 11/22/03

Two-factor authentication is simply a more advanced method of password-protecting access to a computer or file. Under standard methods of accessing a protected computer or file, you prove to the computer that you have access to your account by providing your password (something you know). However, passwords are often not secure, and can in many cases be cracked fairly easily (especially on NT systems with outdated password hashes). Another method takes some piece of electronics (such as something the size of a USB flash drive that you can hook onto your keychain), that when connected to a computer, allows you to log in (there are other devices that work in similar ways, such as challenge-response keypad devices). The problem with this is that if someone steals your key, they have access to all your files.

The solution, then, is two-factor authentication: using both something you know (a password) and something you have (a certain pattern of bits stored on a device) to give you access to a restricted account or an encrypted file. For more information on how this works, you may want to look at this article.

While you can use a variety of commercial (i.e. expensive) products to do this type of authentication, there is a simpler (if less foolproof) way of creating your own "homebrew" two-factor authentication process, at least for standard password protection (for files or encrypted disks - this particular method cannot be replicated for computer logons, although it could be adapted for a PDA device if you are determined enough).

Let's start out with something you want to encrypt - in this case, we'll use a database where a lot of your internet passwords are stored. Given that you don't want most people getting ahold of this information, you don't want to use just a simple password, that could either be guessed or possibly brute-forced fairly easily. So, we are going to use two-factor authentication.

First, we need to create our first factor - something you have. For this scheme, that something is a unique computer file - a pattern of bits that only you have access to. For something like this, use something unique that only you would be likely to have - say, one of your personal digital photos rather than some mp3 you downloaded. The idea behind this is that you should pick a file that people wouldn't think of as being used for encryption (this doesn't matter if you use the variation on this method below). One thing you could do, to be unique, is to write an original story or essay into a file and save that (or save a file full of randomly generated bits of data). For this example, we will be using a JPEG image of Mr. Name On Hat.

The next step in processing this file is to hash it (try DropTBZ2 for the Mac, or digestIT 2003 for the PC). I would recommend using the SHA-1 hash, as it is readily available, gives you a longer string, and is less likely to be broken than MD5. The key point of this hash is that it produces an original string of characters through a mathematical one-way process: only the original file will produce the original hash. Mrname.jpg gives us a hash of 5f56249accad7ee0833858155279c41e3486fff3 - not too bad of a password right there, but we can make it better. Short of being crazy enough to memorize this, only our key file will generate this particular string.

Now, for the part about something you know - i.e. your password. For something like this, try to create a password that is fairly complex, but not needlessly so - a passphrase consisting of a unique group of words known only to you should suffice. Have this phrase ready to type in.

Now comes the part where you put it all together. For the final stage of this process, I use a freely available online script that I wrote called AsciiWeb (use this version if you're on a PC), although any non-session-key symmetric encryption algorithm will work (albeit with a bit more effort). For maximum security, you might want to download the source of that page and run it locally, rather than submit submit your key over the net to my site (which, being the good computer user that you are, you should not trust by default).

The next stage is simple - take your pass phrase (for this example, the phrase "The clock dings two candles at dinnertime" without the quotes) and enter it into the box where it says "Step 1 - Enter A Password." Then, take the SHA-1 fingerprint string from your file, and paste it into the box under "Step 2 - Enter Your Message." Once you've done this, simply click on the "Encrypt" (or "Run Asciiweb") button to run the program. If you're interested in adding even more security with a third thing to remember, you can change the number of iterations that the algorithm runs as well (the default is 4).

If all went well, you should now have this string:

Xj~%h^Qno@ iZjydNiITBDG@H;Qg$^gjShCR0&A"

The string above is made by using an encryption algorithm to combine the data from the thing you have (the checksum from the unique file) and something you know (the string of data from your password) into a unique string of text. Looking at this string, it is a very strong password - it is long, and it combines upper- and lower-case letters, numbers, and special symbols. As such, it should be very hard to brute-force this in a timely fashion, especially with the security built into modern encryption algorithms. Also, it should be noted that by using this method, the only thing you actually type is your pass phrase, and not the actual finished password - because of this, the password that is generated cannot be captured by keystroke sniffers or most keylogger trojans (although it may still be vulnerable to more advanced trojans that capture the screen). Finally, the nice thing about this is that either your key or your passphrase could become compromised, but the password you actually used to encrypt the file would still be secure - each factor is worthless without the other.

So, in the end, you now have a very secure password that is very hard to crack, which should make your IT people (and yourself) happy - but all you have to remember is an easy-to-recall passphrase and the location of a singe file.

Variant: The procedure outlined above assumes that you just grab a file off of your hard drive to use for the key. This is security by obscurity, and is not proof agaiinst a very determined attacker - if your passphrase is compromised, someone could try to run ASCIIWeb with a checksum from every single file on your disk until they found the key. The more secure way to do this is to purchase a USB keychain drive - they're small, light, and can be carried with you at all times (such as, literaly enough, on a keychain - you can also get watches and pens that have USB storage in them).

To use this, first, insert the drive into a USB port so that it mounts on the desktop. Now, the next step is to create your unique key - you can create a new text document and write up your own unique story - or, better yet, generate a pseudorandom (type in some random text and hit the generate code block button) or random data (I personally like the random bitmap, as it's less easy to manipulate by mistake).

Once you have that data in the file, save the file directly onto the USB drive - DO NOT save the file to disk first and then drag it onto the drive, as this negates some of the security (unless you securely wipe the file with a Gutman algorithm afterwards). In fact, if you have space on the drive, you might want to also include a VERIFIED copy of a checksum program and the ASCIIWeb or other encryption algorithm source so that you can ensure that your processing of the final password is done with programs that have not been compromised. Then, remove the disk, lock it (or password-protect it if you feel the need, just don't use your pass phrase to do it), and now you have a key that can be carried with you at all times, and can't be snooped even if a malicious individual checksums every single file on your PC. Just make sure that that key doesn't fall into the wrong hands.

I hope this tutorial has been of use to you, and that your passwords are safer because of it.

- David Kibrick

Think this technique has some vulnerabilities or aspects that should be addressed? Email me and I'll look into it. Spot any spelling errors? Let me know as well. Think I use too many dashes when I write? Try this address.