Implementing multi-factor authentication (MFA) is increasingly common and in many sectors has become a de facto or actual standard as part of logins to web applications (check out https://twofactorauth.org). MFA, sometimes referred to as two-factor authentication (or TFA) when only two factors are used, is a critical method of reducing the risk of account compromise. Dwolla has rolled out some new updates that provide additional protection for our clients using MFA. This blog will explain those enhancements, what MFA really is and why MFA is so important.
What Dwolla is Doing with Multi-Factor Authentication
Over the past year, Dwolla has established a standard requiring our clients to use MFA for logins to accounts that can access sensitive information or initiate the movement of money (unless the client has adopted a higher password complexity standard). This has been done in response to evolving industry trends and risk data, but also directly as a result of threats Dwolla and our clients have experienced firsthand.
When you have a platform that moves over a billion dollars a month, you are a target.
For those reasons, we maintain this baseline for clients and will continue to adapt to changes in risk factors and available technologies. But it wouldn’t be fair to hold our clients to a standard we don’t uphold ourselves.
Dwolla has rolled out mandatory MFA for all logins to https://accounts.dwolla.com. If you have never set up an MFA device or app, no problem! Upon login, we will send a one-time use code to the email stored on the account profile and provide the option to remember that browser and device combo for 30 days. If an account user is unable to receive that code for any reason, please reach out to your Dwolla Account Manager and let them know.
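The emailed-code flow described above has a few properties a defender wants from any one-time code: the code is stored only as a keyed hash, it expires, it is single use, guesses are limited, and the "remember this browser" token is a random value whose hash (not the value) is kept server-side. The following is an added illustration of that flow in Python; it is not Dwolla's code. The 10-minute code lifetime, the five-attempt limit, the in-memory dictionaries and the server key are assumptions for the example; the 30-day remembered-device period is the one the post states.

```python
"""Email one-time-code flow with a 30-day remembered device.

Added illustration (not Dwolla's implementation). The stores are in-memory
dicts; a real deployment would keep the same fields in a database or cache.
"""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 10 * 60              # assumption: a code is valid for 10 minutes
MAX_ATTEMPTS = 5                        # assumption: discard the code after 5 wrong guesses
REMEMBER_TTL_SECONDS = 30 * 24 * 3600   # "remember this browser" for 30 days, as in the post

# Server-side key used to hash codes and tokens at rest (constructed for the example).
SERVER_KEY = b"example-server-key-rotate-me"

_pending_codes = {}     # account_id -> {"hash", "expires", "attempts"}
_trusted_devices = {}   # hash(token) -> {"account_id", "expires"}


def _hash(value: str) -> str:
    # Keyed hash: a leaked table of hashes cannot be turned back into usable codes/tokens.
    return hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()


def issue_email_code(account_id: str, now=None) -> str:
    """Generate a 6-digit code, store only its keyed hash, and return the code to be emailed."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"   # uniform over 000000-999999, from the CSPRNG
    _pending_codes[account_id] = {
        "hash": _hash(code),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return code   # the caller emails this; it is never logged or stored in clear


def verify_email_code(account_id: str, submitted: str, now=None) -> bool:
    """Single-use, time-limited, attempt-limited check of the emailed code."""
    now = time.time() if now is None else now
    entry = _pending_codes.get(account_id)
    if entry is None or now > entry["expires"]:
        _pending_codes.pop(account_id, None)       # expired: the user must request a new code
        return False
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        _pending_codes.pop(account_id, None)       # too many guesses: force a fresh code
        return False
    if not hmac.compare_digest(entry["hash"], _hash(submitted)):
        return False
    _pending_codes.pop(account_id, None)           # consumed: the same code cannot be replayed
    return True


def remember_device(account_id: str, now=None) -> str:
    """Mint a random device token; the browser keeps it in a cookie, we keep only its hash."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _trusted_devices[_hash(token)] = {"account_id": account_id,
                                      "expires": now + REMEMBER_TTL_SECONDS}
    return token


def is_trusted_device(account_id: str, token: str, now=None) -> bool:
    """True if the presented token belongs to this account and has not expired."""
    now = time.time() if now is None else now
    key = _hash(token)
    entry = _trusted_devices.get(key)
    if entry is None or entry["account_id"] != account_id:
        return False
    if now > entry["expires"]:
        _trusted_devices.pop(key, None)
        return False
    return True


def login_second_step(account_id, submitted_code=None, device_token=None, now=None):
    """Skip the emailed code on a remembered device; otherwise require a valid code."""
    if device_token is not None and is_trusted_device(account_id, device_token, now):
        return True
    return submitted_code is not None and verify_email_code(account_id, submitted_code, now)
```

The `now` parameter exists so the expiry and lockout behaviour can be exercised deterministically; in production it is simply the current time. Note that the device token is only a second-factor bypass, not a session: the password step still runs on every login.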
Additionally, Dwolla has supported soft tokens for multi-factor authentication into the Dwolla Dashboard for some time, and we strongly encourage you to adopt this as a more robust and secure method of authenticating yourself—without the potential delay of an emailed code.
With this strategy we are immediately taking steps to ensure all Dwolla account users have the benefit of this enhanced protection without having to do anything at all, and have the option to take it up a notch further!
What is Multi-Factor Authentication?
Pretty much as long as we’ve had logins to computer systems, we’ve had passwords. And of course passwords of various forms predate IT by probably at least a couple of millennia!
So why rock the boat?
Simply put, passwords have outlived their usefulness, at least when used by themselves. Suffice it to say, these days it’s very hard to come up with a password that will be easy to remember and yet strong enough to not be guessed or brute-forced by an attacker. Yes, password managers (you are using a password manager, right?) are a huge help here, but they aren’t a complete solution. You can’t force your users to leverage a password manager. The longer and more complex you make passwords, the more likely users are to either come up with clever ways to get around your complexity schemes (looking at you “Passwd2020Q2!!”) or punt to the ol’ sticky-on-the-monitor method of password management.
So what’s a security-conscious developer or administrator to do?
When we talk about “authentication” we’re talking about the process of validating that the person our system is interacting with actually is who they say they are. All of our subsequent authorization decisions depend upon that fact.
Passwords are one way to authenticate a user’s identity. They’re an example of a secret that only that individual human is supposed to know. And yet, they get compromised. Why?
- We share our passwords.
- We pick bad passwords.
- We re-use passwords between sites.
- Systems are built that don’t appropriately protect password storage (see Implementing A Secure Way to Store Passwords).
But there are other ways to authenticate identities. Generally, we talk about three categories:
- Something you know – a secret such as a password, passphrase or—inadvisably but commonly—less secret things such as your mother’s maiden name, your social security number, the name of your pet, etc.
- Something you have – a physical token that only you possess. Usually this consists of a device that has secret material embedded in it, whether that’s the notches in your house key, possession of your mobile phone or the cryptographic key in a hardware token.
- Something you are – some attribute of you, as a human, that no one else can reproduce. Your fingerprint, the pattern of veins in your retina, the shape of your outer ear, your specific vocal timbre, your gait, etc. These are often called biometrics, literally “biological measurements.” They have the advantage of being built into humans “by default” (though cannot always be assumed as a matter of accessibility). The disadvantage is they cannot be changed. If someone gets your sequenced DNA, you can’t just add “Q3!!” on the end and keep truckin’.
MFA then relies on a combination of these types of authenticators. For example, a password you know along with a code from an app on your phone. Sometimes these are separated in time, such as an iPhone requiring a PIN to boot, which unlocks storage of biometric data that is then used going forward unless there is a specific risk indicator.
Why is Multi-Factor Authentication important?
By combining factors of multiple types we can say that a user’s password being compromised is not an immediate risk. We’d still like to ensure that doesn’t happen, which is part of why periodic password expiration is still relevant—but it isn’t as critical.
If you steal my password, but my login also requires a physical device that I keep in my pocket, you haven’t gained much ground and my account is still secure. If all users are required to use MFA, we can pretty safely assume the risk of compromise of some user sooner or later has gone from nearly 100 percent to nearly zero.
This is great! But not all MFA methods are created equal. Some are very easy to use, and recent features have made it nearly transparent in some cases (e.g., Apple auto-filling SMS-based codes for you without leaving the app). Others are a bit more cumbersome, requiring you to carry another “thing” around with you or have specialized hardware to read a biometric signature. Thankfully, mobile phone makers have lowered the barriers around both of these things by making biometric sensors with nearly 24/7 connectivity essentially ubiquitous in the modern workplace.
The security of MFA methods can vary, too. For example, SMS tokens (a code sent via text message to a user’s phone) are often used. It’s pretty easy to assume that most users of many applications will have a mobile phone that can receive these. However, there has been a lot of attention given to the ease with which an attacker can intercept these messages.
This is how Twitter CEO Jack Dorsey lost control of his Twitter account in August 2019, and that was far from the first (or last) time this has happened.
Similarly, email-based tokens may be subject to interception by intermediary system administrators, administrative assistants or others with access to shared email inboxes. Email-based tokens can get lodged in clipboards or accidentally be displayed while screen sharing. Still, they are a significant improvement over a lack of MFA entirely (as are SMS tokens, though email is arguably a bit more secure assuming reputable email providers on both ends).
The gold standard of MFA is a hardware token that either injects—via USB or Bluetooth—or displays for the user a code that is entered into the login form. This code might change periodically (time-based one-time passwords, TOTP) or upon each subsequent use (HMAC-based one-time passwords, HOTP). These schemes ensure that the exact physical device would have to be stolen for the account to be compromised. These devices have little to no attack surface of their own and often come as keychains, micro-form factors or other methods to ensure keeping them on-hand at all times is fairly convenient.
In the middle are “soft tokens.” These are the virtual equivalent of a hardware token, and contain similar logic using the same algorithms without requiring another device. They might also allow a system to push an authentication request to the device through a secure channel or even just present a confirmation dialog to the user that will report back to the requesting application and allow the request to proceed.
On modern mobile devices with appropriately applied security controls, these apps are arguably just as secure as a hardware token, though they do require diligence on the part of the device owner. There is some risk that the device itself could be compromised to allow an attacker to grab tokens from the app itself or via screenshots, but the risk has proven to be relatively low for commonly used apps of this sort.
And yet, we’re never done.
Passwords might never go away entirely—at least not anytime soon. MFA has become part of our daily routines and increasingly is assumed in financial contexts such as the one in which Dwolla operates.
MFA drastically reduces the risk of account compromise as a result of compromised login credentials. Along with a mature security program, multi-factor authentication is an essential component of protection.
At Dwolla, we know that we are never done and security is no exception. We’re excited about this evolution to one of the many ways we protect our clients and help them better protect themselves and their end users.