Unfortunately 2FA security still goes over most people's heads
Two-factor authentication (2FA) should be the cornerstone of today’s online security and yet the vast majority of users continue to rely on old-fashioned usernames and passwords despite ample evidence that this is now wide open to attack. In anticipation of the day the technology catches on, the UK Government some time ago decided to add 2FA to its flagship GOV.UK Verify service, a new and more secure way for citizens to access services such as tax self-assessment, passport applications and driving licence renewal.
It’s early days for GOV.UK Verify but there is no doubt that it offers a glimpse of a future in which all citizens will need to authenticate themselves for a range of online services in a more careful way.
The range of technologies offered by GOV.UK Verify to perform 2FA matters because some are easier to use but slightly less secure while others are more secure but add cost and a greater initial complexity. This week GOV.UK Verify provider Digidentity added a new option to the several that are already on offer in the form of a FIDO Alliance U2F (Universal Second Factor) security token called the YubiKey.
The significance of U2F's arrival is that it is a technology based on a physical device, an idea that has proved very successful in the world of business security. The design of U2F also greatly enhances the level of security available compared with authentication that depends on alternatives such as generating a code on a smartphone app or sending an SMS.
GOV.UK Verify close up
Launched in 2011, GOV.UK is an important initiative even if the number of users remains small for a service that seems stuck in a state of perpetual beta testing. Its noble purpose is, as already noted, to verify the identity of any citizen accessing important government online services to secure these from identity fraud.
Currently, UK citizens log on to these services using a traditional ID and password authenticated using nothing more secure than a name, home address, reference or National Insurance number, and email address. Determined criminals can steal all of these, which is why GOV.UK Verify uses any one of a dozen or so approved providers (The Post Office, Citizen Safe, Experian, Barclays, Digidentity, etc) to check that someone is who they say they are during a 20-minute sign-up process.
The user creates a profile with the chosen provider, scanning their passport and driving license into the company’s system using an Android/iOS smartphone app. On Digidentity, the system also takes a selfie of the user, including asking them to move their head to prove they are a real person and not a photograph.
From this moment on, every time the user logs into a government service such as tax self-assessment, they will be asked to verify themselves through their identity provider using their chosen form of two-factor authentication. Currently, using this authentication remains optional even for those who register.
Where do FIDO U2F security keys fit in? A number of two-factor authentication (2FA) options are offered, mainly based on smartphones. From this week, a new option has been added in the form of the U2F security key, a small USB token, each one of which is digitally unique. These can be bought from several makers, although Yubico’s YubiKey is the most prominent.
The user plugs the key into their PC to authenticate during logon, with a different one-time password (OTP) encrypted and automatically sent to the remote server each time. For a criminal to bypass this security would mean having physical access to that specific key as well as the user’s user ID and password.
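To make the key's role concrete, here is an added example (not the article's, nor Yubico's or Digidentity's code) that models a U2F registration and login in Go using only the standard library. U2F's second factor is a signed challenge rather than a shared code: the token signs SHA-256(appID) || user-presence flag || counter || SHA-256(clientData) with a private key that never leaves the device, and the relying party verifies the signature against its own origin and rejects any counter that fails to advance, which is how a replayed or cloned key is spotted. The origin strings and clientData JSON are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Token models the secret side of one U2F registration: a P-256 key pair kept on the device and a counter that only increases.
type Token struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

// Register mints the key pair; the relying party stores only the public key. (GenerateKey error ignored for brevity.)
func Register() (*Token, *ecdsa.PublicKey) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Token{priv: priv}, &priv.PublicKey
}

// signedMessage is the U2F authentication input SHA-256(appID) || flag || counter || SHA-256(clientData), pre-hashed for ECDSA-SHA256.
func signedMessage(appID string, counter uint32, clientData []byte) []byte {
	appHash, cdHash := sha256.Sum256([]byte(appID)), sha256.Sum256(clientData)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	msg := append(append(appHash[:], 0x01), ctr[:]...) // 0x01: user-presence bit, the physical touch
	sum := sha256.Sum256(append(msg, cdHash[:]...))
	return sum[:]
}

// Sign answers a challenge; the browser supplies appID from the page origin, so a look-alike site yields a signature over the wrong hash.
func (t *Token) Sign(appID string, clientData []byte) (uint32, []byte, error) {
	t.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, t.priv, signedMessage(appID, t.counter, clientData))
	return t.counter, sig, err
}

// Verify is the relying party's check: valid signature over its own app ID, and a counter strictly above the last one stored.
func Verify(pub *ecdsa.PublicKey, appID string, last, ctr uint32, clientData, sig []byte) error {
	if ctr <= last {
		return errors.New("counter did not advance: replay or cloned token")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(appID, ctr, clientData), sig) {
		return errors.New("bad signature: wrong key or wrong origin")
	}
	return nil
}
```

A relying party that persists the last counter per registration gets cloned-key detection for free; one that skips that check only verifies the signature.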
What is U2F based on? U2F is based on the FIDO Alliance’s ‘U2F’ (Universal Second Factor) protocol. Computerworld and Techworld have covered the leading YubiKey U2F key extensively in the last year and we’ve been impressed that the key can be used to secure a range of other services such as Google, WordPress, Salesforce and the LastPass password manager.
Downsides? Apart from the cost – £12.99 on Amazon for the YubiKey – and the fact that it only works with Google’s Chrome browser 38 or later, not many. It is necessary to have the U2F key to hand, which could prove an issue if people mislay them between uses.
Will GOV.UK Verify boost takeup of 2FA? In the long run, yes, but the current beta status of GOV.UK Verify suggests this is still some way off. It also depends how many people are put off by the cost and modest complexity of having to use a token to log into an online service. More likely, people will opt for the easier-to-understand option of receiving an SMS code or generating one via a smartphone app.
Two-factor authentication: A larger issue is whether the average user grasps the issue of authentication in the first place. Two-factor authentication via SMS and app is already available for major services such as Google, Twitter, Microsoft, Facebook and PayPal and yet the firms are coy about how many use it. We’d guess the answer is not many. With hackers running amok, apathy still reigns.
UK Government boosts GOV.UK Verify security - What next?
It sounds experimental but a lot is at stake here. The Government needs UK citizens to start using online services that are nevertheless secured to higher standards than were seen as necessary in the past. Meanwhile, the industry of security service providers has spied a potential market for its products and services but must overcome widespread complacency and ignorance about security.