Authy OneTouch: Simply Strong Security

March 22, 2016
Written by
Authy
Twilion

Scrabble tiles spelling Simply Strong Security on a brown leather-like background.

Authy OneTouch: Simply Strong Security

It’s great to see the reactions of people when we show them Authy OneTouch. The speed and simplicity of Authy OneTouch are perfect for those times where using tokens are too much to ask of users, such as transaction approvals or settings changes, or even manager or parent approvals. People are wowed at how quick and easy to use it is compared to other forms of two-factor authentication. And we like to wow people.

Many people think that in order have convenience, you have to give up security, or vice versa. Authy OneTouch is not only easy to use, it’s also more secure!

How is that possible?

First, to be clear, SMS and soft token security technologies are SIGNIFICANTLY more secure than using just username and password. Even a long complex password is no longer safe, as shown by the recent compromises at LastPass, ICANN & AshleyMadison.com. Without additional controls like SMS and soft token, once a hacker steals the password hash tables, those stolen usernames and passwords can be used by anybody, anywhere in the world, which limits (if not eliminates) any level of assurance.

 

Text message showing Humble Bundle verification code on a smartphone.

SMS

SMS token delivery as a second factor was a huge improvement over passwords alone, raising the level of assurance. This method does a good job of confirming that whoever is using the username/password combo is also in possession of the phone number, which is the second factor, and it works without installing anything on the phone. SMS delivery has also become more reliable over the years, but is far from assured, which can impact usability.  

But SMS has some weaknesses, including the frighteningly common incidences of hackers convincing a phone company to transfer a phone number, SIM card cloning, SMS network compromises exposing clear-text tokens, and (even more frighteningly common) capturing both factors through a phishing website.

Soft Token

Soft tokens improve upon SMS both in usability and security, raising the level of assurance once again. The tokens are generated on the device, so a user’s phone does not need to have connectivity to be able to get a second factor, using a key/seed that is shared by both the device and the service validating the code.

One potential weakness when using soft token is in how the initial key is distributed.  Different vendors use different methods to distribute these keys. For example, the Google Authenticator method displays a QR Code on a website, which the user scans with their 2FA app on their phone. Inside this QR Code is the symmetric key. The issue at hand is that this QR Code can then be scanned multiple times with no knowledge of how many devices it is on or where those devices are located. Or, the QR Codes might be cached on a workstation and reused, or otherwise intercepted, and the original user might never know.  The only way to change the symmetric key is by re-enrolling the second factor, which can sometimes be complicated when devices are lost or stolen. Most sites that use Google Authenticator also provide a set of recovery codes – which is a nice way of saying the are just passwords that never expire, ultimately reducing the solution down to a single factor. Users often store these codes in unsafe places, like on a post-it note on your laptop or desk, or just plain lose track of them.

How Soft Tokens Work With Authy

Authy has implemented soft tokens using a few different technologies than the Google implementation. First, a phone number is needed to register the device, which adds an initial level of assurance. Next, the device generates a 2048-bit RSA key pair, with the private key stored securely only on the device, and the public key shared with Authy. The soft token symmetric key is generated securely on Authy’s servers, and then delivered encrypted via SSL to the device, which decrypts the symmetric key via the device private key.

Authy supports multiple devices (Google Authenticator does not), and each device has its own private key AND its own symmetric key (per application). One huge benefit of the Authy SoftToken architecture is our ability to change all symmetric keys for every user, invisible to the user, if the Authy symmetric key database is ever compromised, even potentially. New keys can be delivered in the same way they are initially distributed, using the secure RSA key pair, which cannot be compromised by a hypothetical breach of Authy’s servers.

Smartphone screen showing Coinbase app with token code 3485764 and various linked services.

Hard Tokens

It’s important to note that in terms of both security and usability hard tokens (like RSA or Vasco) fall somewhere between SMS and soft tokens. hard tokens need to be replaced periodically, and may need to be replaced if the seed database is ever compromised, or if the token serial number mapping is compromised. You might recall that this happened to RSA’s tokens not too long ago: they had to replace nearly 30% of their active Hard Tokens over the course of 6-9 months, costing them over $66 million and a ton of public trust. Additionally, hard tokens frequently are lost, misplaced, or left behind when they leave home for the day. (At least when a user forgets their phone, they probably know it right away and head back for it!) Finally, hard tokens are generally only good for one application, or one vendor’s applications. Carrying dozens of hard tokens to protect dozens of different applications in our new cloud-centric world is just not practical.

Authy OneTouch

Bank alert screen showing attempted login from someone using username jdoe on December 26, 2015, at 14

At last, we get to Authy OneTouch! Prior to the convenience of today’s smartphones, generating a 2048-bit RSA key pair on a device in your pocket was just not practical… or even possible. But this key pair is at the heart of Authy OneTouch security. So, just how does it work?

On the surface, a user receives a push notification after accessing a protected function (login, purchase, etc), which launches the Authy application (or the vendor application with the Authy SDK) and displays transaction details. The user then presses either Approve or Deny, automatically informing the application to take the appropriate action.

Under the hood, the application calls Authy when it wants 2FA assurance. Using Apple or Google, Authy sends a push notification to the user’s device, which improves the user’s experience by leading the user to the mobile app.  This push notification does NOT contain the transaction details. When the mobile app is launched, through a secured independent channel from the vendor application, the app and Authy server mutually authenticate by verifying each other’s RSA key digital signatures, and only then is the app allowed to retrieve the transaction via SSL and display it to the user.  

When the user presses Approve or Deny, the entire transaction (including all details) is digitally signed by the device, which proves the specific device used and ensures that the transaction details cannot be subsequently altered.  The signed transaction is then sent back to the vendor, and the callback can be verified by checking the Authy HMAC signature.  There is no opportunity for compromising the solution via phishing, man-in-the-middle, or privileged infrastructure access. All of this happens almost instantaneously, and the user just presses approve and watches as the application proceeds automatically, with no codes to enter, and no additional application interaction. The user is pleased, and so is your security officer!

So…Authy OneTouch is significantly more secure than SMS, soft tokens, and hard tokens, which are (as shown above) much more secure than username and password alone.

Developers can start a free trial using Authy two-factor authentication.

Users can download the Authy app that makes sense for them: desktop, laptop, mobile, IOS, Android…

Enjoy Authy!