Two-Factor Authentication and the Police State
In Britain - and many other countries - the police can legally force you to divulge your passwords. Whether it's to an encrypted file, a social network, or your email account, the state can legally rifle through your most intimate thoughts and (potentially) pose as you online.
As we've recently seen, this can be done under the threat of prison - even if you've not been charged with any crime:
"They got me to tell them the passwords for my computer and mobile phone," Miranda said. "They said I was obliged to answer all their questions and used the words 'prison' and 'station' all the time." David Miranda in The Guardian
The BBC also say he was forced to give up the passwords to his social network accounts. However, in the interview he says they were able to access his accounts once they had access to his machine - not that he specifically told them his Skype password was "0n3d1r3ct10n".
How can a normal, innocent citizen protect themselves from such an invasion of privacy? It's the same question we should be asking if our laptop is stolen by criminals.
One of the hot topics at the moment is "Two Factor Authentication" (2FA). Simply put, after entering a correct password, the service texts you a one-time code to verify that you are who you claim to be - so a password alone is no longer enough to log in. In the case of Facebook, every time I log on to a new computer, or a new phone, I get an SMS like so:
For those people who don't or can't receive SMS, there are 2FA apps like Google Authenticator. These hold a secret which is shared with the service when you set them up, and derive a fresh code from it (typically every 30 seconds), so they need no network connection. Each time you want to log in to the service, you type in whichever code is current.
If someone has your laptop - or even just your password - they still can't get into your account without the current code. But, of course, if they have your phone as well, 2FA provides no additional security whatsoever.
How To Solve This Conundrum
Classic multi-factor authentication is based around combining:
- Something you know (e.g. a password).
- Something you have (e.g. a smart card).
- Something you are (e.g. a fingerprint).
Firstly, we have to consider how likely it is that an attacker could have more than one of the above. If your laptop or phone is merely stolen, it's unlikely that the attacker would get past your lock screen - assuming you bothered to lock your laptop, didn't write down your password, and your phone's lock screen can't be trivially bypassed.
In the case of The State compelling you, your options are limited. Setting all of your services to log out automatically when you close your browser, and making sure desktop applications ask for a password on start-up, is possible. It's a daily annoyance, but it prevents the sort of broad fishing expedition which happened to David Miranda. From his interview with the BBC, it seems he "only" gave the police his laptop's password - but because Skype was set to auto-login, they were able to access that with ease. An application that logs in by itself has stored your credentials, or a session token, on the disk, so whoever holds the unlocked machine holds the account.
If all your services force confirmation of a password, an attacker has to get you to divulge every single password for every service you use. That's certainly possible, but it's time consuming and error-prone. It only helps, of course, if each service has a different password; a reused password gives them everything at once.
Perhaps we need to change the way we think of multi-authentication security.
Something someone else can verify
Suppose, for example, that Miranda had 2FA set up on Facebook. Only, rather than sending an SMS to his phone, it sent it to his partner's phone. Every time he wanted to log in to Facebook, he would have to ring his partner and ask for the one-time code.
It's reasonably safe to read the code out over an unencrypted telephone line. Anyone listening in would hear the code, but be unable to make use of it - unless they already had access to the password, and even then only until the code expires or is used.
Suppose that Miranda's partner knows that Miranda is being forced to reveal his passwords against his will. The partner can refuse to give out the one-time code. He is not legally compelled to reveal it.
Of course, this could lead to a variation of this security issue:
If Miranda is being threatened or tortured - would his partner capitulate?
Of course, this also relies on the trustworthiness of the second party. It's bad security practice to share passwords - but sharing a token is different: neither party has full access to the account on their own. If the person with the token is uncontactable, it's impossible to get into your account - but is that a worse inconvenience than having your account accessible by all and sundry? (The account's recovery options need the same treatment, otherwise a password reset sent to your own email or phone bypasses the whole arrangement.)
Either way, the lesson here is clear. Two-Factor Authentication won't provide any meaningful security if the attacker has both your laptop and your mobile.
If you don't want to be compelled to reveal your passwords, you need to ensure that you do not know your own passwords. That presents a different set of challenges, but as we now live in interesting times, distributing receipt of your one-time codes to trusted allies may be a step worth considering.
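To make the mechanics concrete, here is an added example (not code from the original post, nor from Facebook or Google): a from-scratch RFC 4226/RFC 6238 HOTP/TOTP implementation in Python, followed by a toy service that models the "something someone else can verify" arrangement described above. The user knows the password, an ally's authenticator holds the seed, and the service accepts a login only when both are presented, with a one-step clock window and a replay check so that an overheard code cannot be reused. The class names, the demo password and the scenario are assumptions; the seed in the demo is the RFC 6238 test seed, so the codes can be checked against the RFC's published vectors.

```python
"""Two-party second factor: the password holder and the code holder differ.

Added example, not from the original post. Implements RFC 4226 HOTP and
RFC 6238 TOTP using only the standard library, then models the post's
proposal: the user knows the password, an ally holds the authenticator
seed, and the service needs both. Service/Authenticator are hypothetical.
"""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional

# Test secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
RFC_TEST_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the current 30-second time step."""
    return hotp(secret, unix_time // step, digits)


class Authenticator:
    """The ally's authenticator app: holds the seed and hands out codes on request."""

    def __init__(self, seed: bytes):
        self._seed = seed

    def code(self, now: int) -> str:
        return totp(self._seed, now)


class Service:
    """Stores a salted password hash and the TOTP seed; requires both factors to log in."""

    def __init__(self, password: str, seed: bytes):
        self._salt = os.urandom(16)
        self._pw_hash = self._hash(password, self._salt)
        self._seed = seed
        self._used = set()  # (time step, code) pairs already accepted; prune in real life

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def login(self, password: str, code: str, now: int, window: int = 1) -> bool:
        # Both factors are required: the password alone fails, and so does a
        # code alone. compare_digest keeps the comparisons constant-time.
        if not hmac.compare_digest(self._pw_hash, self._hash(password, self._salt)):
            return False
        step = now // 30
        # Accept the neighbouring steps too, to tolerate clock drift.
        for candidate in range(step - window, step + window + 1):
            if hmac.compare_digest(hotp(self._seed, candidate), code):
                if (candidate, code) in self._used:
                    return False  # replay of a code someone overheard
                self._used.add((candidate, code))
                return True
        return False


def demo(now: int, seed: Optional[bytes] = None) -> Dict[str, bool]:
    """Walk through the post's scenarios; returns each outcome for inspection."""
    seed = os.urandom(20) if seed is None else seed  # provisioned once, given only to the ally
    password = "correct horse battery staple"        # assumed demo password
    service = Service(password, seed)
    ally = Authenticator(seed)
    code = ally.code(now)  # the ally reads this out over the phone
    return {
        "password_only": service.login(password, "", now),   # user without the ally
        "code_only": service.login("guess", code, now),      # eavesdropper with the code
        "both": service.login(password, code, now),          # user plus ally
        "replay": service.login(password, code, now + 5),    # same code, second use
    }


if __name__ == "__main__":
    import time
    for scenario, ok in demo(int(time.time())).items():
        print(f"{scenario:14s} -> {'accepted' if ok else 'rejected'}")
```

The service-side check is the same whether the second factor is an app or an SMS: for SMS the service generates the code itself and texts it to the registered number (the ally's, in the arrangement above), then verifies it exactly as `login` does. Note that `hotp` is the whole of what an authenticator app computes; everything that makes the scheme work against compulsion is about who holds the seed, not about the arithmetic.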
artesea says:
I'm sure I read that Facebook were doing something similar for forgotten passwords. You hit the button, it then contacts three (pre-defined) friends and asks them to contact you in person to provide you with the unlock keys. No idea where I saw that though.
Terence Eden says:
There's "Trusted Friends" - is that what you were thinking of?
Documentally says:
I'd want my friend to deliver a slightly off-code that triggers a breach alarm starting a 9 hour lockdown. I hear you can't be held longer than 9 hours before charges need to be brought.
Terence Eden says:
The idea of distress codes isn't new - although they're rarely implemented well. A lock-out code would be useful - although if it's truly a serious matter, I'd expect "them" to go directly to Facebook and ask for access.
Imzey Benichou says:
I have 2FA enabled, but not using SMS - using OATH Toolkit. The keys are stored in a TrueCrypt file system protected by a password locally. I think your article missed one big point: what if Facebook/Gmail/... gave those things up without even asking the person?
Terence Eden says:
You make a good point about a Service Provider being compelled to provide access. In such cases, one would hope that a warrant would be applied for - which is a little more difficult than just intimidating someone into giving up their passwords.
Guan Yang says:
How about the service provider having a feature that lets you lock yourself out for predefined periods during which you know when you will be vulnerable, for example when crossing borders? “Don’t let anyone log in for the next 24 hours, and after that only from my destination.”
Imzey Benichou says:
That depends how much torture you can handle in those 24 hours.
Kevin Lyda (@lyda) says:
Instead of distress codes, why not a second set of accounts? There's the set of accounts you use publicly and then there's the set you do private things with you don't want the State to know about.
You could set that up with a VM on a TrueCrypt disk (with the hidden partition) and then you'd likely be fine. Heck, set it up with a plain disk and mix it in with a bunch of development VMs that you might use for testing or releasing code. I know that's dev or ops specific, but for those of us who are that, there's definite scope to present them with so many targets they'll get bored/overwhelmed looking.
Sandy says:
I like the idea of second accounts... in fact I have "second" Facebook and Gmail accounts. One is really me, the second set is what I use to sign-up for stuff I'm not sure I really want, spammy sites, etc.
If I were to be detained, I could just give them access to my second set of Fb and Gm accounts and be on my way.
Besides, if I were doing anything that I don't want to be linked to, why the heck would I use an email account easily traced back to me? You could easily establish some sort of algorithm of changing email addresses and use a service like Mailinator. So today I would check aug212013myname@mailinator.com, tomorrow aug222013myname@mailinator.com, etc. Could even be a random number generator such as Google Authenticator.
Terence Eden says:
Except that it's fairly obvious what your email address is - especially if you publicise it. It's also fairly easy to see which Facebook accounts your friends follow. Giving false information is (probably) a lot worse than not being able to give any information.
saho1989Sam says:
I think it's worth quoting from the Regulation of Investigatory Powers Act 2000 here, from section 50: Effect of notice imposing disclosure requirement.
On the matter of having 2FA:
(1) Subject to the following provisions of this section, the effect of a section 49 notice imposing a disclosure requirement in respect of any protected information on a person who is in possession at a relevant time of both the protected information and a means of obtaining access to the information and of disclosing it in an intelligible form is that he—
(a) shall be entitled to use any key in his possession to obtain access to the information or to put it into an intelligible form; and
(b) shall be required, in accordance with the notice imposing the requirement, to make a disclosure of the information in an intelligible form.
Looks like if you have a 2FA key and it's on your person, that's fair game too - give it up or face the consequences.
On the matter of giving someone else your 2fa key, the law is a bit more unclear:
(3) Where, in a case in which a disclosure requirement in respect of any protected information is imposed on any person by a section 49 notice—
(a) that person is not in possession of the information,
(b) that person is incapable, without the use of a key that is not in his possession, of obtaining access to the information and of disclosing it in an intelligible form, or
(c) the notice states, in pursuance of a direction under section 51, that it can be complied with only by the disclosure of a key to the information,
the effect of imposing that disclosure requirement on that person is that he shall be required, in accordance with the notice imposing the requirement, to make a disclosure of any key to the protected information that is in his possession at a relevant time. (emphasis mine)
This depends on what at a relevant time is actually defined as (something I can't find - anyone care to help?). Seems like it might buy you time, but nothing else. If they really want access, they'll get it.
John Miller says:
I don't cross international borders much (I'm an American after all), but given the increasing frequency of this kind of thing I wonder what the response by a police state would be to the following:
I encrypt my drive and place the key on an SD card (or something similar). I securely transmit a copy of the key to my lawyer. Before entering customs, I remove and destroy the SD card (perhaps handing the broken pieces to the stewardess in a handful of garbage if I am concerned about my ability to truly destroy the data.)
When asked by the government thugs for my key I explain that the only copy still in existence is with my lawyer and I will need to contact him/her in order to decrypt the drive.
Assuming I make it through customs without incident, my lawyer can send the key to me.
Ben Smith said on social.lol:
@Edent that’s how the online passport countersigning works. Email to a trusted person who vouches for you and provides info to verify themselves and evidence they know you.
Jeff Sikes said on mastodon.social:
@Edent I see Facebook Trusted Friends mentioned in your blog comments, It was discontinued last year. I found it useful with my elderly parents.
Wonder why it was shelved? Not seeing any info about that specifically. It was an overly complicated version of your idea.
Reading through how it works, I’m betting the required customer support for it most likely outweighed how often it was used.
How to Set up and Use Facebook Trusted Contacts