In Britain – and many other countries – the police can legally force you to divulge your passwords. Whether it’s to an encrypted file, a social network, or your email account, the state can legally rifle through your most intimate thoughts and (potentially) pose as you online.
As we’ve recently seen, this can be done under the threat of prison – even if you’ve not been charged with any crime:
“They got me to tell them the passwords for my computer and mobile phone,” Miranda said. “They said I was obliged to answer all their questions and used the words ‘prison’ and ‘station’ all the time.”
David Miranda in The Guardian
The BBC also say he was forced to give up his passwords to his Social Network accounts, however in the interview he says they were able to access his accounts once they had access to his machine – not that he specifically said his Skype password was “0n3d1r3ct10n”.
How can a normal, innocent citizen protect themselves from such an invasion of privacy? It’s the same question we should be asking whether our laptop has been stolen by criminals.
One of the hot topics at the moment is “Two Factor Authentication” (2FA). Simply put, after entering a correct password, the service texts you a one-time code to verify that you are who you claim to be. In the case of Facebook, every time I log on to a new computer, or a new phone, I get an SMS like so:
For those people who don’t or can’t receive SMS, there are 2FA apps like Google Authenticator. These continually generate new codes. Each time you want to log in to the service, it generates a new secure code for you.
If someone has your laptop – or even just your password – they still won’t be able to access your account. But, of course, if they have your phone as well – 2FA provides no additional security whatsoever.
How To Solve This Conundrum
Classic multi-authentication security is based around the idea of:
- Something you know (e.g. a password).
- Something you have (e.g. a smart card)
- Something you are (e.g. a fingerprint)
Firstly, we have to consider how likely it is that an attacker could have more than one of the above. If your laptop or phone is merely stolen, it’s unlikely that the attacker would be able to get past your password screen. Assuming you bothered to lock your laptop, didn’t write down your password, and your phone isn’t easily hackable.
In the case of The State compelling you, your options are limited. Setting all of your services to log-out automatically when you close your browser, or making sure they ask for a password on start-up is possible. It presents you with a daily annoyance – but it prevents the sort of broad fishing expedition which happened to David Miranda. From his interview with the BBC, it seems he “only” gave the police his laptop’s password – because Skype was set to auto-login, they were able to access that with ease.
If all your services force confirmation of a password, it forces an attacker to get you to divulge every single password for every service you use. That’s certainly possible, but it’s time consuming and error-prone.
Perhaps we need to change the way we think of multi-authentication security.
Something someone else can verify
Suppose, for example, that Miranda had 2FA set up on Facebook. Only, rather than sending an SMS to his phone, it sent it to his partner’s phone. Every time he wanted to log in to Facebook, he would have to ring his partner and ask for the one-time code.
It’s reasonably safe to read the code out over an unencrypted telephone line. Anyone listening in would hear the code, but be unable to make use of it – unless they already had access to the password.
Suppose that Miranda’s partner knows that Miranda is being forced to reveal his passwords against his will. The partner can refuse to give out the one-time code. He is not legally compelled to reveal it.
If Miranda is being threatened or tortured – would his partner capitulate?
Of course, this also relies on the trustworthiness of the 2nd party. It’s bad security practice to share passwords – but sharing a token… well… Neither party has full access to the account. If the person with the token is uncontactable, it’s impossible to get in to your account – but is that a worse inconvenience than having your account accessible by all and sundry?
Either way, the lesson here is clear. Two-Factor Authentication won’t provide any meaningful security if the attacker has both your laptop and your mobile.
If you don’t want to be compelled to reveal your passwords, you need to