Obama says passwords aren’t strong enough, urges use of 2FA

library
crime | hacking | security

President Obama says that we’re right: passwords aren’t enough.

We need two-factor authentication (2FA) to protect ourselves online, he said on Tuesday in an editorial in the Wall Street Journal.

Granted, he didn’t mention Naked Security per se, but he did announce a slate of federal initiatives to improve the nation’s information security.

That includes a new national awareness campaign to get Americans to do what security people keep urging them to do: use 2FA whenever possible.

From his editorial:

[W]e’re doing more to help empower Americans to protect themselves online. In partnership with industry, we’re launching a new national awareness campaign to raise awareness of cyberthreats and encourage more Americans to move beyond passwords – adding an extra layer of security like a fingerprint or codes sent to your cellphone.

The op-ed coincided with the release of a broad cybersecurity plan that proposes boosting federal cybersecurity spending by more than a third, to over $19 billion.

The White House is so intent on improving the country’s security that it’s going to woo Silicon Valley types, the president said – relaxed business attire and all:

[W]e’re stepping up our efforts to build a corps of cyber professionals across government to push best practices at every level. We’ll do more – including offering scholarships and forgiving student loans – to recruit the best talent from Silicon Valley and across the private sector. We’ll even let them wear jeans to the office.

The president also issued an executive order to create a new Federal Privacy Council: an interagency forum to improve the privacy practices of government agencies and entities acting on their behalf.

They sure do seem to need it.

The same day that the president’s editorial ran, news broke about a PIN-stealing attack on the e-filing app on IRS.gov, the site of the Internal Revenue Service (IRS).

The attack, carried out last month by an automated bot, affected 101,000 taxpayers.

As Naked Security’s Paul Ducklin noted, the attack was ironic in that it involved a sort-of, not-really form of 2FA.

The e-filing PIN is a type of second authentication factor needed for 2FA.

You need the PIN, along with other personal data, when submitting online tax returns.

But that’s not exactly how 2FA’s supposed to work, in that you shouldn’t be able to request one of your factors by using the other factor.

The way 2FA should work is that you need to prove yourself in two different ways before you can log in or use a service.

For example, in order to withdraw money from an ATM, just inserting your card (your first factor) isn’t enough. You also need to enter a second factor – your PIN.

The IRS actually offers a special, stronger form of 2FA, known as the IP Identity Protection PIN (IP PIN).

But for whatever reason, the IRS doesn’t hand out an IP PIN to just anybody.

Rather, it’s only available to taxpayers who’ve already suffered some kind of identity breach.

Other things in the president’s plan:

A proposed $3 billion fund to overhaul dusty old federal computer systems. As it is, government IT is “like an Atari game in an Xbox world,” President Obama said. “The Social Security Administration uses systems and code from the 1960s. No successful business could operate this way.”
Creation of a new federal infosec position. The title will be Chief Information Security Officer.
A new cybersecurity Center of Excellence. It will “bring together industry and government experts to research and develop new cutting-edge cyber technologies,” Obama said.
A national testing lab. Companies will be able to test their systems’ security under simulated attacks.
Training for small businesses. The training, offered by the Small Business Administration, will be available to over 1.4 million small businesses and their workers, the president said.

We’re cheered by the president’s backing of 2FA.

It’s an acknowledgement that passwords are often the weakest link in authenticating that users are who they say they are.

As the yearly lists of the top bad passwords show, many don’t use passwords that are complex enough.

Others reuse passwords, setting themselves up for account break-ins when online crooks acquire logins from breaches or third-party sites, such as happened last month to Fitbit.

Even complex passwords can be susceptible to brute-force attack: we saw that when researchers recently managed to pry 18,000 Bitcoiners’ passwords out of their wallets, running the attack off a mere $55 worth of Amazon Server.

2FA can help.

Hopefully, so too can blue jeans-clad Silicon Valley types: the kind of people who can do things like convince the IRS to proactively hand out strong 2FA – like the IP PINs – to all who ask, not just to those who’ve already suffered identity theft and/or tax fraud.