May 5, 2011

Introducing AlterEgo – 1.5 Factor Authentication for Web Apps

For those who don’t like videos: AlterEgo provides an easy way for consumer web applications to extend their security just a little bit beyond the standard username/password combo.  Unlike more traditional two-factor authentication solutions, AlterEgo is designed to be simple, easy, and free for both users and applications.  Using AlterEgo, you add an additional layer of security to your accounts by generating simple one-time codes that must be entered before allowing login into an application.

Presuming that you don’t use the same credentials for AlterEgo that you use for your protected account (and ideally access them from different machines), it makes attacks on your account harder – not impossible, just a bit harder.

Why Multi-Factor Auth

Multi factor authentication is a relatively simple way to increase the amount of work an attacker needs to do before they can break into your account.  It accomplishes this by adding a completely independent system that the attacker must also breach before being able to get in.  Because the two systems are separate, with different designs and potential vulnerabilities, it reduces the likelihood that they both will be vulnerable to the same attack.  This is particularly important with the current system of usernames and passwords.  People tend to use the same username and password for all or most of their accounts online, for practical reasons.  A side-effect of this is that any attack on a service that grabs usernames and passwords will allow attackers to break into not only the application that had a security vulnerability, but also any other service that those users have ever used.  Adding an additional layer of authentication before login helps reduce this possibility, and it may be easier than getting all users to start using unique usernames and passwords for each site they visit.

Diversion: typically, two-factor authentication refers solely to two independent methods of authentication: things you know (username/password), things you have (key cards, phones), or things you are (fingerprints, biometrics).  The intended way to use AlterEgo is to access it from a separate smart phone solely, but it does not lock accounts to the phone alone and it does allow username/password logins.  This was enabled for the sake of ubiquity and cost, but opens the argument on whether AlterEgo is "real" two-factor authentication.  In many ways it isn’t, but two-factor authentication is the closest category we could find to what AlterEgo is, so we’ll generally refer to is as 1.5 factor authentication.  As AlterEgo matures, we’ll add more features to make it behave more like a traditional two-factor authentication product, but release early, release often and all that.

Backstory

A few months ago, a major blog network was breached, and about 3 million usernames and passwords were lost.  But this time, the usernames and passwords were published to the Internet in a way that anybody could download them.  This made the attack much worse for the blog network, but it was great for us because it allowed us to run an experiment.  We downloaded those 3 million accounts, then tried to cross reference those accounts with MailChimp accounts.  Once we found a matching username or email address, we cracked the password from the blog network and compared it to the MailChimp account password.  This gave us a very targeted list of users that we could force to reset their password, and it gave us a good idea of how big of a vulnerability these sorts of username/password breaches are for us.

Of the 3 million accounts, about 25,000 of them also matched a username or email address in MailChimp.  That wasn’t too bad, and we calmed down somewhat about the possibility of hundreds of thousands of accounts being hacked.  Then we started cracking and comparing passwords, and our calm dissipated.  Of those 25,000 accounts, about 7,000 of them were using the same password in MailChimp as they used for their blog commenting account.  This was a much larger percentage than we were expecting.  We immediately notified those users and forced them to reset their passwords, but this was just one breach.  Breaches like this occur all the time, and we frequently don’t get to download and compare their accounts.  Do we force all of our users to change their passwords every time we hear of a breach like this?  No, that’s absurd and users would rightly revolt.  But we can’t force all our users to not re-use passwords, either.

Two-factor authentication immediately came to mind as a possible feature that might help with some of these issues, as well as being a decent security feature anyway.  So we started looking for consumer-level two-factor authentication providers that had a free or cheap API we could piggy-back off of.  However, as we investigated the options, it became immediately clear that the two-factor authentication products on the market were very much not designed for consumer-level web apps.  The APIs were written in enterprise-speak.  The app registration process was complex and long.  The cost was too high without significantly reducing how many of our users would be allowed to use it.  It became clear that we required a different balance than what the market seemed to be providing.

AlterEgo provides that different balance.  It’s designed solely for protecting web apps and other online applications, which makes the security of the algorithms somewhat simpler.  Registration is free for both applications and users.  The API is dramatically simple and easy to integrate with.  In every design decision we made, there was a focus on making it easier, simpler, and free for users and apps to be able to use AlterEgo.  In some cases, even at the expense of the security it provides.  If you truly want to protect something sensitive, don’t use AlterEgo; go with VeriSign or RSA (who we use to protect some of our important backend assets).  But if you want to offer something that lets users have just a little bit more peace of mind in your authentication or if you’re a MailChimp user looking for a way to protect your account a bit more than your MailChimp username/password, AlterEgo might be just what you’re looking for.

Create an account at AlterEgo, then you can activate it from the Integrations screen inside MailChimp:

 

and then AlterEgo will ask for permission to allow MailChimp:

 

Neither AlterEgo nor any other multi-factor authentication system can completely protect your account from attack.  AlterEgo itself certainly has vulnerabilities that could be used to help break into your account.  Not to mention phishing attacks or trojans that can get your AlterEgo credentials in much the same way they can get your MailChimp credentials.  Notifying users when security-sensitive actions have been taken and watching traffic for "hacker-ish" patterns are also necessary, and thing’s we’re working on.  AlterEgo is just a way of making attack a little bit harder and a little bit less likely to happen by increasing the number of layers some attackers needs to break through before they can get in.