6 November 2014
At a first glance Twitter’s Digits authentication service seems to be a major step forward to secure authentication in the web. But if you dig deeper you find a vulnerability that could not be accepted.
Classic Webshop Model. Click to enlarge.
In the classic web shop model the customer’s username, password and account details are stored in Shop Customer Database (7). When the customer clicks the checkout button the mobile app prompts for his username and password (2) and sends a request for authentication to the Web Shop Service. The Web Shop Service encrypts or hashes the password and compares (5) it with the password stored in Shop Customer Database (7).
This is the weak point in those systems. User passwords and account details are stored in some tables inside the database. The security depends only on a password stored in encrypted of hashed format in one of this tables.
If an attacker steals the user’s credentials, e.g. by a phishing attack, there is no chance to prevent the attacker from shopping with the stolen credentials. Only with an additional factor for authentication, such as a fingerprint in addition to the password, fraud could be prevented.
Twitters Digits service seems to eliminate this weakness. Passwords are neither stored in the web shop database (7) nor in the Digits Authentication Service (15). Even usernames are no longer required.
Web Shop Model with Authentication Provider. Click to enlarge.
Digits is based on the idea that the user’s phone, more precisely the phone number, uniquely identifies the user. The user inputs his phone number (2) into the app (8). The app sends (10) the phone number to the Digits Authentication Service (15) and receives a One-Time Password (11) if the phone is known to the Digits service. The user inputs the One-Time Password (12) which is used (13) for final authentication. Finally the Digits Authentication Service (15) returns an AuthToken and user details to the app. The AuthToken is used for creating the session with the Web Shop Service (9).
Phishing attacks will become obsolete because persistent passwords are no longer used or stored. If the networks connections between the app (8) and the Digits Authentication Service (15) are secured this is a very secure method for user authentication.
The first factor in the Two Factor Authentication (TFA) process is the users phone number, the second factors the One-Time Password generated by the Digits service. Sounds really good.
Unfortunately this is a very weak form of Two Factor Authentication. Since the phone number is the sole source for authentication a lost or stolen device might end up in a catastrophe. The passwords used to unlock the devices are as weak as the passwords used for user authentication. And even biometric methods, e.g. with fingerprints, for unlocking are not 100% secure ….
But the worst is yet to come: For the management of risks the TEAM approach is frequently used. TEAM is an acronym for Transfer, Eliminate, Accept or Mitigate the risk.
With Twitters Digits service the entire risk is transferred to the customer!
Fortunately it’s easy to convert this weak TFA into a nearly unbreakable TFA. Just add a four to six digits PIN (Personal Identification Number) to the One-Time Password.
Web Shop with Authentication Provider and PIN. Click to enlarge.
But customers are not very enthusiastic of PINs because they are hard to remind. The authentication service provider is not enthusiastic of PIN management because of the increased effort. It’s always a balancing act between comfort and security!
In my opinion Twitter is well advised to enhance the Digits service by a PIN. This will create a real gain in security for the customers and a competitive advantage for Twitter.
Never use the same PIN twice!