Editing 2522: Two-Factor Security Key

{{comic
| number    = 2522
| date      = September 29, 2021
| title     = Two-Factor Security Key
| image     = two_factor_security_key.png
| titletext = The bruises on my fingertips are my proof of work.
}}

==Explanation==
{{w|Multi-factor authentication|Two factor security authentication}} (also see [[#Trivia]]) is something that [[Ponytail]] has clearly been talking to [[Cueball]] about. In this strip, Cueball is telling her that he has finally buckled down and gotten the two factor security key that she has pestered him to get.

He recites the trials that he endured in "installing" the key, all of which seem plausible configuration issues for setting up a proper two-factor authentication from scratch.  However it is then revealed that all this work was just the task of attaching the 'key' (which looks like it could be a common brand of physical two-factor key fob or dongle) onto his metal keyring.

Metal {{w|keyring}}s are reliably secure as far as keeping a key attached, but this is in part because of how notoriously difficult it is to add a key to or remove a key from them. The rings must be forced apart and ''held'' apart while the key traverses however many layers the ring has (usually two or three, though keyrings with more layers are not unheard of). Cueball confidently asserts (to off-screen Ponytail, who probably was expecting something more practical) that his key is ''not'' coming off, indicating both a (well-founded) faith in the keyring's ability to keep his key, and a desire to not go through the same process in reverse.  Presumably all his effort was in "installing" the key onto the keychain, and he probably hasn't actually set it up for any of his accounts, leaving them just as insecure as they were.

The title text has a similar double meaning.  Cueball would of course use it to the "proof" of his efforts installing the key--though difficult, metal keyrings can be forced apart physically by human hands, at least if the human in question has fingernails sturdy enough to slip between the rings, at which point the insertion of a finger would be enough to keep it apart until the key is inserted. However, keeping the rings apart can be strenuous on the fingers, and can result in bruising, which Cueball is all too familiar with. {{w|Proof of work}} alludes to the cryptographic concept, which ties (sideways, as proof of work is a security term for a concept intended to deter denial of service and similar volume-based attacks but not directly related) back into the two-factor authentication.

Additionally a third meaning could be that while he spent a lot of time setting up 2FA he totally overlooked the possibility of him losing his whole keychain thus locking him out of all the services that requires 2FA if he didn't set up yet another layer of backup.

==Transcript==
:[Cueball and Ponytail stand facing each other.]
:Cueball: I got one of those two-factor security keys you've been bugging me about.
:Ponytail: Great!

:[Cueball and Ponytail continue facing each other.]
:Cueball: It took a lot of work, fiddling with configurations, annoying setbacks, and general pain,

:[Closeup on Cueball holding a keychain.]
:Cueball: ... but I '''finally''' got it onto the metal ring of my keychain.
:Ponytail [off-panel]: At least now it's secure.
:Cueball: Yeah, this thing is '''not''' coming off.

==Trivia==

An authenticaion 'factor' is a distinct method of proving your legitimate use of a service or product. They can be broadly be grouped into three main groups.
* '''What you know''' - Some knowledge that you have to remember. Susceptible to being learnt by someone else, or forgotten by yourself.
** Passwords (or PINs) are the usual incarnation of this, usually static (although some people may change them periodically, or be required to), overwhelmingly user-chosen.
** Challenge Questions such as the answer to "What was the name of your first pet?" are given by the user for later supplemental authentication (see below). Such questions and similar Knowledge Based Authentication (for example, the place you live, your social security number, last digits of your banking card, or your yearly income) are considered insecure, because much of such information is either easily guessable, can be scrapped from social networks, or is available on the dark web because of security breaches.
*** It is speculated that the "What is your Porn Name?" game has been used to gain precisely the information required to defeat this security method.
** Other personal knowledge has been occasionally tried for such uses, such as a grid of sixteen distinct faces (randomly placed) that you ''know'' to select (say) your Mother, Cousin Albert, Grandad and your niece Lucy. Others may recognise these (and other red-herrings) but not know the sequence, or be able to easily duplicate it from just observing where on the touchscreen you made contact (as you might with numberpad-entry) in some unguarded situation.
* '''What you have''' - Some physical item that is linked to your authorisation. The possession of the key must be guarded against both theft and loss to continue to be useful.
** A popular item at one time for financial logins is a {{w|Security token|numeric key fob}}. Displaying a {{w|rolling code}} of numbers that change pseudorandomly, synchronously with the expectations of the authentication routine at the server. Any attempt by an eavesdropper to {{w|replay attack|'replay'}} a previous code will no longer be valid.
** A printed set of {{w|one-time password}}s has a similar intention, gaining technical simplicity but also additional problems/susceptibilities.
** Hybrid solutions such as {{w|Google Authenticator}} and a possibly similar one from {{w|Okta (company)|Okta}}, and other examples of mostly mobile applications (software tokens) implementing some kind of {{w|One-time_password|one-time password}} (OTP) algorithm for authentication.
*** This might be time-based OTP (TOTP), which means that the code is valid only for a short time.
** Prior to ubiquitous use of the internet (or other dial-in networks), software companies might protect their products with a {{w|software protection dongle}} to replace or augment the more easily-sharable licence keys(/passwords) and enforce the use of no more copies than had been paid for. - With the advent of the connectivity needed, a "phone home" technique has largely replaced the necessity of this, a central server vetting the use (and/or transfer) of sofware between machines. But {{w|Universal 2nd Factor|related technology}} is a modern implementation that is ''probably'' what Cueball's keyringing efforts involve.
** A device similar to the fob/dongle could also use short-range wireless communications (Bluetooth, RFID, Near-Field Communication or some proprietry method) to indicate the proximity (and identity) of the token to a receptive system. Some high-end car models offer such a system in place of an ignition key for... some absolutely valid reason.{{citation needed}}
** With "Remember my password" options in browsers and {{w|password managers}}, ostensibly to prevent over-the-shoulder attacks and/or the prevalence of weak passwords, increasingly the 'known' password has become more of a possession tied to a particular device (and any other device that has been linked by the synchronisation of such internal information).
** A code sent to a further service, such as emails to a (different) email account, or SMS message to a phone, or push notification sent to a smartphone. Retaining the possession of (and access to) these systems is often left more up to the end-user than with vendor-controlled systems, which can be an issue when used as a fall-back reauthentication method (see below).
** A non-computing example is the {{w|Token (railway signalling)|Railway Token}}, sometimes combined with quite ingenius {{w|Annett's key|key-and-lock}} systems, to enforce safe line-use.
* '''What you are''' - Some quality that relates to your {{biometrics|physical person}}. It may very hard (but not {{w|amputation|impossible}}) to lose this, or to have someone else use it. Physical coercion may be the greatest threat to this attempt to maintain security, much as it could be used for the others as well. Until recently, the hardware needed made this more of a cinematic 'solution' (to be foiled by resourceful antagonists/progatonists) or in a limited number of high-security situations, but it has also started to make inroads into consumer use. They are rarely used directly for online verification (though they can be), but more often are used to authorise the device to communicate it's intrinsically possessed verification key (or just to generally use that device).
** Fingerprint scanners are an old standard, and may even now be able to protect against the [https://whatis.techtarget.com/definition/gummy-bear-hack Gummy Bear trick].
** Eye-scanning (using iris, retina or scleral vein patterns) is a favourite movie version, and perhaps possible with sufficiently high-resolution macro-lensed cameras.
** Facial recognition is certainly possible, and touted, with current technology. With greater or lesser proof against someone wearing a printed 'mask' of the authorised user's face, according to implementation.
** Voiceprint analysis is sometimes used to verify repeat callers to helplines/service-centres, or at least to weed out the more obvious intended-impersonators.
** Gait analysis, that analyses the walking action of a person. Perhaps not likely to be so portable a solution.
** A signature could be considered a (weak) biometric. It is possible to forge a known signature, while a person may be inconstant in each attempt at their own. When done in person it may be more of an esoteric test as to the confidence and fluidity in making the scrawled claim as to your identity - which can also be faked!
** Similarly, a photo-ID could be taken as a very basic biometric verification. - Though whether it is easier to impersonate a photo (perhaps in a different way from the Facial Recognition exploit) or to forge physical ID to bear (something closer to) your own likeness.

One-Factor Authentication now may trying to avoid the shortcomings of the Password system (including the intervention of a 'remembered' password) by developing {{w|passwordless authentication}} techniques based upon "have/are" factors only.

Two-Factor Authentication was usually the addition of a physical/biometric authentication method to augment ''each'' use of a known password/PIN (e.g. the 'rolling token' number).

Conversely, the physical authentication of a bank-card has required backing up by its remembered PIN when used in cash-machines/ATMs. (In shops, checking against the signature ''written on the same card'' was for a long time the verification of valid ownership, this recently progressed to Chip-And-Pin, but then in many cases has been superceded by Contactless (NFC) versions, making it a Single-Factor solution in sufficiently low-value transactions.)

Many people may be more familiar with an occasional Second-Factor ''Re''Authentication, when (for one reason or another) they are no longer able to provide a valid password for some login or other, and activate the "Forgot my password" request which sends a link to their backup email account. Where one is set up, is still active and and you have not also lost the ability to access that. (This is not the situation that Cueball is in, or may be in.) This has largely replaced the infamous "Challenge Question" (though may still be combined with it)  probably to defeat replay-attacks or the more clever phishing attacks.

Three-Factor Authentication should really be a "know" ''and'' "have" ''and'' "are" combination. Imagine the cinematic scene of the 'President' granting authority for a nuclear attack by inserting a physical key into the required device, typing in their code and then presenting their eye to a retinal scanner.

Anything that is (seriously) quoted as Four-Factor, or above, is going to either duplicate the number of required verifications of a similar scope (towards diminishing returns) or is describing a setup of a number of ''optional'' methods from which a lesser number would be considered sufficiently valid to provide. e.g. registering all ten finger/thumb-prints in case of some random future digital injury.



{{comic discussion}}
[[Category:Comics featuring Cueball]]
[[Category:Comics featuring Ponytail]]
[[Category:Computer security]]