The Conundrum of 2FA meets the Enigma that is PAM
“It’s a mystery. Broken into a jigsaw puzzle. Wrapped in a conundrum. Hidden in a Chinese box. A riddle.”
– The Riddler, The Long Halloween
Yesterday’s hack of the AP’s Twitter account was big. Not only did the impact it had on the stock market prove Ranjeet’s thesis that Twitter is now a SOX (Sarbanes-Oxley) application, it added to the long list of Twitter hacks that have led to repeated calls for Twitter to add two factor authentication (2FA) for their accounts. And the news that came out in the immediate aftermath of the AP hack is that Twitter is working on adding 2FA.
But this creates an interesting issue. Pretty much everyone that added 2FA after the now legen…wait for it…dary Mat Honan hack implemented the same mechanism: add a mobile number to the account, and supplement the normal password based authentication with a verification code that is sent to that mobile device via SMS. Works pretty well for your Google mail, your Facebook account, your iCloud account. But Twitter has an interesting challenge here (which may be why they didn’t rush to add it).
This method works pretty well when we’re talking about a personal Twitter account. But the accounts that are most likely to be attacked, and therefore in most need of stronger authentication, are the channel accounts – for brands, celebrities and organizations (like the AP). These accounts are usually not operated by an individual, but rather by teams of people. Twitter has no feature to support this, though there are any number of Twitter tools out there that facilitate this by adding a management layer on top. However, whether you’re using a tool or just managing this ad-hoc, it all relies on the sharing of login credentials – the Twitter username and password. So what happens when 2FA is added to such accounts? Whose mobile number will be provided to Twitter? As Eve Maler pointed out in an excellent blog post, 2FA effectively kills any password sharing based approach.
It’s a far more interesting question to consider when you expand the arena to include enterprise applications. The IAM suite of products includes Privileged Account Management or PAM (aka PUM) products that are specifically designed to tackle the problem of shared accounts, usually highly sensitive (and therefore needing stronger protection) admin accounts. PAM products usually work by taking over the use and management of the shared password, either signing the user in transparently (without revealing the password) or revealing a one-time use password after the user has authenticated themselves using their own unique credentials. There’s a very direct impact on these tools if the application they are managing authentication to suddenly changes their authentication model. And with more and more enterprise applications now in the cloud, and adopting this kind of 2FA, one wonders what the future of PAM will look like (welcome to my world).
Maybe this is why Twitter didn’t rush to add 2FA to their accounts, because they realized that doing so would break the usage model of some of their most valued users – channel managers. And if they now roll out fast and cheap 2FA (as Eve put it) in response, then it’s likely that the accounts they are doing this for are unlikely to turn it on because of the impact it has on their operational model for using/managing Twitter.
The only real short-term answer for Twitter (and similar applications) is to roll out true delegation of usage rights to multiple identities. The model by which Facebook Pages are managed, where people authenticate using their individual Facebook identities and are granted fine-grained (!) admin rights, comes to mind here. This then ties back to Twitter being a SOX app and the need for IAM systems to treat these applications like any other enterprise application.
The only real long-term answer for all applications is to do real (not fast and cheap) MFA (multi-factor authentication) and eliminating shared accounts by combining a delegated authorization model with claims-based recognition of identities. That, unfortunately, is a much harder problem to solve.
[UPDATE 5/23/2012] – So Twitter has finally added two factor authentication. And it is, as expected, not done the way that they needed to do it (and why are they calling it “login verification”?). Let’s see how channel managers respond, and if Twitter notices (when they track who turned it on).
Here’s one possible approach to this problem: