Your Smartphone Is Your Token: A Cautionary Tale
I'm a big fan of using mobile phones, especially smartphones, as security tokens. If the user locks the phone with a passcode, then it's a pretty good bet that the token is in the right hands. And, unlike little hardware tokens, nobody leaves home without their phone anymore.
In addition to applications that might send me a token by SMS, I have three token apps on my smartphone:
- Symantec VIP, which I use for eBay, PayPal, Symantec MSS, remote login to one of my clients, and some others.
- Google Authenticator for various Google accounts and for WordPress.
- Duo Security, which I use for my own SSH logins.
This was cool until I went into a swimming pool with my iPhone in my bathing suit pocket. The rice trick did NOT work, so I thanked whatever voice told me to buy AppleCare, paid the $79 stupidity tax to replace my phone, and went about rebuilding my digital life. Even with a backup, VIP generates a new token ID when it detects that the backup was restored to a new phone. Two of the services required a help desk call to update the token, although if I had set up a backup token on my desktop I might have been able to avoid that. The other services could use my phone number for a token reset. For Google and WordPress, I needed to authenticate with either a backup token or an SMS to my phone. Fortunately I had the right phone number in all of those accounts. For Duo I was able to establish the replacement token with SMS.
I came out of this with some practices to reduce the pain of replacing a phone with a lot of authenticators on it:
- For Google Authenticator, print out and save the backup tokens for each account so you can log in while your phone is still dead.
- For any account with SMS backup, make sure at least one mobile phone number is specified.
- Consider using a number from a service like Google Voice. The Google Voice app lets me receive a text message on any IP-connected phone, regardless of its number, or on my tablet.
- For tokens such as VIP or RSA SecurID that have a desktop version, consider registering an additional token for services where you need a token to reset a token (and that support multiple tokens). This could save you a help desk call.
A little preparation can save you a lot of pain when the unexpected happens.
And Don't Panic!
About Andy Sherman
Andy Sherman, Eden Technologies' security practice lead, has a PhD in physics from Rensselaer Polytechnic Institute and started his career in the academic world. He then went to AT&T Bell Laboratories, where he discovered the power – and hazards – of large distributed computer networks. It was also at Bell Labs, during the early days of the Internet, that Andy became interested in the security problems associated with public networks. From Bell Labs Andy moved to the financial services industry. There he worked on a large range of infrastructure design, deployment, and management projects, but he is best known for his 15+ years in information and technology security.