Multi-factor Authentication

Many padlocks on a cable.

Basics:

As lawyers and legal professionals, most of us understand that we are entrusted with a lot of sensitive information about our clients. And, generally, we know how to protect it. At least in the real world. We have security systems in our offices, locks on our files, and we limit access to certain rooms or floors of buildings. We redact information as it leaves our hands, we get permission to release medical records, and we fight tooth-and-nail to protect the integrity of our privileges. We are well versed in protecting what we can see; we are not nearly as calculating and thorough with our digital information.

As part of a series of issues of great significance to attorneys, we need to discuss how to protect this digital information in our day-to-day practice. And we need to start at square-one.

So, before I lay into one of my biggest pet-peeves relating to attorneys and their digital information — the privilege killing minefield that is the use of free-mail in attorney/client communications — I need to create a bit of a foundation for internet security hygiene. The first topic, everybody’s favorite efficiency killer — two-factor authentication. Commonly expressed on the internet (and at posh cocktail parties) as 2FA.

Why do I need this?

Before we start, you need to understand that every password that you use – Every. Single. One. – can be compromised. The textbook route is a brute-force attack: it's not rocket science, it's just a matter of trying every possible combination of letters, numbers, and symbols until the right one turns up. A long, random password held by a well-built system will outlast any attacker's patience, but that is not how most passwords actually fall. They get phished, they get reused on some other site that is later breached, or they get guessed from a leaked list of common passwords. Whatever the route, the practical assumption is the same: given enough time, your password, no matter how hard you make it, may end up in someone else's hands.

Which means that the game is not how to keep a bad-actor from figuring out your password; rather, it's how to keep someone who already has your password from breaking into your account. And then, more importantly, how do you discover when they attempt to do so? Once you change your password, the bad-actor has to start all over again, which could take some time.

Two Factor Authentication:

This is where two-factor authentication comes in. The idea behind 2FA is that in order to gain access to your account, you must present two of "something" to a validator. These "somethings" generally take one of three forms: 1) something that you have (e.g. a cell phone or a hardware security key), 2) something you know (e.g. a password or PIN), or 3) something that you are (e.g. a fingerprint or your smiling face). If you only present one of these things, the validator will not let you in. It's very much like account validation at an ATM, and this concept has been around for quite some time. If you simply went up to an ATM and typed in your PIN, you wouldn't expect to get to your account, would you? Likewise, if you only presented your card to the ATM, without your PIN, you'd be appalled if you could withdraw money, right? I know I would.

Keep in mind, however, 2FA is by no means fool-proof. There are ways around it, and there have been some high-profile hacks of accounts with 2FA. But that doesn’t mean that you shouldn’t use it. Just because someone broke into a house that had a security system doesn’t mean that security systems are now useless. At the end of the day, the ultimate goal of any security mechanism is not to completely keep someone or something out. It is to make it so difficult to get in that they prefer to try somewhere else. Or to make it where it takes so long to do so, that they will inevitably get caught. Much like having a guard dog – it doesn’t make your house impenetrable, it just makes your house less appealing to burglars. As legal professionals, we need to make sure our accounts are not appealing to bad-actors.

2FA is a pain to set-up and use on a day-to-day basis. I know it, you know it, and even the good people of Rice University know it (https://www.cs.rice.edu/~dwallach/pub/2fa-usability-2018.pdf). In a 2018 study conducted on 20 undergraduates from Rice University, researchers concluded that the usability of 2FA was so poor, that they were concerned people would discontinue its use even knowing of the vast benefits. But even this sad conclusion was IF the user set it up in the first place (which, they determined, was the greatest barrier overall to its use).

But we, as legal professionals, are no strangers to difficult set-up or inefficient usability in the name of security (think: federal electronic case filing). And the success rate for 2FA set-up is in the 70 percent range. Don't you think you'd be one of the winners? It's nothing for our field to be afraid of.

Now, I am not saying that everything you own or care for needs to be protected by 2FA. Your gym locker is likely doing just fine with your combination lock, your car probably doesn’t need a key and a PIN to let you in. But the more valuable your (or, more importantly, your client’s) information is, the more likely it needs to be protected by at least 2FA. It’s a balancing test, where once the need for security outweighs the need for easy access, you should use 2FA.

Two-factor Authentication in the practice of law:

This obviously isn’t a treatise on multi-factor authentication and we don’t need to get into other, more complicated aspects here (we will save for another time the deep dive into tokenization, session hijacking, and man-in-the-middle attacks). We’re mainly here to discuss how this affects our practices.

And the start, middle, and end of that discussion is ethics. Ethics, ethics, ethics, boring stinking ethics. It always seems to be the reason that we must do more work and be more careful than our peers. If the average company has a breach of some sort (I don't know, let's take Equifax as an example), they simply get a slap on the wrist and some public embarrassment. People may get fired. That's it. But for anyone in the legal profession, regardless of practice area, jurisdiction, or firm size, there are far greater consequences. We could easily lose our licenses, our clients, and our businesses. And the people who work for us could lose their jobs.

As a result, determining if 2FA is necessary for your information is relatively easy. Ask yourself, “do I have an ethical obligation to protect this information?” Or more specifically, “is this someone else’s non-public information?” If the answer is “Yes,” then you need to use 2FA, at a minimum. It’s that simple. If you’re not using 2FA to protect client information and your account is breached, you likely have an ethical mess on your hands comparable to mishandling trust funds – if not worse. (You’ll notice, here, that I haven’t mentioned that you need to use 2FA on all of your online bank accounts – that’s because it doesn’t relate specifically to your practice, and, frankly, I shouldn’t have to tell you that one.)

Where to start:

You can learn more about 2FA and other forms of authentication at https://fidoalliance.org/.

In thinking about where you should or shouldn't turn on 2FA, you should start by going to https://twofactorauth.org/. It's a list, albeit not comprehensive, of websites that allow for 2FA. If a site you use is on there, it's probably best to turn on the 2FA (I'm looking at you, Google and CLIO). Additionally, you probably don't want your staff using their personal cell phones as an authenticator. In that case, you can use a hardware security key (a small USB token, like the ones HERE) for authentication instead.

That's not all, though. Not every place that you store client information is a website. If you store client information locally, on a computer that has access to the internet, or on a server, then your local user accounts probably need 2FA as well. A later article will discuss this further, but for now, many of you can simply go to the Microsoft documentation HERE for help setting it up on your Windows 10 machine.

Closing:

There are a lot of people out there encouraging you to set up 2FA on your personal accounts. Many times, when you log in to your Gmail or your Facebook account, you get a prompt or a warning of some sort that you have to dismiss. I really don't care if you ignore those prompts. However, you may have an ethical obligation to set those up on your non-personal accounts. Take the five minutes. Set it up. Just do it and be done with it. We've got bigger fish to fry.

Next up:

Free-mail, End-to-End Encryption, and Your Attorney-Client Privilege.

Further Reading:

  1. 2FA Might Be Secure, But It's Not Usable: A Summative Usability Assessment of Google's Two-factor Authentication (2FA) Methods, Claudia Ziegler Acemyan, Philip Kortum, Jeffrey Xiong, and Dan S. Wallach, 2018, in Proceedings of the Human Factors and Ergonomics Society 2018 Annual Meeting.
  2. https://www.wired.com/story/two-factor-authentication-apps-authy-google-authenticator/