6

When a user has logged in to a system using their primary password, is there any value in asking for a distinct second password when performing sensitive functions?

Does it provide any benefit over asking for their primary password again?

I consider a second password to not be two factor authentication (2FA), but in what way does it benefit (if at all) over asking for the password they just used to log in?

NULLZ
  • 11,446
  • 18
  • 80
  • 111
Craig Curtis
  • 699
  • 1
  • 7
  • 11
  • 3
    For assistance in defining what 2 factor actually is, [readers may find this link helpful](http://security.stackexchange.com/q/3796/396) – makerofthings7 Apr 10 '13 at 02:18

3 Answers3

6

Agreed. Definitely not two factor.

The three factor classes are something you know (a password), something you have (a security token of some sort) or something you are (iris pattern, fingerprint etc).

Whether a second password is of any use depends on your application and environment.

In many ways the 2nd password may be less secure from a social aspect since it is less often used so more likely to be written down. How less secure would depend on whether an potential attacker is likely to be hanging around your users.

If you are worried about a brute force attack then having two passwords would help, but no more than insisting the first was as long as the combined password lengths. Brute force can easily be detected and prevented in your application.

It might offer limited protection from sniffing if used infrequently enough, since the sniffer might not have been running long enough to see both passwords. Although if you are using SSL then it implies either a man-in-the-middle attack, or a compromise of either the users or servers environment. Either way, you have problems.

Asking for re-entry of the original password does ensure that the person who is about to perform the high security function is still the same as the one who logged on. Useful in some circumstances.

Finally, it may give the perception of greater security, which may be of marketing value in some circumstances.

Overall though, the chances are that any increase in security is marginal.

DodgyG33za
  • 765
  • 3
  • 6
  • Does it provide some security against phishing, or would an attacker try to get both passwords out of the user instead of just the one? – Craig Curtis Apr 11 '13 at 00:03
  • The latter. If you can fool your target into thinking the site he is at is real, you can get both passwords. – DodgyG33za Apr 15 '13 at 04:01
3

A 2nd password (ie. Security Question) can ensure extra security when used properly. For example, RBC uses 3 security questions, chosen at random during login. This is a sort of safety net that if the password has been compromised (sniffing, brute force, etc.) the 2nd password is unrelated, "unpredictable" and could prevent the account from being used.

However, the 2nd "password" is most likely handled in the same manner as the first. So, if the first password was compromised it is likely the 2nd can also be attacked in the same manner. In this sense it is more a deterrence than actual prevention. Unless both passwords are handled and stored in completely different ways...

That's my understanding of it at least. Hope it helps in some way or another.

drunkenRabbit
  • 251
  • 1
  • 5
2

You are right. A second password is not a second factor in a 2FA scheme.

Like @drunkenRabbit mentioned, a user will most likely treat the second password in the same way he treats the first password. If the first password is compromised, it is a safe assumption the second password is compromised as well. In fact, if the second password is in the form of a security question, it might even be less secure than the first password as the user might not treat the security question the same way they have been trained to not give out their passwords.

A 2FA scheme only works if the factor is something completely different. If the second password in your scenario is changed to a one-time-password, that would fulfill the requirements of a 2FA scheme as the OTP is no longer something you know. Instead it is something you have - the device on which you receive the OTP, be it an app in your mobile phone or a dedicated hardware token.