TLDR: August really doesn’t have two-factor authentication, but what they have may be good enough.
I recently got my hands on the new August Smart Lock, but not to put on my door (well, at least not yet). Instead I was interested in the security of a product which is claimed to be “completely secure”. No joke, their promo video says completely secure! By definition, adding a second way to open a lock can only weaken the security of your house: every new way to unlock it adds complexity, and that complexity reduces overall security.
A little bit on the August Lock
What first piqued my interest was a company claiming to make a “completely secure” product. With that being said, I do think their approach to smart locks is one of the more reasonable ones I have seen. Rather than replacing the entire lock, the August replaces the deadbolt knob and utilizes the existing locking mechanism. This is a very nice feature, and it is essential for those living in apartments who want a smart lock, as replacing the entire lock is not an option. Additionally, August uses Bluetooth LE for all communication between the lock and the user’s phone. This phone-to-lock communication is what underpins the ability to create and provide guest keys.
On the August Company
I have been auditing the August lock since the middle of December 2014. When multiple security issues with the August lock became apparent, I reached out to August (the company). Their response was very mature and left me with an overall positive opinion of the people at August in spite of their “completely secure” claims. They seemed genuinely interested in creating a secure experience, and did hire a security consulting company to review the August prior to release. (If you are reading this and work for that security company, I am deeply disappointed in you.)
Bla bla bla details time
I will not be releasing any of the more serious concerns I have with the August lock today as I would like to provide August a little more time to address them. However, I would like to publicly address a comment made when I mentioned to August they should use two factor authentication.
Me: For any application where security is paramount, two factor authentication is a must, as passwords tend to be shared between sites, and key-loggers, brute-force attacks and server-side exploits can significantly weaken password based security systems.
August: We do have multi-factor authentication in place. When first logging into the account, or when logging into another new device, an SMS or email verification code is required before allowing the user to proceed. There are other factors which are permitted to be used as the second factor during the authentication process, such as certain tokens previously stored on the user’s device, so this may be why you may or may not see a request for an SMS/email verification code if you are logging back into a device that you have previously used.
On the surface it would seem August does indeed have multi-factor authentication. So article over, nothing to see here, right? Well, no, but before I get into details let’s review what it means to have multi-factor authentication. There are three factors that are commonly used for multi-factor authentication: something the user has, something the user knows, and something the user is. In order for a system to have multi-factor authentication, two or more factors are required to authenticate a user. If it is possible to authenticate a user with only a single factor, then the system does not use multi-factor authentication. It is important to remember that two things you have only count as a single factor, and two things you know also only count as a single factor.
If you can create another factor, such as a special token on a particular computer, based solely upon a set of things you know or a single biometric reading, this is effectively single factor authentication. For example, some banks implement a scheme that requires you to type a username and password and answer a personal question, and if you get those right, your computer will be marked as a physical factor. It’s obvious that this scheme is open to many attacks, but the primary weakness is that the system is not truly a two factor solution: it is based upon a simple set of “something you know”, and thus you can make any computer a second factor if you know these details.
“For a strong authentication to be in process, it must include two out of the three authentication factors- also referred to as two factor authentication.”
Going back to the response provided by August, we see they believe their multiple factors are something you have (a phone or email address) and something you know (a password). Now if I can show that only one of these things is needed to gain control of an August lock, then this claim of multi-factor authentication is falsified.
How August’s authentication works
During the sign-in process your phone provides the August web servers with a randomly generated installId. This installId is never shown to the user. Whenever the user logs in from a new phone they will be sent a verification token via email or text message. Upon entering the token into the August mobile application they are allowed to log in.
Given that entering a user’s password represents a proof of knowledge, August must be assuming that access to an inbox or text message represents a proof of possession. For the time being let’s accept this to be true and look at the forgot my password feature implemented by August.
When a user indicates they forgot their password while using a phone which has previously logged into their account, August will send a token to the user’s email address. Upon entering this token the user will be able to change their password. If, however, this same process is done from a phone which has never been used to access their account, then after entering the token sent via email a second token will be sent via text message. This second token must be entered prior to resetting the password.
Looking at this process we see the user only provided proof that they control both the email address and the phone number tied to the account. In order for August to have two factor authentication we now must assume that either control of an email address or control of a phone represents proof of knowledge. If we do this, though, we create a contradiction. Thus August cannot have two factor authentication.
Here is a more formal statement of my proof August does not have two factor authentication:
Let p be proof of possession
Let k be proof of knowledge
Let e be proof of control of an email address
Let f be proof of control of a phone
Let w be proof of knowledge of the password
Let a be an authenticated user

Define multi-factor authentication:
1) m = k + p

Define “I forgot my password” authentication (from a new phone):
2) a = e + f

Define the normal sign-in process (password plus either a text message or an email token):
3) a = w + f
4) a = w + e

Assume proof of knowledge of a password is proof of knowledge: let w = k. Substituting k for w:
1) m = k + p
2) a = e + f
3) a = k + f
4) a = k + e

If we assume control of a phone number is proof of possession, let f = p. Substituting p for f:
1) m = k + p
2) a = e + p
3) a = k + p
4) a = k + e

If we assume control of an email address is proof of possession, let e = p. Substituting p for e:
1) m = k + p
2) a = p + p
3) a = k + p
4) a = k + p

Path 2) now authenticates a user with possession alone, which does not satisfy 1).

However, if we instead assume control of an email address is proof of knowledge, let e = k. Substituting k for e:
1) m = k + p
2) a = k + p
3) a = k + p
4) a = k + k

Now path 4) authenticates a user with knowledge alone, which again does not satisfy 1).
Even when one attempts to claim control of an email address is proof of knowledge August does not have multi-factor authentication.
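To make the factor-counting argument above (the definition of multi-factor authentication, the bank device-token scheme, the August sign-in and password-reset paths, and the substitution proof) checkable, here is an added example that is not part of the original post. It models each login or recovery path as a set of proofs, each tagged with the factor it demonstrates, and reports how many distinct factors every path really requires; a proof issued after presenting other proofs (the bank’s device token) inherits the factors of its prerequisites. All names here (`Proof`, `factors_of_flow`, `august_flows`, `bank_flows_and_proofs`) are hypothetical, and the flows are transcribed from the post’s description rather than from any August code.

```python
# Added example (not from the original post or from August): count the distinct
# authentication factors each path to "authenticated" demands, so that a
# system's weakest path, password reset included, can be checked mechanically.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"


@dataclass(frozen=True)
class Proof:
    """One thing a user can present. Either it directly demonstrates a factor,
    or (factor=None) it was issued only after other proofs were presented and
    therefore inherits the factors of those prerequisites."""
    name: str
    factor: Optional[str] = None
    derived_from: Tuple[str, ...] = ()


def effective_factors(name: str, proofs: Dict[str, Proof]) -> FrozenSet[str]:
    """Factors a proof really demonstrates, following derivations to their roots."""
    p = proofs[name]
    if p.factor is not None:
        return frozenset({p.factor})
    result: FrozenSet[str] = frozenset()
    for prerequisite in p.derived_from:
        result |= effective_factors(prerequisite, proofs)
    return result


def factors_of_flow(flow: Tuple[str, ...], proofs: Dict[str, Proof]) -> FrozenSet[str]:
    """Union of the factors demonstrated by every proof in one path."""
    result: FrozenSet[str] = frozenset()
    for name in flow:
        result |= effective_factors(name, proofs)
    return result


def weakest_path_factor_count(flows: Dict[str, Tuple[str, ...]], proofs: Dict[str, Proof]) -> int:
    """A system is only as multi-factor as its weakest path (reset flows included)."""
    return min(len(factors_of_flow(f, proofs)) for f in flows.values())


def august_flows() -> Dict[str, Tuple[str, ...]]:
    """The paths described in the post: sign in on a new phone with a password
    plus an SMS or email token, and password reset on a new phone with an email
    token followed by an SMS token."""
    return {
        "login_password_sms": ("password", "sms_code"),
        "login_password_email": ("password", "email_code"),
        "reset_email_sms": ("email_code", "sms_code"),
    }


def august_proofs(email_factor: str, phone_factor: str = POSSESSION) -> Dict[str, Proof]:
    """Instantiate the model under one assumption about what an email token and
    an SMS token prove (the e = p and e = k cases of the post's proof)."""
    return {
        "password": Proof("password", KNOWLEDGE),
        "email_code": Proof("email_code", email_factor),
        "sms_code": Proof("sms_code", phone_factor),
    }


def analyse_august(email_factor: str, phone_factor: str = POSSESSION) -> Dict[str, int]:
    """Number of distinct factors each August path requires under the assumption."""
    proofs = august_proofs(email_factor, phone_factor)
    return {name: len(factors_of_flow(flow, proofs)) for name, flow in august_flows().items()}


def bank_flows_and_proofs():
    """The bank scheme from the text: a device token granted after a password and
    a personal question, both of which are things you know (constructed model)."""
    proofs = {
        "password": Proof("password", KNOWLEDGE),
        "security_question": Proof("security_question", KNOWLEDGE),
        "device_token": Proof("device_token", None, ("password", "security_question")),
    }
    flows = {"login_enrolled_device": ("password", "device_token")}
    return flows, proofs


if __name__ == "__main__":
    for email_is in (POSSESSION, KNOWLEDGE):
        print(f"email token counts as {email_is}: {analyse_august(email_is)}")
    flows, proofs = bank_flows_and_proofs()
    print("bank enrolled-device login, distinct factors:", weakest_path_factor_count(flows, proofs))
```

Whichever way the email token is classified, one of the three August paths collapses to a single factor, and the bank’s device token never adds a factor because everything it was derived from is knowledge. The same check is a useful design-review habit: enumerate every path that ends in “authenticated” (recovery paths included) and count factors along the weakest one, not the best one.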
Text messages and email as proofs
I would be remiss if I did not take a moment to comment on the use of text messages and emails as proofs of identity. Today’s email is largely unchanged from the early days of the internet. It remains a fundamentally insecure communication channel, akin to sending a postcard across the internet. Even if we were to solve the problem of secure email delivery, most users do not lock their home computer, and full disk encryption does not have great adoption. This means gaining physical access to someone’s computer is sufficient to gain access to their email. Furthermore, users are notorious for rampant password reuse and poor password selection. If one were able to recover a user’s password from one of the countless data breaches which occur every year, they would be able to use this password to access the user’s email account. And what of the possibility of the email provider being compromised, or malicious? In either case, any system utilizing control of an email address as proof of identity could be compromised.
As for text messages, the story is not much better. It too is built on an insecure protocol and is reliant on the integrity and operational security of wireless carriers. (When was the last time you thought of a phone company as being high in integrity?) Additionally, the wireless communication between cell towers and phones has been shown to be insecure on multiple occasions. The problem is even further clouded by services like Google Voice which allow access to text messages and emails through a single sign-on. (Apple also appears to be moving closer and closer to a Google Voice like solution, with phone calls and text messages being accessible from all Apple products.)
It may well be good enough to have a well constructed single factor authentication system for a home lock. After all, any lock only requiring a physical key is by definition a single factor authentication system (possession). Smart locks like the August do, however, expose users to a new class of threats. With a traditional lock an attacker would need physical access to the lock to compromise it. With internet enabled smart locks it becomes possible for an attacker to compromise one or many users’ locks remotely and then sell not only access but also knowledge of when the users will be away from home. This threat, however unlikely, is a distinct possibility which manufacturers should seek to mitigate before it ever comes to fruition.