Is 2FA Broken, or Just Evolving?
Earlier this year, only days after KnowBe4’s chief hacking officer Kevin Mitnick demonstrated how to bypass two-factor authentication (2FA) on CNBC, security researcher Piotr Duszynski warned about a new penetration testing tool that was being used to automate phishing attacks. Of particular concern was that the Modlishka tool allowed attackers to bypass 2FA.
Not surprisingly, these revelations sparked concern. Evidence that attackers are finding new ways to bypass 2FA has raised questions about its effectiveness, but Google’s head of account security, Mark Risher, believes that not all 2FA is created equal.
Risher is not alone. “2FA has come under fire as new attacks are making it easier than ever to lure unaware victims to real-time phishing sites. Not all 2FA solutions are the same and certain systems remain strong when used correctly,” said Will LaSala, director of security solutions and security evangelist at OneSpan.
A New Variety of 2FA Flavors
Because user accounts are so easy to compromise—given the consistent use of weak passwords—some form of 2FA is better than nothing at all. The solutions have evolved from SMS-based authentication that provided a one-time code to biometrics and mobile multi-factor authentication (MFA) apps that communicate over TLS.
“SMS-based 2FA is not nearly as secure as other methods, as we all saw with the Reddit breach of 2018. SMS-based authentication was proven unsafe because the SMS message can be easily intercepted by attackers,” said Dana Tamir, VP of market strategy at Silverfort.
While SMS codes, push-based notifications and security keys are all viable forms of 2FA, they vary greatly in effectiveness and, as Mitnick demonstrated, some are in danger of losing their ability to defend. To combat the attacker’s ability to bypass 2FA, providers including Google are advancing their protection programs by leveraging security keys combined with advanced security settings that will better protect high-risk targets.
As such, 2FA technologies have evolved beyond the one-time code: the service sends a push notification to a mobile application. When the user opens the app and approves the request, the app reports that approval back to the backend, which then grants access to the web page the user was attempting to reach.
According to LaSala, an added benefit of this authentication method is that there is nothing additional for the user to type in, and nothing that the attacker can capture to attempt to log in with. “However, this still has some flaws, but an aware end user should be able to avoid these flaws and this is stronger than the email/SMS solution.”
Something You Know, Something You Have and Something More
Because many organizations aren’t able to replace legacy authentication solutions with more advanced solutions that can provide better security, many servers and applications still utilize the more basic authentication methods of passwords or legacy MFA methods, despite their known vulnerabilities.
The problem is that mainstream 2FA/MFA solutions were designed to be implemented system by system, and they require agents, proxies or custom integrations that make the implementation on sensitive systems very difficult, Tamir said.
“Superior MFA methods are being introduced into the market, offering stronger and safer 2FA/MFA without having to re-integrate with each individual application. These solutions can not only improve the security of already protected systems, but also seamlessly extend protections to other sensitive systems that organizations couldn’t protect with 2FA/MFA until today,” Tamir said.
Most 2FA solutions combine something you know with something you have, but many solutions have evolved to also include something you are, such as a biometric. These three factors of authentication allow for different combinations to meet different security needs, LaSala noted.
Enter a new generation of hardware authenticators that support dynamic linking, which is what the PSD2 regulations mandate. Dynamic linking takes input from the user about the site or transaction and enters that information into the hardware device, which then generates a one-time use code, said LaSala. “This solution helps ensure that information that is required can’t be changed or modified and can only be used during that session.”
Hardware devices connected via USB, Bluetooth or NFC fall into the FIDO U2F and FIDO2 category. “These hardware devices exchange security credentials in a secure mechanism with the site that is requesting the authentication and have the added value built in to the protocol of the FIDO specification to help prevent many of the attacks we are seeing today,” LaSala said.
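The two preceding paragraphs share one idea: a code or response is only as phishing-resistant as the context it is bound to. The added example below (not code from the article or from any vendor quoted in it) models this with a simplified HOTP-style code that optionally mixes transaction details or the site origin into the MAC input. It is a teaching model of dynamic linking and FIDO origin binding, not an implementation of OCRA, PSD2 or the FIDO protocols; KEY and the payee, amount and origin values are constructed for the demo.

```python
import hmac
import hashlib
import struct

def hotp(key: bytes, counter: int, context: bytes = b"", digits: int = 6) -> str:
    """HOTP-style code using RFC 4226 dynamic truncation. With empty `context`
    this is an ordinary one-time code; with transaction or origin data mixed into
    the MAC input it only verifies for that exact context (dynamic linking)."""
    mac = hmac.new(key, struct.pack(">Q", counter) + context, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"

def verify(key: bytes, counter: int, code: str, context: bytes = b"") -> bool:
    """Constant-time check of `code` against the expected code for this context."""
    return hmac.compare_digest(hotp(key, counter, context), code)

def tx_context(payee: str, amount_cents: int) -> bytes:
    """The transaction details a user keys into a dynamic-linking token."""
    return f"{payee}|{amount_cents}".encode()

# Constructed demo secret shared by token and server; not a real key.
KEY = b"constructed-demo-shared-secret"

def plain_code_is_context_free() -> bool:
    """A plain one-time code carries no transaction data, so the server has no
    way to tell which transaction the user meant; it accepts the code as-is."""
    code = hotp(KEY, counter=7)
    return verify(KEY, 7, code)

def linked_code_rejects_changed_transaction() -> bool:
    """With dynamic linking the code is computed over 'Alice, 10.00'; changing
    the payee or the amount on the server side makes verification fail."""
    code = hotp(KEY, 7, tx_context("Alice", 1000))
    ok_original = verify(KEY, 7, code, tx_context("Alice", 1000))
    ok_payee = verify(KEY, 7, code, tx_context("Mallory", 1000))
    ok_amount = verify(KEY, 7, code, tx_context("Alice", 100000))
    return ok_original and not ok_payee and not ok_amount

def origin_bound_verify(expected_origin: str, seen_origin: str) -> bool:
    """FIDO-style origin binding in miniature: the client mixes the origin it is
    actually talking to into its response, and the site verifies against its own
    origin, so a response produced for any other origin does not verify."""
    response = hotp(KEY, 7, seen_origin.encode())
    return verify(KEY, 7, response, expected_origin.encode())
```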
End Result Depends on End User
Ensuring that the solutions implemented use at least two different authentication factors is critical to their effectiveness, but no technology is unhackable. That’s why it is important to maintain training and keep open lines of communication with users. As new threats emerge, users need to be taught how to spot them so that they can avoid them.
“End users need to stay vigilant and be aware of what they are entering and where. These tools mask certain components, but with proper training and a general awareness on behalf of the end user, many less secure 2FA options are still viable,” LaSala said. “In the long run, there will always be a new attack and there will always be a new solution, so it is important for end users to be educated on all of this.”