Following some high-profile password hacks, companies like Apple, Twitter and Evernote have moved to shore up their systems with two-factor authentication. Said to be a great missing security link in many password-driven systems, two-factor authentication technologies that are most widely used today are actually fraught with many of the same risks as password-driven systems.
If you’re considering two-factor authentication, you should consider some of the most common attacks, identified by Jim Fenton, CSO at digital identity provider OneID, on two-factor authentication. Of course, there are many more than five attacks in the world, but these should give a starting point for evaluating others. These examples illustrate the importance of thinking broadly about how two-factor authentication can be defeated. You can be assured that the attackers are doing so.
Click through for five of the most common security risks associated with two-factor authentication today, as identified by Jim Fenton, CSO at OneID.
The keystroke logger permits an attacker to monitor your typing to retrieve login credentials (typically username/password). Two-factor authentication is typically effective against these passive attacks, since they include a one-time password component obtained from the device (e.g., hardware token or phone). However, malware could also redirect some of those keystrokes to an attacker, whom you have just enabled to log in as you.
Network-based man-in-the-middle (MITM) attacks are typically dealt with by cryptographic network protocols (SSL/TLS). However, forgery of fraudulent cryptographic certificates, while relatively rare, has shown flaws in this dependency. This can be accomplished by injecting fake root certificates in the browser’s trusted certificate database, or by compromising any of the many root certificate authorities already listed there. If an attacker is able to become an undetected intermediary, they can perform all of the capabilities of the key logging and redirection threat, but with less presence (and detectability) on the user’s computer.
Sophisticated malware known as a man-in the-browser – such as Zeus – allows an attacker to falsify a user’s browser display, making the user think that the website is doing what they intend while actually it is doing something completely different, directed by an attacker. The best countermeasure for this is the use of a two-factor technology that independently and securely displays to the user the nature of a transaction being approved. Ideally, this independent display would be on a different device using an independent communications channel.
You also need to consider what happens if you lose one of your authentication factors (or if an attacker pretends to). If the response is to temporarily disable two-factor authentication, then an attacker might be able to social engineer the account recovery process to get access to the account. Worse yet, if you’re using knowledge-based authentication (“What was the name of your first pet?”) for account recovery, these answers are often very easy for an attacker to guess and provide much worse security. Remember that the attacker will pick whatever is the weakest point in your authentication system to attack. It was account recovery more than the lack of two-factor authentication that exposed Mat Honan of Wired Magazine to a widely reported and devastating attack last year.
Some two-factor authentication systems rely on third parties for the issuance, verification, or communication with verification of physical tokens. The vulnerabilities inherited from third parties are best illustrated by the breach of RSA’s SecurID authentication system in 2011. Although the extent of the RSA breach isn’t fully known, it is thought that the attackers could have gotten access to information to create counterfeit tokens.
Authentication using SMS text messaging and other telephony-related means is dependent on the mobile carrier’s practices for assigning and reusing phone numbers. If an attacker can convince the carrier that they are the user and they lost their phone and need a new one, they would be in a position to intercept text messages and phone calls, providing the second authentication factor. This has led to a request from some Australian telecoms that banks not use SMS for two-factor authentication.
