We are frequently given advice on creating complex passwords, never re-using passwords, and setting up two factor authentication, but we need to consider the 2 factor authentication risks – which come about through both technology limitations and with the ever-present security weakpoint of human factors.

What is 2FA?

Firstly, it is important to understand what two factor authentication is. When you log in to a service, you identify yourself – your username, an email address or with an account reference (such as your client number, etc.). Then, you need to authenticate yourself with something only you know, which is normally a password. As the password information can be stolen or guessed, a second level of authentication can be used – something that you have, this is multi factor. This ‘thing’ that you have can be a physical item such as a USB dongle, a battery-powered unit that generates changing PINs, a matrix card, a keyfile (or any file), or your phone / mobile device.

A two factor matrix card – the user is challenged with a reference (e.g. “C5”) and they provide the response from the card
A two factor token from RSA, where the six digit PIN changes every few seconds. This is synchronised to a server which knows which PIN will be provided at a given time.

In the 90’s and early 2000’s, the most common second factor was a token, as shown above. There are multiple problems with this approach, as the devices can be lost, stolen, damaged, run out of battery, or become out of sync with the central security server (particularly if they have not been used in a while). And there is the human factor of simply not carrying it, sharing it with others etc., and they can be expensive for businesses to send out and maintain, meaning they were often only used by businesses and not consumers.

Biometrics

In the past 10-15 years, the availability of using a second factor of something you are has become available – biometrics. This is most commonly a fingerprint, or your face, but can also be a retina scan and other technologies. This is highly convenient (if it works first time!), however it is possible for your biometrics to be stolen or faked. The German defence minister, Ursla von de Leyen had her fingerprint stolen through photos taken at a public event, and the problem she now has is that she cannot change her biometrics – and so never use her thumb print as a valid authentication method.

READ ARTICLE:   Dedicated Management Cluster

Many spy films also use the concept of cutting off a person’s fingers or hands to get their biometrics, and I know of some identical twins who are frustrated that their brother can access their phone with FaceID. There have been reports of facial recognition even not being able to distinguish genders.

SMS tokens

Now the most common MFA method is to send an SMS to the registered phone of the user. This is also convenient for people (not so much for those who don’t have a mobile phone such as the elderly or children), however there are problems with this approach. The SMS system is not a guaranteed delivery system – and sometimes an SMS message can be delayed for longer than the lifespan of the 2FA token.

Additionally, a problem exists with the ability to port a number to a new SIM. A process known as SIM jacking will take advantage of the ability a phone service provider has to move a number to a new SIM – a feature that is used if you lose or damage your phone, or if you move to a new carrier. Once the SIM swap has been done, you no longer have access to those SMS tokens, and it is very hard to get your number back.

More advanced attacks such as man-in-the-middle and SMS forwarding vulnerabilities exist. However, an SMS token remains one of the most common MFA/2FA authentication methods for both business uses and also for consumer systems, online banking and even government systems.

Authenticator Apps

With the assumption that everyone has a smartphone, there are authenticator apps available from both Microsoft and Google that can be used to generate PINs or provide push notifications to provide a MFA capability. These apps can register multiple accounts, and provide a convenient way to ensure that your authentication is really done by you.

READ ARTICLE:   Supply chain and 3rd Party risks

There are some problems with authenticator apps, mostly down to the common weak point in security – human factors. Authenticator apps can be backed up and migrated between devices. This means that the weakest point is now the password for the account that is used for the authenticator – which itself cannot be protected by MFA. Secondly, there is a type of attack called 2FA flooding or MFA fatigue attacks – where an attacker sends hundreds of prompts to the Authenticator app, and the user eventually just approve the challenge, to get the app to stop notifying them.

The Death of Passwords

Microsoft and others are trying to get rid of passwords completely, by moving to their authenticator app to replace both passwords and MFA in one step. This removes the risk of poor passwords, which has always been the weakest point – because it depends upon humans to create and use the passwords.

Share this knowledge