The Trouble With Two-Factor Authentication (2FA)
Firstly, what is two-factor authentication? Known as 2FA or two-step verification, it is an extra layer of security on top of a username and password.
The second authentication factor can be one of a variety of options, including an SMS token, a hard token, a one-time passcode or knowledge-based questions.
After logging in with your password, you then enter the second factor to gain access.
For years 2FA has been an integral component of most enterprise security strategies. However, now that 63% of security breaches involve the use of valid user credentials, and attackers have little difficulty bypassing two-factor authentication, either by intercepting codes or by exploiting account-recovery systems, it is glaringly obvious that two-factor alone is no longer enough.
Examples of ways to exploit 2FA
Phishing landing page
Phishing attacks direct you to a fake login page via a fraudulent SMS or email message. It begins with the victim arriving at a login page for Office365, iCloud, PayPal etc. The target, believing the landing page to be authentic, enters their credentials into the fake login form, which then prompts them for a two-factor code.
Meanwhile the attacker, who sees every credential entered into this page, takes the target's username and password and enters them into the legitimate site. This step can be automated to carry out the attack at scale.
When the attacker tries to log in with these details, the real 2FA protection kicks in and asks for the 2FA code, which the legitimate service then delivers to the target.
The target enters this code into the phishing page and believes they have passed the 2FA prompt. Unknown to the target, any code would have been accepted in that field, because the phishing page's whole login flow exists only to harvest credentials, not to verify the target's account details.
The code the target enters into this field is immediately visible to the attacker, whose next step is to use it to complete the real login and so gain access to the target's account.
Hard tokens
Hard tokens, probably the second most popular 2FA method, have also proven vulnerable, and sophisticated attackers can get around them.
Hard tokens give a very poor user experience: they are a physical item that you have to keep on you at all times, and you must make sure you don't lose it.
Because the user experience is so awkward, end-users tend to circumvent the control by sharing hard tokens. They do this by filming the token over a webcam or, in some organisations, because of the cost of hard tokens, by issuing one token to a pool of users. These users may be contractors or third-party users, but obviously this defeats the object of using a hard token in the first place.
Voice call interception
Bad actors can intercept 2FA codes even when they are delivered by voice call, using malware that creates a backdoor connection to a command and control (C&C) server.
Once installed on a compromised device, the malware opens the backdoor, collects a list of system-specific information and sends it to the C&C server, which registers the device and assigns it a unique identifier.
Example – Android.Bankosy 2017
This personal-data-stealing malware, Android.Bankosy, steals one-time passcodes delivered by voice-call-based two-factor authentication systems. It works by using the phone's call forwarding feature to hijack the user's mobile device and redirect all voice calls to the attacker's phone.
It is a targeted type of attack: the malware must be installed on the mobile device in order to open the backdoor that gives the attacker access to it.
Knowledge based questions
Knowledge-based questions and answers, such as birthdate, mother's maiden name or town of birth, are easy to obtain through social engineering, since the answers can often be found on social media.
Text message interception
Malware on users’ phones that intercepts SMS messages and sends them to an attacker is also becoming more common.
Example – O2
O2 is a clear example of one-time passcodes being intercepted and exploited. O2 confirmed that some of its customers had their bank accounts drained in a two-stage attack that exploits the Signalling System 7 (SS7) protocol. In other words, the attackers exploited SS7 to intercept the two-factor authentication codes sent to online banking customers, allowing them to empty the accounts.
Push To Accept
Push-to-accept appeals to end-users because of its simplicity: they just have to tap yes or no.
The problem with this approach is human behaviour. We tend to accept authentication requests without reading them, so around 60% of push-to-accept requests are accepted without the end-user realising what they are approving.
Most two-factor authentication technologies don't securely tell the user what they are being asked to approve, so it is too easy for an inattentive user to approve an attacker's transaction without knowing it.
The degree of reliance on third-party services (authentication service providers or telecom companies) is also a factor to consider, since breaches of these services have in the past resulted in authentication failures.
Why Adaptive Authentication Is the Future
There has been a significant shift in how organisations view data security: 62% of organisations now opt for cloud-based managed services to provide their authentication. As phishing threats become more prevalent, it is more important than ever to use additional data points to identify suspicious behaviour and patterns, such as a user's login time and location, device type, network, geographical zone, impossible situations and more, and to turn them into risk-based access decisions.
Adaptive authentication provides world-class security without impacting usability, because the risk checks are carried out without the user even being aware of them, and multi-factor authentication is applied only when risk is detected.
Although multi-factor authentication has reduced the risk from malware and account compromise, the way forward for enterprises protecting large volumes of data appears to be adaptive authentication. Enterprises are looking for a long-term solution, and adaptive authentication takes user behaviour and fits it into a matrix of variables that together form a risk profile of the user; based on that profile, the system demands additional authentication steps before the user is allowed access.
The whole process works in real time and is far more intuitive, with factors such as geo-location and identity assurance combining to make the authentication process robust.
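The risk-based decision described above, written out as an added example (not Mobliciti's product or any vendor's engine): each login attempt is compared with the user's last successful login on device, time of day, network and travel speed, and the score picks allow, step-up MFA or deny. The same check also covers the phishing relay section earlier on the page, since credentials and a 2FA code relayed through a phishing page reach the real site from the attacker's host, not the victim's usual device or location. The weights, thresholds, IP-to-location mapping and sample events are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

@dataclass
class LoginEvent:
    when: datetime      # UTC timestamp of the attempt
    ip: str
    lat: float          # geolocation of the source IP (assumed already resolved)
    lon: float
    device_id: str      # fingerprint or enrolled-device cookie

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def risk_score(prev, cur, known_devices, work_hours=(7, 20), max_kmh=900):
    """Score a login attempt against the user's last successful login.
    Weights and thresholds are illustrative assumptions, not any vendor's values."""
    score, reasons = 0, []
    if cur.device_id not in known_devices:
        score += 40; reasons.append("unknown device")
    if not work_hours[0] <= cur.when.hour < work_hours[1]:
        score += 15; reasons.append("outside usual hours")
    if prev is not None:
        km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
        hours = (cur.when - prev.when).total_seconds() / 3600
        if hours > 0 and km / hours > max_kmh:
            score += 50; reasons.append("impossible travel")
        elif prev.ip.rsplit(".", 1)[0] != cur.ip.rsplit(".", 1)[0]:
            score += 10; reasons.append("new network")   # different /24 than last time
    return score, reasons

def decide(score):  # allow silently, demand a second factor, or block outright
    return "deny" if score >= 50 else "step-up" if score >= 25 else "allow"

# Constructed sample: a London user on an enrolled laptop, then three new attempts.
KNOWN = {"laptop-7f3a"}
LAST_OK = LoginEvent(datetime(2024, 3, 4, 9, 0), "203.0.113.10", 51.5074, -0.1278, "laptop-7f3a")
ATTEMPTS = {
    "office": LoginEvent(datetime(2024, 3, 4, 9, 30), "203.0.113.12", 51.5074, -0.1278, "laptop-7f3a"),
    "home": LoginEvent(datetime(2024, 3, 4, 22, 0), "198.51.100.7", 51.4500, -0.1000, "laptop-7f3a"),
    # Credentials and a 2FA code relayed via a phishing page arrive from the attacker's host.
    "relayed": LoginEvent(datetime(2024, 3, 4, 11, 0), "192.0.2.44", 44.4268, 26.1025, "unknown-0c1"),
}
def evaluate(name):
    score, reasons = risk_score(LAST_OK, ATTEMPTS[name], KNOWN)
    return decide(score), score, reasons
```

The "relayed" attempt is blocked on the unknown device and impossible travel alone, before the correctly relayed 2FA code is ever considered.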
Adaptive Authentication Layers
How can Mobliciti help you?
Mobile technologies have revolutionised our working practices. As Mobliciti's CTO, Andy Brown, has been discussing over the past couple of years, the worlds of mobile and cloud have collided, and users are increasingly using personal cloud services on their mobile devices in preference to traditional work solutions.
Mobliciti wants to help you secure and protect your data using some of the most secure technologies in the industry. Get in touch today to find out how we can give your business adaptive authentication, and how that will not only secure your data but also benefit your business.