Two-Factor Authentication (2FA): Secure or Not?
Passwords are generally considered to be insecure. With the sheer number of accounts that the average person has, remembering a password for each account requires weak passwords, password reuse, or the use of technology like a password manager. Even if someone has good password hygiene, a data breach means that someone’s password could be exposed by circumstances completely outside their control.
Two-factor authentication is a common method of increasing the security of online accounts. By requiring access to a physical object (commonly a cell phone or a specialized authentication token), two-factor authentication means that a weak password or a data breach doesn’t necessarily mean an attacker gains access to an online account.
In this post, we explore three of the common two-factor authentication solutions. By examining the pros, cons, and possible avenues of attack against each method, the reader can select the solution that best meets their security and productivity needs.
One of the most common techniques for two-factor authentication uses SMS messages. When you try to sign into a website, it gives you the option to send a code to your phone that you can then input to the website and get access. This method is the most convenient option for most people, but it also has the most potential for being subverted.
In a nutshell, social engineering is when an attacker uses human psychology to manipulate someone into doing what they want. They can achieve this by being charming and getting their target to like them, creating a sense of urgency that causes the person to not think through the consequences of their actions, or any of several other techniques. Social engineering can be used in a couple of different ways to bypass SMS-based two-factor authentication.
The first way that social engineers can steal a two-factor authentication code from someone is asking for it. Imagine the following sequence of events:
- A social engineer claiming to be from your bank sends a text message claiming that there has been malicious activity on your account and instructs you to text back YES to deal with it. This text message will be spoofed from the phone number that two-factor authentication messages usually come from.
- After you respond YES, the social engineer states that they will text you a verification code and you will receive a call shortly that will need the code to verify your identity.
- The social engineer attempts a login to your bank account and has a verification code sent to your device.
- The social engineer calls and requests the verification code to authenticate you. Using this code, the attacker gains access to your account.
- The attacker performs some meaningless “verification actions” to deflect suspicion, assures you that everything is resolved and hangs up.
- The social engineer drains your bank accounts.
Despite the use of two-factor authentication on your account, the social engineer can gain access simply by asking for the code. Using simple tools like phone number spoofing and a social engineering technique called preloading, the attacker deflects suspicions about their actions and convinces their target to give them what should be secret information.
The best way to defeat this type of attack is to never give verification codes to anyone, no matter how seemingly good their reason is.
Another social engineering technique to defeat SMS-based two-factor authentication doesn’t target you at all. Instead, an attacker calls your telephone service provider while pretending to be you and says you want to port your phone number to another service provider. Typically, the customer service representative will ask a few verification questions, but these are often information that an attacker can learn with minimal effort; like your mother’s maiden name, your address, or the last four digits of your credit card. If the customer service representative asks a question the attacker doesn’t know, they can just call back and try again with another one. Once your number is ported, the attacker receives all your SMS messages directly, making defeating SMS-based two-factor authentication easy.
Most telephone providers allow users to set a PIN number or password to unlock their account. It is a good idea to call in and set this to increase your account’s security. Also, using strong authentication questions is recommended. Consider setting untrue answers to them to trip up attackers but be sure not to forget what you chose!
When downloading the newest game to your smartphone, how often do you check the permissions requested by the app? One permission that apps can request is the ability to read text messages sent to your phone. Sometimes this is for a legitimate reason, like an app wanting to simplify two-factor authentication for you by automatically reading and verifying the authentication code sent to your phone.
But what if the app is malicious? If an attacker manages to install a malicious app on your phone that has access to your message history, the attacker can request a verification code from a website, have the application automatically read your messages and send the code to the attacker, and enter the code to gain access to the site.
When installing a new application on your smartphone, consider carefully whether an app really needs all the permissions it requests. If something looks suspicious, don’t install the app or reject the suspicious permissions. It’s also wise to go through and verify the permissions on existing apps on your smartphone.
The SS7 Network is the way that text messages get to your phone. If an attacker steals credentials to access the SS7 Network, they can read the SMS-based authentication texts being sent to your phone. There isn’t much you can do about this type of attack except move away from SMS-based two-factor authentication.
Authenticator apps are a newer form of two-factor authentication that give a higher level of security than SMS-based authentication. For an authenticator app, you create an account and then associate other accounts with the authenticator app. When you want to log into an account associated with the authenticator app, a verification request pops up on the app. You can then click to confirm or deny the request.
One of the biggest advantages of authenticator apps is the fact that they provide context about the authentication request. This usually includes date, time, IP address, and approximate location. If you’re in the United States but get an authentication request originating from an IP address located in Europe, then the request probably isn’t legitimate.
The biggest risk of authenticator apps is rooted phones and malicious applications. If a malicious application has root-level privileges on a phone, it’s possible that the app could subvert the security of the authenticator application.
Using physical tokens for two-factor authentication requires carrying around something physical to gain access to your accounts. Obviously, this could be a problem if you lose the device; however, if you can hold on to one, it provides a greater level of security for online accounts.
Two main types of physical tokens have become common on the market. The first is a one-time code generator like an RSA SecureID. Some devices will generate a code at the press of a button while others require a PIN number or password. When you want to gain access to an account, the token generates a one-time code that you type in, just like SMS-based authentication. Beyond loss or theft, the main security concern about this technique is social engineering. If an attacker puts together a sufficiently convincing pretext (like the one described in the SMS-based authentication section), it may seem logical to generate a code and give it to the attacker. For code-based physical tokens to be secure, it’s necessary to keep them in a safe place and never provide a generated code to anyone.
The other common type is a USB-based device like a Yubikey. These devices plug into your computer and authenticate you when you try to log into an account associated with the device. The main risk with devices like this is loss or theft. If someone gains access to your Yubikey, they can bypass all your two-factor authentication protections.
Two-Factor Authentication (2FA): Secure or Not?
Two-factor authentication comes in several shapes and sizes with varying levels of protection. The security of all two-factor authentication systems is only as good as their owner’s security. If you give away a one-time authentication code or leave a physical token where it could be stolen, then no two-factor authentication technology is going to be able to protect your accounts. However, if you stay aware and follow best practices, using two-factor authentication is a great way to improve your personal and professional security.
Two-factor authentication comes with varying levels of protection and annoyance. In general, SMS-based authentication is considered insecure and not the best option for protecting yourself. Beyond that, the type of two-factor authentication that is the best fit for you depends on your personal needs. An authenticator app provides an adequate level of security with little additional effort (since most people have their phone with them constantly anyway) while physical tokens are more secure but require keeping track of another physical object.
Sword & Shield offers our Strategic Security Assessment service to provide the critical insight and information you need in order to develop the most effective strategy possible for your organization.
Sword & Shield Enterprise Security’s Strategic Security Assessment (SSA) service is a comprehensive analysis of every aspect of your business as it relates to security. From hiring practices to physical and network security, Sword & Shield partners with you to thoroughly assess the maturity of your security posture.