Some types of two-factor authentication (2FA) security can no longer be guaranteed to keep the bad guys out, the FBI is reported to have warned US companies in a briefing note circulated last month.
FBI reporting identified several methods cyber actors use to circumvent popular multi-factor authentication techniques in order to obtain the one-time passcode and access protected accounts.
The simplest and therefore most popular bypass is SIM swap fraud, in which the attacker convinces a mobile network (or bribes an employee) to port a target’s mobile number, allowing them to receive 2FA security codes sent via SMS text.
Naked Security now regularly covers this kind of hack, almost always because it was used to empty people’s bank accounts, steal cryptocurrency from wallets or exchange accounts, or to attack services such as PayPal.
From the victim’s point of view, it’s the ultimate gotcha – a security weakness caused by the failings of a service provider they can do little to prevent.
A second technique is the man-in-the-middle phishing attack that tricks people into entering their credentials and OTP code into a fake site which then instantly passes it to the real one. A good example of this is last months’ attack on YouTube users, some of whom had 2FA turned on.
More advanced still is session hijacking where the site is genuine, but the credentials and codes are stolen from traffic travelling to and from the user.
According to the FBI, in one case from 2019, a security vulnerability on the website of a bank allowed a hacker to bypass PIN and security questions after phishing basic credentials.
Warning overload
Do US companies really need warnings that 2FA isn’t perfect from the Feds?
More likely, they already understand the risks but adopt the pragmatic stance that 2FA security based on SMS, PINs and codes still works well for their customers and employees most of the time.
On that point, they are correct – using any form of 2FA is always better than relying on a password and username on its own.
The question is what the broader mass of end users will make of all this. Although sounding the alert isn’t a bad policy per se, there’s always a risk of exaggerating the everyday risk to users.
Perversely, that might deter the very people who would benefit from 2FA, namely the large majority who don’t use it in the first place.
Meanwhile, anyone who wants the strongest possible 2FA security will probably have to consider using FIDO2 hardware tokens, a technology that has yet to be undermined by hackers in real-world attacks.
Longer term, the solution might be to make the authentication part of logging in the primary process using a standard such as WebAuthn, which allows websites and devices (including smartphones, biometrics, Windows Hello, etc) to authenticate one another.
The plus of this approach is that users will authenticate themselves without having to really do anything, or even know this process is happening at all.
That might lead in time to the ultimate security technology – one that is so invisible even hackers struggle to see it.
Cvnk
Another thing people should be wary of is a site that offers a quality 2FA option to secure your account while also relying on SMS as an alternative. Basically this means your account is ONLY protected by the weaker SMS method.
Paul Ducklin
You get a similar issue with sites that offer an out-of-band message-reply system (where there is no app-based code needed from your phone, so no 2FA secret seed that could get spilled), but also have an option to choose ‘use a code instead’. When two different authentication systems can be chosen by the user… well, as you say, you end up with the attack surface area of both.
Bart
My bank is resisting the use of security keys. What would be a good alternative to use to secure my accounts? They are using SMS for my 2fa.
Paul Ducklin
If it truly is *two*-FA, thus a password you get to choose (e.g. via a password manager) plus an SMS code, I would suggest adopting the SMS codes even if you would prefer something different…
…but keep pestering them about supporting other options, too. In my opinion, password plus SMS code is better than password alone (providing that adopting the SMS code does not increase your liability – I have never seen a case where it does) but the fact that NIST in the US is saying, “Move away from SMS” is a good argument for you banks to add newer 2FA schemes soon…
Bart
Thanks, Paul!
JW
“On that point, they are correct – using any form of 2FA is always better than relying on a password and username on its own.”
Not necessarily. If a second weak factor allows for additional hacks, then it is worse. Most KBA approaches store a lot of this stuff and it can be repurposed easily once accessed. KBA approaches are riddled with holes that ultimately can’t be fixed using decades-old auth technologies. It is impossible to actually know, for example, if when a person authenticates with a device – and that process verifies the device itself, not the user to the account – if who is on the other end is legitimate. Major, fundamental problem.
KBA is done. The focus on solutions must shift to advanced biometrics with AI-driven liveness detection to quash these problems. This is the most effective way to ensure the user is both correct and alive during the access request.
Paul Ducklin
The real annoyance for me comes when a system requires me to give a password (stored securely as a salted-hashed-and-stretched value, not in plaintext) *and* to put in a one-time code, for example one sent by SMS (I don’t mind SMS two-factor – there’s no shared secret needed; you get automatic notification if your password is abused; and you have a fighting chance of detecting a SIM swap)…
…*or* requires me to provide a ‘recovery answer’ to a security question picked from a list of drivel such as ‘where did you go to school’ (which 1000s of people know already and 1,000,000s can easily figure out) or ‘what was your first car’ (see proud pics on social media).
In other words, there exist security systems that require (a genuine secret AND a one-time code) OR (some semi-obvious non-secret).
chrispaterson49
You don’t need to tell the truth about what your first car was though. Just make something up, it doesn’t even need to be the name of a car.
John E Dunn
But if a weak second factor allows for additional attacks then the attacker would still need the password and username. And if the attacker has that then the fact the second factor has a weakness is bad but not actually worse!
Arnnei
sms otp is not 2FA and never was. it is a 1FA unless done as a second factor authentivation – in addition to a password. Sim swap wont work if 2fa is implemented correctly. Phishing is a real problem. but there are solutions that will warn you when you enter a phishing site. use them.
John E Dunn
I’m going to dodge the semantics here and maintain that the password is factor 1 and the SMS is factor 2. Whether that means they’re secure is a different matter.
J K Birks
Hardware tokens or FIDO keys are a more secure option. Alternatively authentication apps such as google authenticator or micorsoft authenticator can also be used.
Lamara Johnson
I agree with the the author on how it depends on the type of user and if they feel that a 2FA is necessary for their type of use. I also agree with the fact that Hardware Tokens are more heavy duty and reliable in regards to keeping hackers out completely. I have experience with using Hard Tokens and Soft Tokens for my employment purposes. The Soft Token is technically a link in which the employer sends to you and it prompts you to download the required passcode app in order to log into the employer’s portal. My employer also recommends using a Hard Token as a back-up because it authenticates numerous passcodes as while, just like the soft token. Though at least the hard token is in the user’s physical possession and can not be known by a hacker on what/which passcode app to use it on.
Paul Ducklin
The disadvantage of some (currently, perhaps most) hard tokens over app-based ones is that there isn’t any “logon protection” for the hard token itself. Hard tokens tend not to have their own keypads or biometric security, so someone who steals your token can use it just like you can, without needing to provide some secret data *directly to the token* (i.e. not typed in on your laptop).
Tokens with keypads were never popular because of their bulk; tokens with a fingerprint reader are starting to appear bnut aren’t yet popular because they’re expensive.
Soft tokens on mobile phones can be shielded by the security of the phone itself, which tends to be pretty strong these days.