Sophos News

Hackers bypassing some types of 2FA security FBI warns

Some types of two-factor authentication (2FA) security can no longer be guaranteed to keep the bad guys out, the FBI is reported to have warned US companies in a briefing note circulated last month.

FBI reporting identified several methods cyber actors use to circumvent popular multi-factor authentication techniques in order to obtain the one-time passcode and access protected accounts.

The simplest and therefore most popular bypass is SIM swap fraud, in which the attacker convinces a mobile network (or bribes an employee) to port a target’s mobile number, allowing them to receive 2FA security codes sent via SMS text.

Naked Security now regularly covers this kind of hack, almost always because it was used to empty people’s bank accounts, steal cryptocurrency from wallets or exchange accounts, or to attack services such as PayPal.

From the victim’s point of view, it’s the ultimate gotcha – a security weakness caused by the failings of a service provider they can do little to prevent.

A second technique is the man-in-the-middle phishing attack that tricks people into entering their credentials and OTP code into a fake site, which then instantly passes them on to the real one. A good example of this is last month’s attack on YouTube users, some of whom had 2FA turned on.

More advanced still is session hijacking where the site is genuine, but the credentials and codes are stolen from traffic travelling to and from the user.

According to the FBI, in one case from 2019, a security vulnerability on the website of a bank allowed a hacker to bypass PIN and security questions after phishing basic credentials.

Warning overload

Do US companies really need warnings that 2FA isn’t perfect from the Feds?

More likely, they already understand the risks but adopt the pragmatic stance that 2FA security based on SMS, PINs and codes still works well for their customers and employees most of the time.

On that point, they are correct – using any form of 2FA is always better than relying on a password and username on its own.

The question is what the broader mass of end users will make of all this. Although sounding the alert isn’t a bad policy per se, there’s always a risk of exaggerating the everyday risk to users.

Perversely, that might deter the very people who would benefit from 2FA, namely the large majority who don’t use it in the first place.

Meanwhile, anyone who wants the strongest possible 2FA security will probably have to consider using FIDO2 hardware tokens, a technology that has yet to be undermined by hackers in real-world attacks.

Longer term, the solution might be to make the authentication part of logging in the primary process using a standard such as WebAuthn, which allows websites and devices (including smartphones, biometrics, Windows Hello, etc.) to authenticate one another.
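To make the contrast between the relay phishing described above and an origin-bound standard like WebAuthn concrete, here is an added toy simulation (not code from the article or from any real WebAuthn library). It assumes two constructed origins, uses HOTP for the code-based side and an HMAC in place of the authenticator’s public-key signature, and models only the relying party’s challenge and origin checks; a real browser would additionally refuse to use the credential at all on a domain that does not match its registered RP ID.

```python
import hashlib
import hmac
import json
import os

REAL_ORIGIN = "https://bank.example"         # constructed: the genuine site
PHISH_ORIGIN = "https://bank-login.example"  # constructed: the attacker's relay site


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: a six-digit code that says nothing about where it is typed."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


def sign(key: bytes, client_data: dict) -> bytes:
    """HMAC stands in for the authenticator's private-key signature over clientDataJSON."""
    blob = json.dumps(client_data, sort_keys=True).encode()
    return hmac.new(key, hashlib.sha256(blob).digest(), hashlib.sha256).digest()


def authenticator_respond(key: bytes, challenge: str, browser_origin: str):
    """The browser fills in the origin it is really on; the user cannot change it."""
    client_data = {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin}
    return client_data, sign(key, client_data)


class RelyingParty:
    def __init__(self, origin: str, otp_secret: bytes, key: bytes):
        self.origin, self.otp_secret, self.key, self.pending = origin, otp_secret, key, set()

    def verify_otp(self, counter: int, submitted: str) -> bool:
        return hmac.compare_digest(hotp(self.otp_secret, counter), submitted)

    def issue_challenge(self) -> str:
        challenge = os.urandom(16).hex()
        self.pending.add(challenge)
        return challenge

    def verify_assertion(self, client_data: dict, signature: bytes) -> bool:
        """WebAuthn-style checks: unused challenge, expected origin, valid signature."""
        if client_data.get("challenge") not in self.pending:
            return False
        if client_data.get("origin") != self.origin:  # the check that defeats a relay
            return False
        if not hmac.compare_digest(sign(self.key, client_data), signature):
            return False
        self.pending.discard(client_data["challenge"])
        return True


def relay_attack(rp: RelyingParty) -> tuple:
    """Fake site forwards whatever the victim produces; returns (otp_accepted, webauthn_accepted)."""
    otp_accepted = rp.verify_otp(42, hotp(rp.otp_secret, 42))  # code the victim typed on the fake page
    client_data, sig = authenticator_respond(rp.key, rp.issue_challenge(), PHISH_ORIGIN)
    return otp_accepted, rp.verify_assertion(client_data, sig)
```

The relayed OTP is accepted because the code carries no information about where it was entered, while the relayed assertion is rejected because the browser wrote the phishing origin into the signed client data.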

The plus of this approach is that users will authenticate themselves without having to really do anything, or even know this process is happening at all.

That might lead in time to the ultimate security technology – one that is so invisible even hackers struggle to see it.