Credentials for online services and various computer systems have been exploited like every other piece of stolen property in the modern era: A criminal steals them, tries to use them, then sells them to someone else who might have more use for them. This results in billions of dollars being stolen; look no further than the FBI’s annual IC3 report highlighting that, in 2018 alone, business email compromise accounted for more than USD 1.2 billion being stolen. What if, when these cybercriminals steal our credentials, they can’t then take over our accounts? What if a password wasn’t the only barrier to entry for your bank account?
ENTER SCENE: TWO-FACTOR AUTHENTICATION (2FA).
Digital Shadows’ Photon Research team has attempted to wipe out the uncertainty clouding 2FA, for people and organizations thinking of deploying or building a 2FA solution, or just wanting to check that they’re getting the greatest value out of their current 2FA implementation. For security managers and practitioners, we have assessed 2FA and its various implementations. We’ve also provided descriptions and demonstrations of practical attacks against 2FA with, as always, straightforward mitigation techniques, to allow you to critically gauge whether you could be doing more to protect your assets online. Some of our key findings:
- 2FA is a complex and nuanced mechanism created to deal with the problem of credential theft and subsequent reuse, and it’s used for online banking, e-commerce, social media, and other platforms. So far, it’s the best defense we have against cybercriminals phishing for our credentials or coaxing them out of us through some other social engineering means.
- Smart cards are one 2FA option, offering strong security properties with their chips storing digital certificates, but deploying them enterprise-wide can be daunting.
- SMS tokens have caught on like wildfire, sending a code to your mobile phone that you can use for your secondary login factor. But they can be intercepted by an attacker or otherwise manipulated, compromising the security process.
- Time-based One-Time Passwords (TOTP), generated cryptographically by software or a hardware token, build security through short-lived numeric codes used for account logins. But social engineering can negate this solution, too, as can the physical vulnerability of the tokens (they are subject to loss, battery drain, and breakage).
- Universal Second Factor (U2F) hardware tokens are leading the pack of 2FA solutions, by authenticating the server used in the login communication. Because the user doesn’t need to enter their credentials when logging in, attackers can’t grab them by cloning or impersonating a website.
- What’s really standing in the way of 2FA as the end-all, be-all mitigator of account takeovers is the challenge of implementing it in companies’ internal systems and, more crucially, the ruthless attackers who constantly devise new ways to exploit 2FA. Who mitigates when the mitigator’s attacked...?
- You do. The Photon Research Team has distilled the top methods of 2FA attackers into practical advice for you to shield yourself against them, examining: SS7 hijacking, token capture and relay, WebUSB versus U2F, credential theft that enables 2FA bypass, using application programming interfaces (APIs) to bypass 2FA, and social engineering. There are practical steps you can take to avoid most of these scenarios that threaten your valiant 2FA efforts.