The trouble with 2fa

With a large percentage of your workforce now working remotely, two-factor authentication (2fa) can make them (or your company data) safer online. But how you're doing it now probably isn't helping much at all.

Multifactor authentication  >  Mobile phone verification of a permission request for laptop login.
Aurilaki / Your Photo / Getty Images

I use a lot of online services on a lot of different PCs and smartphones. Every day, I would get a handful of two-factor authentication (2FA) text messages from Google, Microsoft, WordPress, etc., etc. And, while I know that this kind of 2FA isn't security theater, I also know it's not really secure either.

Yes, 2FA can help preserve your security, but it's not a security panacea. Here's what it is, what it's good for, and, how, far too often, it can be broken leaving your accounts wide open to attack.

What is 2FA?

Like them or not, user IDs and passwords "secure" our services. Unfortunately, even if we do the right thing and use unique passwords for every blessed website, computer, or service, one-factor authentication (user ID/password) simply isn't enough for any kind of real security.

At last count, one or more of my accounts have appeared in over two dozen different security breaches. Check your own e-mail ID and shudder. Not all those security break-ins include my passwords, but enough of them do to make me painfully aware that I must change my passwords every couple of months. And, even then, there's still a very real chance that one or more of my accounts will be open to attack. 

2FA is the most common way to protect your account from hackers. Even if you've never used it on a computer, you almost certainly used it in real life. For example, every time I fuel up with a credit card at a gas pump, I have to enter my zip code. Or, whenever I get cash from an ATM, I need both my bank card and my personal identification number (PIN). These transactions use both a physical factor, my card, and a knowledge factor, my ZIP code or PIN.

Commonly 2FA requires you to have two out of three kinds of credentials to access an account. These are the following:

  • Something you know or can be given, this is commonly a one-time PIN.
  • Something you have, such as a secure ID card or a hardware security key.
  • Something you are, these are biometric factors such as a fingerprint, retinal scan or voice print.

The good

Behind the scenes, most 2FA approaches rely on one of two standards: HMAC-based One Time Password (HOTP) and Time-based One Time Password (TOTP).

Log in or subscribe to read the full 1,894-word article. 

 

I use a lot of online services on a lot of different PCs and smartphones. Every day, I would get a handful of two-factor authentication (2FA) text messages from Google, Microsoft, WordPress, etc., etc. And, while I know that this kind of 2FA isn't security theater, I also know it's not really secure either.

Yes, 2FA can help preserve your security, but it's not a security panacea. Here's what it is, what it's good for, and, how, far too often, it can be broken leaving your accounts wide open to attack.

What is 2FA?

Like them or not, user IDs and passwords "secure" our services. Unfortunately, even if we do the right thing and use unique passwords for every blessed website, computer, or service, one-factor authentication (user ID/password) simply isn't enough for any kind of real security.

At last count, one or more of my accounts have appeared in over two dozen different security breaches. Check your own e-mail ID and shudder. Not all those security break-ins include my passwords, but enough of them do to make me painfully aware that I must change my passwords every couple of months. And, even then, there's still a very real chance that one or more of my accounts will be open to attack. 

2FA is the most common way to protect your account from hackers. Even if you've never used it on a computer, you almost certainly used it in real life. For example, every time I fuel up with a credit card at a gas pump, I have to enter my zip code. Or, whenever I get cash from an ATM, I need both my bank card and my personal identification number (PIN). These transactions use both a physical factor, my card, and a knowledge factor, my ZIP code or PIN.

Commonly 2FA requires you to have two out of three kinds of credentials to access an account. These are the following:

  • Something you know or can be given, this is commonly a one-time PIN.
  • Something you have, such as a secure ID card or a hardware security key.
  • Something you are, these are biometric factors such as a fingerprint, retinal scan or voice print.

The good

Behind the scenes, most 2FA approaches rely on one of two standards: HMAC-based One Time Password (HOTP) and Time-based One Time Password (TOTP).

HOTP, the older of the two, relies on two pieces of data. The first is the secret key, aka "seed," and the second is a counter. The counter is incremented every time a user generates a new secure token. Typically, a Hash based Message Authentication Code (HMAC) algorithm generates a six or eight decimal token using Secure Hash Algorithm (SHA-1). This token is then what you enter to access a site or service. HOTP tokens may be valid for a relatively long time -- say 10 minutes -- depending on the 2FA implementation.

TOTP is based on HOTP. But, instead of using a moving factor, it uses the time since the beginning of the Unix epoch to increment the counter with 30 to 120-second timesteps. For users, this means that each 2FA token is only valid for the timestep's duration.

Of the pair, TOTP is more secure. An attacker has only a short window of time to crack a system. On the other hand, a thumb-fingered user might have trouble entering the token in the time allowed. Both methods are commonly used in 2FA programs.

A still stronger form of 2FA is the FIDO Alliance's  FIDO2 Universal 2nd Factor (U2F) standard. U2F was created by Google and Yubico, with support from NXP Semiconductors. Here the token is kept in a secure hardware key. This then connects with your computer via USB, NFC, or Bluetooth.

But, as the saying goes, "Security isn't a product, it's a process." Even U2F fobs have been found to contain security problems. And, it appears nation-state hackers have even got around hardware resident security 2FA keys. Still, Google has claimed that no one has been phished at their company since their staffers now all must use physical security keys. For the best possible 2FA security, U2F is the way to go.

Taken all-in-all, all these technologies are stable and reasonably secure. At heart, 2FA works well and can keep your accounts safe from attackers.

The bad

The problem with 2FA isn't 2FA itself. It's how it's deployed. If an attacker can break any link in the 2FA chain, he can break into your systems.

Some of the methods recently used to crack 2FA are good old phishing and social engineering. For example, in 2018, well-known hacker Kevin Mitnick of KnownBe4, demonstrated how easy it was to trick a user into giving up his 2FA token for a given site.

In this credentials phishing attack, you get a message telling you to visit a site you already use. If you looked closely, you'd see the linked site wasn't really the one you thought it was but one hiding behind a typo-squatting domain. But, if you're in a hurry, you click it anyway. You're then presented with what looks like your destination and you're asked for your user ID and password. The malicious site then passes it on to the real site and it responds with a 2FA token. This, in turn, generates a session cookie, which allows secure access to the real site.

Ta-da! Armed with the session cookie, Mitnick using Chrome, visited the target site, opened Chrome DevTools, and pasted the session cookie into the console. One web browser refresh later, he was in the site and free to do whatever he liked.

In short, 2FA can't stop human stupidity.

Similar attacks, such as Charming Kitten, add polish to the basic technique. Here the fake emails and phishing websites look more like the real thing. Once on the page, attackers watched users in real time enter their data and then points to another page where the victim enters the token. Armed with that, the attackers enter it on the real page, and, once again, 2FA has been circumvented.

More recently Modlishka, a reverse-proxy program, automates attacks and makes them much harder to spot. Modlishka, Mantis in English, sits between you and whatever website you're trying to log in on. The program simply passes all the real website traffic and content to you…  and then intercepts it all.

Polish security researcher Piotr Duszyński, who thinks of it as a penetration testing tool, said, “With the right reverse proxy targeting your domain over an encrypted, browser-trusted, communication channel one can really have serious difficulties in noticing that something was seriously wrong.” He added, it's "sort of a game-changer, since it can be used as a 'point and click' proxy, that allows easy phishing campaign automation with full support of the 2FA (an exception to this is U2F protocol based tokens).

The result, as Amnesty International put it in a warning to human rights workers, is you must be wary. "Don’t be mistaken, two-factor authentication is important and you should make sure you enable it everywhere you can. However, without a proper understanding of how real attackers work around these countermeasures, it is possible that people are misled into believing that, once it is enabled, they are safe to log into just about anything and feel protected." They're not.

The ugly

The most common method is to combine your user ID/password combo with an SMS text message to your phone. It's also the poorest way to deploy 2FA.

How bad is text-based 2FA? The National Institute of Standards and Technology (NIST) warns users that you're taking a risk if you use text-based 2FA for protection. Many security experts go further. They think you should stop using text-based 2FA period.

Why? Because there are so many ways to break it.

Wireless carriers are the weakest link. It's way too simple to intercept 2FA texts.

One popular attack these days is SIM swapping. Here's how it works. Your phone's SIM card connects your phone to your cell phone provider’s cellular network. Within it, there's your phone’s unique identifying number, International Mobile Subscriber Identity (IMSI), your phone number, and other personal and phone data.

A hacker will obtain your phone number, carrier name, your logon name and password/PIN. The first three pieces are easy, and since phone PINs are only 4-digits long, that's not much trouble to get either.

Thus armed they'll call your provider’s tech support, pretend to be you, and ask that your phone number be redirected to "your" new phone. Or, an attacker might just go to a mobile phone shop and have a "helpful" assistant cancel the SIM in your "missing" phone and activate your account in a new phone.

Sound far-fetched? Think again. It happens all the time. Just ask Jack Dorsey, Twitter's CEO. Dorsey's own Twitter account was hijacked thanks to a SIM swap attack. With these attacks, until the SIM is cancelled, all your 2FA tokens are in an enemy's hands.

Yet another way exploit smartphones is by text spoofing. With this method, you get a text, which appears to come from a reasonable source, say your accountant, asking for a 2FA token to your bank account so they can work on your business books. Simultaneously, the attacker starts to log into the site. Then, when you send him the 2FA token, he can walk right in and start vacuuming out your money.

All these methods require human interaction to work. Security holes in the SS7 network, which telecoms use to manage calls and texts between phone numbers, can happen invisibly. SS7 security holes have been used in the past to intercept text messages without hacking the phone. For example, an SS7 attack was used to empty people's bank accounts at a UK bank in 2019.

That's an awful lot of ways SMS 2FA protection can fail isn't it? The moral of the story is to avoid using SMS for authentication.

Really protecting yourself with 2FA

Enough of the bad and the ugly. The good news is that there are two effective ways to protect yourself properly with 2FA.

The first is to use U2F hardware. You can buy these devices for $20 to $60. Some of the best to consider are Google Titan Key, Kensington VeriMark Fingerprint Key, Thetis Fido UCF Security key, Yubikey 5 NFC and YubiKey 5C. Just plug them into your computer, and you're ready to go.

2FA authenticator apps are also helpful and relatively safe. You can run these off your smartphone without the dangers of SMS. Popular options include Authy, Google Authenticator, LastPass Authenticator and Microsoft Authenticator.

These all work basically the same way. When you add a new account, you scan in its QR code. This is then saved. When you next login, you'll be asked for a 2FA token. Then, you just open up the app to find the digits you need to log into your account. It's not that much different than using texting for 2FA, but it's a whole lot safer.

The bottom line is nothing's perfectly safe in this dangerous online world of ours. But, used properly, 2FA security can make you safer.