Is 2FA broken?

Recently, a series of articles and reports has cast doubt on the effectiveness of 2FA (two-factor authentication). Their conclusions differ, ranging from “You’re stuck” (sensationalist news reports that “Researchers have broken 2FA”), to “Switch to cryptography-based MFA now!” (a report commissioned by the FIDO Alliance from Javelin Group), to the more nuanced “2FA is probably better than nothing but we wish we knew more” (Josephine Wolff’s opinion piece in the NYT). Their starting point, however, is the same: something is broken with 2FA. It might not be the strong protection we thought it was. Maybe it was a bitter (for users) and costly (for companies) drug that gave us a (compliance-driven) feeling of security, a mere placebo pill.

Let’s take a step back. Why is 2FA being criticized now, and how doomed is it?

Rising attacks on authentication have now reached 2FA

Until recently, 2FA was considered a way to protect applications, i.e., a solution, not a problem or a target for attackers. The shift that these articles and reports reflect is simply a consequence of the growing sophistication of attacks against authentication.

When the mainstream authentication method was the password, attacking authentication meant obtaining user passwords: either by brute-forcing weak passwords from a breached database (hashed, in the better cases), or by luring users into revealing them through scams and ‘simple’ phishing pages that merely collected credentials for later use. 2FA blocked these attacks, because a one-time, unpredictable code is worthless by the time a breach or an offline phishing kit gets around to replaying it: there is no benefit in designing attacks whose goal is to obtain and store such secrets. In this sense, 2FA has been, and still is, successful.

However, attackers were not going to give up so easily. They have adapted to the new reality by designing attacks that take 2FA into account.

A first type of attack specifically targets SMS and email OTPs by intercepting the one-time codes sent to the user: by compromising the delivery network (e.g., the SS7 signalling network), by corrupting the “verified address” database (so that the code is sent to an attacker-controlled number or mailbox), or by installing malware on the user’s device. Now that these attacks are automated and carried out successfully at scale, SMS OTP is no longer adequate for sensitive applications, and standards bodies and regulators such as NIST or the European Banking Associations are urging organizations to move away from it. This is hardly a surprise: SMS OTP has always been known to be vulnerable to these attacks, but banks (among others) deployed it massively as a simple and (supposedly) inexpensive measure against online fraud. There was a window for SMS OTP because of the delay between the moment researchers demonstrate that an attack is feasible and the moment criminals “industrialize” it for financial gain. That window is now closed, but all in all, SMS OTP will have been relatively effective.

A second type of attack targets more advanced 2FA methods, including OTP tokens (hardware tokens and soft tokens) and push-based notifications. It still relies on phishing, but now the attacker also establishes, in real time, a back-to-back session with the targeted application: the phishing page relays the victim’s username and password to the genuine login, and whatever the victim submits next is forwarded within seconds. By entering a one-time code generated by an OTP token, or by approving a connection request received via a notification (push, email, SMS), the user authorizes the attacker’s session instead of their own. The code is genuine and fresh, so the application has no way of telling that it arrived through the attacker’s session rather than the user’s. Unlike the attack on SMS OTP, which had been common knowledge for a long time, this second attack has startled many (including, allegedly, well-known solution vendors promoting OTP tokens and push-based notifications, who never warned anyone of the limits of these authentication methods), and it has triggered most of the articles and reports mentioned in this post.
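The two situations described above, as an added simulation that is not part of the original post and is not inWebo’s code: a TOTP verifier that rejects a code captured earlier (why stored one-time codes have no value), the same verifier accepting a code relayed by a real-time phishing proxy (why OTP tokens do not stop this second attack), and an origin-bound challenge/response in which the relay fails. The RFC 4226/6238 test-vector key is used as the demo user’s seed so the first result can be checked against the RFC; the origins, user and device key are constructed. The origin-bound part uses a symmetric device key for brevity; FIDO/WebAuthn authenticators use a per-site asymmetric key pair and obtain the same binding.

```python
"""Added example: replay rejection, real-time relay against TOTP, and origin binding.
Standard library only; origins and keys below are constructed for the demo."""
import hashlib
import hmac
import secrets
import struct

TOTP_SECRET = b"12345678901234567890"   # RFC 4226/6238 test-vector key, standing in for one user's seed
STEP = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the time-step index as the counter."""
    return hotp(secret, at // step)


class TotpServer:
    """Accepts the current step plus one step of skew either way, and never a step already used."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_step = -1

    def login(self, code: str, now: int) -> bool:
        step = now // STEP
        for s in (step - 1, step, step + 1):
            if s > self.last_step and hmac.compare_digest(totp(self.secret, s * STEP), code):
                self.last_step = s
                return True
        return False


def stolen_code_is_useless(now: int) -> bool:
    """A code captured minutes ago is outside the window; a code the user already spent is
    refused even inside the window. Returns True when both are rejected."""
    server = TotpServer(TOTP_SECRET)
    old = totp(TOTP_SECRET, now - 10 * STEP)          # harvested five minutes earlier
    fresh = totp(TOTP_SECRET, now)
    assert server.login(fresh, now)                    # the user's own login goes through
    return (not server.login(old, now)) and (not server.login(fresh, now))


def relay_attack_on_totp(now: int) -> bool:
    """Real-time phishing: the victim types the code into the attacker's page and the attacker
    submits it to the real server in the attacker's own session. True means the attacker is in."""
    server = TotpServer(TOTP_SECRET)
    victim_types = totp(TOTP_SECRET, now)             # typed into the look-alike page
    return server.login(victim_types, now + 2)         # forwarded a couple of seconds later


GENUINE_ORIGIN = "https://login.example.test"          # constructed
PHISH_ORIGIN = "https://login-examp1e.test"            # constructed look-alike


class OriginBoundServer:
    """Response must be a MAC over (challenge || origin), computed by the server with ITS origin."""
    def __init__(self, device_key: bytes, origin: str):
        self.device_key = device_key
        self.origin = origin
        self.issued = set()

    def challenge(self) -> bytes:
        c = secrets.token_bytes(32)
        self.issued.add(c)
        return c

    def login(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self.issued:
            return False
        self.issued.discard(challenge)                 # single use
        expected = hmac.new(self.device_key, challenge + self.origin.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def authenticator_sign(device_key: bytes, challenge: bytes, origin_seen_by_browser: str) -> bytes:
    """The client binds the origin it is really talking to; the user cannot be tricked into changing it."""
    return hmac.new(device_key, challenge + origin_seen_by_browser.encode(), hashlib.sha256).digest()


def relay_attack_on_origin_bound() -> bool:
    """Same proxy: attacker fetches a real challenge, shows it to the victim on the phishing
    origin, forwards the response. True means the attacker is in."""
    key = secrets.token_bytes(32)
    server = OriginBoundServer(key, GENUINE_ORIGIN)
    c = server.challenge()                             # attacker's session with the real server
    return server.login(c, authenticator_sign(key, c, PHISH_ORIGIN))


def genuine_login_origin_bound() -> bool:
    key = secrets.token_bytes(32)
    server = OriginBoundServer(key, GENUINE_ORIGIN)
    c = server.challenge()
    return server.login(c, authenticator_sign(key, c, GENUINE_ORIGIN))


if __name__ == "__main__":
    now = 1_700_000_000
    print("RFC 6238 vector, T=59:", totp(TOTP_SECRET, 59))                       # 287082
    print("stolen or reused TOTP rejected:", stolen_code_is_useless(now))        # True
    print("real-time relay beats TOTP:", relay_attack_on_totp(now))              # True
    print("real-time relay beats origin binding:", relay_attack_on_origin_bound())  # False
    print("genuine origin-bound login:", genuine_login_origin_bound())           # True
```

The point of the second half is that nothing the user does or sees changes: the relay fails only because the client computes its response over the origin the browser is actually connected to, and the genuine server checks against its own. A push approval or a typed OTP carries no such binding, which is why the same proxy succeeds against them.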

How 2FA will save 2FA

As with passwords and SMS OTP before them, the inability of OTP tokens and push-based notifications to withstand real-time phishing calls for a new kind of solution. Actually, not just a solution, unless we want the same story to repeat over and over. To avoid that, we need to stop considering 2FA as inherently secure (or inherently no longer secure) and understand that there are different kinds of 2FA solutions, each with benefits but also with known weaknesses that will sooner or later be exploited by attackers. Furthermore, we need to adopt a risk-based approach. For instance, a client-based VPN exposes no web login page for an attacker to clone and relay, so it is far less exposed to phishing; the 2FA solution protecting it therefore does not need to be phishing-resistant, and the solutions already out there may well be good enough.

Bad things happen not just because of insufficiently secure solutions; they happen in the first place because of inadequate solutions and implementations. If you are an organization looking for an MFA solution to protect your applications, make sure that the vendors you are considering give you a security analysis in plain English, one that states which attacks the method withstands and which it does not, rather than marketing statements, cryptography handbooks or analysts’ endorsements: those won’t protect your organization.

inWebo’s security analysis is available at www.inwebo.com/security. As you will see, there are more ways to “break 2FA” than in your worst nightmares. But, just as every cloud has a silver lining, depending on your actual use cases and acceptable risks, you will still find effective and inexpensive ways to protect your organization with 2FA.

Written by Didier Perrot