Why 2-factor authentication isn't foolproof

Breaches happen—even with 2-factor authentication. Learn how to protect your organization from security breaches.


I've worked with two-factor authentication (2FA) for years, primarily using VPN connections and access to highly secure systems. It works via a something-you-have-plus-something-you-know mechanism whereby users enter a PIN/password followed by the numbers displayed on a secure token device.

The goal is to make it impossible for attackers to access secured systems and accounts, but it's not perfect. I spoke about 2FA vulnerabilities and prevention tips with two security solutions providers: Stephen Cox, vice president and chief security architect at SecureAuth; and Bojan Simic, co-founder and CTO, HYPR.


Is 2FA secure?

Scott Matteson: How secure is 2FA?

Stephen Cox: Consumers and workforce users continue to use 2FA to protect against identity theft and corporate data breaches, but they should not be lulled into a false sense of security. 2FA is definitely a step in the right direction in today's threat landscape, but the path to stronger security and true peace of mind goes far beyond basic 2FA.

Bojan Simic: 2FA exists across many organizations, but there are extremely low adoption rates because of the cumbersome user experience. Companies are starting to provide both consumers and employees strong authentication capabilities that reduce friction and aren't susceptible to automated attacks, as 2FA currently is.  

Scott Matteson: What are some recent attacks which bypassed 2FA?

Stephen Cox: These attacks are growing. Several notable incidents have occurred in the past year alone.

In November of 2018, a database breach involving communications firm Voxox exposed more than 25 million text messages, which contained private customer information including password reset links, shipping notifications, and 2FA codes.

In August 2018, several Reddit employee accounts were breached, allowing the attacker to access back-up data. This prompted Reddit officials to write, "We learned that SMS-based authentication is not nearly as secure as we would hope."

Bojan Simic: Modlishka is a tool that allows for the automation of attacking shared secrets-based 2FA. There are also PUSH attacks, which are becoming more popular as PUSH notifications are used to approve authentication requests. 


How 2FA attacks work

Scott Matteson: How did these 2FA attacks work?  

Stephen Cox: Some of these attacks are blatantly simple when 2FA is the only security measure in place. In fact, attackers can use upwards of a half-dozen methods to bypass 2FA. These include:

  • Real-time phishing, in which attackers send emails, make calls and develop replica websites to impersonate others and lure authentication details from users.
  • Text and call interception, a loophole in the Signaling System 7 (SS7) protocol used by phone carrier networks through which attackers can intercept messages sent to mobile phones.
  • Malware, the term for malicious code installed on PCs, tablets, and smartphones via open doors through which attackers can copy and forward one-time 2FA passcodes.
  • Notification fatigue, which is particularly effective when users receive multiple fake authentication requests and only need to click "accept." Annoyed users will often accept the request simply to remove the notification.
  • Knowledge-based authentication, also known as "shared secrets," is another form of social engineering in which attackers use easily accessible personal information to gain access to a service such as a bank.
  • Phone porting fraud (aka SIM card swap), in which a cybercriminal convinces a phone carrier to transfer control of the victim's SIM card, compromising all future phone-based authentication.

Bojan Simic: Tools like Modlishka work by impersonating a domain and acting as a proxy so that the user sees what looks like a legitimate site and is tricked into providing their 2FA. 

PUSH fatigue attacks are becoming significant because there is a growing assumption that the password was already compromised. The PUSH attacks basically spam the victim with notifications to authenticate until they get tired of it and accept one. When deployed on a mass scale, even a low success rate of less than 3% is significant. 
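A detection sketch for the push-fatigue pattern described above, added here as an example and not taken from either interviewee or their products. The log format, the 10-minute window and the threshold of three unapproved prompts are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
THRESHOLD = 3                   # assumed: unapproved prompts that make an approval suspicious

# Constructed sample events: "ISO-timestamp user result"
SAMPLE_LOG = """\
2024-05-01T09:00:05 alice approved
2024-05-01T02:11:00 bob denied
2024-05-01T02:11:40 bob timeout
2024-05-01T02:12:15 bob denied
2024-05-01T02:13:02 bob denied
2024-05-01T02:13:30 bob approved
2024-05-01T08:00:00 carol denied
2024-05-01T13:00:00 carol denied
2024-05-01T18:00:00 carol denied
2024-05-01T18:30:00 carol approved
"""

def parse(log):
    """Turn log text into time-ordered (timestamp, user, result) tuples."""
    events = []
    for line in log.splitlines():
        if line.strip():
            ts, user, result = line.split()
            events.append((datetime.fromisoformat(ts), user, result))
    return sorted(events)

def find_push_fatigue(events, window=WINDOW, threshold=THRESHOLD):
    """Return (user, approval_time, unapproved_count) for approvals that
    follow a burst of denied or timed-out prompts inside the window."""
    recent = defaultdict(deque)  # user -> timestamps of unapproved prompts
    alerts = []
    for ts, user, result in events:
        burst = recent[user]
        while burst and ts - burst[0] > window:
            burst.popleft()      # forget prompts older than the window
        if result == "approved":
            if len(burst) >= threshold:
                alerts.append((user, ts, len(burst)))
            burst.clear()
        else:
            burst.append(ts)
    return alerts

if __name__ == "__main__":
    for user, ts, count in find_push_fatigue(parse(SAMPLE_LOG)):
        print(f"ALERT {user}: approval at {ts} after {count} unapproved prompts")
```

An alert here means the approval should not be trusted on its own: since the prompts only fire after a correct password, the session and the password both warrant review.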

Targets and attackers

Scott Matteson: Who was targeted and who is suspected to have carried these attacks out?

Stephen Cox: Malicious SIM card swaps are becoming quite common. In one case, near San Francisco, hackers impersonated a man and convinced his mobile phone carrier to swap the number on the SIM card and put it on the attacker's phone. Then they redirected his calls and text messages in order to intercept authentication codes. In short order, they traded his savings of $1 million into bitcoin and emptied the account.

The Voxox incident was even more ominous, but fortunately, no one's life savings were stolen. A security researcher discovered that a database Voxox managed was unprotected and easily searchable for names, phone numbers, and text messages sent from Google, Amazon, and Microsoft, among others. He notified a popular technology-based Web publication, which alerted Voxox of the open door. The database closed, but there was a brief period where a hacker could have monitored a data stream to intercept two-factor authentication codes transmitted after trying to log into someone else's account.

Bojan Simic: These attacks affect both consumers and employees and can be executed by anyone with limited computer skills. My teenage nephew is more than capable of executing these attacks with minimal effort if he was inclined to do so. The automation of 2FA attacks is becoming more popular as services are starting to require additional factors. 

What organizations can do

Scott Matteson: What could protect organizations from these attacks, and what should organizations do in the future?

Stephen Cox: Two-factor authentication is certainly more effective than just a username and password. But the risks of attack and data breach remain if 2FA is poorly implemented, especially in cases where appropriate checks aren't included before the authentication challenges are presented.

Password leakage and credential misuse are on the rise, and attackers are continuously devising new ways to improperly access organizations and systems. We need to embrace evolving approaches to identity security that improve security posture while simultaneously keeping a simple user experience.

Modern, adaptive, risk-based approaches that leverage real-time metadata and threat detection techniques have to be the standard. Intelligence needs to be built into the authentication process that leverages dynamic controls in real time. They also need the ability to block authentication requests when they are considered to be high risk.

These risk factors include detecting anonymous proxy usage, detection of malicious IP addresses, dynamic geo-controls, device controls, and analyzing for unusual access patterns or overly privileged accounts. Once these adaptive layers are passed, the authentication controls can responsibly be presented to the user.

Bojan Simic: Organizations should deploy strong authentication that doesn't rely on shared secrets, but rather PKC (public key cryptography) or PKI (public key infrastructure). This can be achieved by deploying standards-based solutions with the FIDO specification or using other methods of PKI-based authentication. Deploying authentication without a shared secret results in the hackers having to have physical access to the device that they want to get access to, which is economically infeasible.
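The pre-challenge risk checks Stephen Cox lists above (anonymous proxies, malicious IPs, geo-controls, device controls), sketched as an added example that is not code from the interview or from any vendor named in it. The IP lists, weights, speed limit and block threshold are constructed assumptions, and reading "geo-controls" as an implausible-travel check is one interpretation.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed placeholder data (documentation IP ranges) and assumed thresholds.
ANON_PROXY_NETS = [ipaddress.ip_network("198.51.100.0/24")]
MALICIOUS_IPS = {ipaddress.ip_address("203.0.113.66")}
MAX_KMH = 900    # assumed: faster than an airliner is implausible travel
BLOCK_AT = 70    # assumed: at or above this score the request is blocked

@dataclass
class Login:
    ip: str
    lat: float
    lon: float
    device_id: str
    when: datetime

def implausible_travel(prev, cur):
    """True if reaching cur from prev would need more than MAX_KMH (haversine)."""
    if prev is None:
        return False
    dlat, dlon = radians(cur.lat - prev.lat), radians(cur.lon - prev.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(prev.lat)) * cos(radians(cur.lat)) * sin(dlon / 2) ** 2
    km = 2 * 6371 * asin(sqrt(h))
    hours = max((cur.when - prev.when).total_seconds() / 3600, 1 / 60)
    return km / hours > MAX_KMH

def assess(attempt, last_good, known_devices):
    """Score an attempt before any factor is requested: (decision, reasons)."""
    ip = ipaddress.ip_address(attempt.ip)
    checks = [
        (ip in MALICIOUS_IPS, 70, "malicious_ip"),
        (any(ip in net for net in ANON_PROXY_NETS), 40, "anonymous_proxy"),
        (attempt.device_id not in known_devices, 20, "unknown_device"),
        (implausible_travel(last_good, attempt), 40, "impossible_travel"),
    ]
    hits = [(weight, reason) for hit, weight, reason in checks if hit]
    score = sum(weight for weight, _ in hits)
    return ("block" if score >= BLOCK_AT else "challenge"), [r for _, r in hits]

if __name__ == "__main__":
    home = Login("192.0.2.10", 42.36, -71.06, "laptop-1", datetime(2024, 5, 1, 12, 0))
    odd = Login("198.51.100.7", -33.87, 151.21, "phone-x", datetime(2024, 5, 1, 13, 0))
    print(assess(odd, home, {"laptop-1"}))
```

Only attempts that come back as "challenge" go on to see the second factor; a "block" decision never prompts the user at all.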


End-user protection

Scott Matteson: How should end users focus on protecting themselves?

Stephen Cox: Users need to strengthen their passwords. Even though we believe adaptive authentication methods are the best way to foil the most insidious attacks today, passwords won't go away anytime soon. Eighty-one percent of confirmed data breaches today still involve weak, default or stolen passwords. Look at the most popular password choices: "123456," "123456789," "qwerty" and "password."

Equally dangerous is that people reuse their passwords for multiple accounts despite widespread publicity warning against this practice. Seven out of 10 users have duplicate passwords.

Beyond passwords, turn on 2FA whenever it's available (as with Gmail, Twitter and Apple, among many other organizations). Also, use biometrics whenever possible, from Face ID on the iPhone to fingerprint readers in Windows laptops.


By Scott Matteson

Scott Matteson is a senior systems administrator and freelance technical writer who also performs consulting work for small organizations. He resides in the Greater Boston area with his wife and three children.