A lot of people talk to me about two-factor authentication (2FA) as if it was a security panacea. But what about in the case of Man-in-the-Middle or Man-in-the-Browser attacks, or (as discussed in my last blog) when people choose weak passwords to control
their access to potentially valuable information?
As cyber attacks become more complex and intelligent, and as we move towards an increasingly mobile society, two-factor authentication is no longer enough because sophisticated fraud simply leverages the authentication process.
This means using as many of the following visible and invisible reference points about the end user as is necessary, calculated against the perceived risk involved. This could be something they know (a PIN or password), something they have (a phone), something
they are (for example your voice), and somewhere they are / are not (jurisdiction authentication based on proximity analysis).
Usage of the layers that go over and above the standard 2FA approach is becoming very real and increasingly necessary. For example, voice biometrics has been around for some time, but successful recent trials point towards much increased take-up in 2012, especially
as the worries about privacy associated with proximity analysis can now be easily countered. My own company has two Europrise seals on data privacy, for example. Deploying multi-layered security is user-friendly in terms of security and the overall, end-user
experience. As we move through 2012, I expect to see the focus shift definitively from 2FA to a more multi-layered mindset.
Organisations – banks, government agencies and companies – need to reach a position of knowledge and trust in their interaction with the public. They want assurances that the individual at that end point is the person he or she claims to be. Security is all
about staying one step ahead of the fraudsters, and authentication alone can no longer guarantee this. Instead, organisations need to build up a fuller picture of the end user by taking a multi-layered approach to authentication in conjunction with transaction
verification (where appropriate).
There's Two Factor Authentication, and there's Two Factor Authentication. Sadly, the term and the acronym "2FA" have come to mean just one specific branch of the
authentication family tree, a bunch of related one time and/or out-of-band password approaches (including SMS codes, OTP key fobs, and EMV CAP).
The more fundamental idea is still vital. Two Factor Authentication should mean access involving a physical device. When that device is a smart device, like a chip card or a phone, then possibilities open up for machine-to-machine challenge response, digital
signing, mutual authentication and so on, which eliminate the sorts of MITM attack that plague the OTP and out-of-band password solutions.
How come my comment from last week disappeared?
Stephen, not my doing. Finextra bloggers have no administrative control over comments. I can see your first comment if it is any help
Just wondering about this part of Stephen's comment:
"Two Factor Authentication should mean access involving a physical device."
Why is the traditional meaning of 2FA - something you know/have/are - not good here?
Come on, 2FA is the bees knees if it is implemented properly. What do you want 3FA, 4FA, why bother at all ... I have had a look at the new 2FA processes some companies are employing with their web strategies, they are solid, especially the systems which
are starting to use passcode generator enabled iPhone applications. It is cost effect, security effective and the passcode only lasts for a matter of seconds.
I would say 2FA with a passcode generator is as good as is it is ever going to get.
Martin, it's not the number of factors so much as the nature of the technology. The one time password generator is subject to MITM attack. A code that lasts a couple of seconds still affords a mechanised attack computer plenty of time to intercept and replay.
The "bees knees" in my opinion is the smartcard. OTPs are a toy. With built-in readers increasingly commonplace (and with NFC allowing new ways to interface cards to laptops, tablets and phones) we could be replicating the universal ATM/POS experience for
all Internet transactions. Cards are far easier to use than OTP, and technically have all manner of advantages as noted previously, including resistance to MITM and mutual authentication.
Interesting side-note: I was talking recently with a "big data" analyst who told me he knew of shady characters in places like Russia and the Ukraine that were funded by organized crime, looking at social media data to help with identity theft. All those
questions that banks and other service providers ask, like "What's your mother's maiden name?" or "What's your dog's name?" as a second factor using mere challenge questions, that kind of data can now be easily gleaned from Facebook. The idea is to build a
complete profile on an individual, and then use that data to "leverage the authentication process", as you say. Scary. But it makes me think that the definition of 2FA probably needs to be tightened.
Kenneth: Absolutely the definition needs tightening. Some have bastardised "Two Factor" authentication by counting multiple secret questions as additional factors. The most important thing is we need a physical factor (something you have) that is easily
noticed when lost, and which is also difficult to replicate or intercept & replay. A big problem with biometrics when deployed without a physical token [like in the idea of a cardless ATM where you just stare into an iris scanner] is that you cannot tell
when your authenticator has been stolen. It's important that we use more sophisticated criteria for matching applications to security technologies.
In all this discussion about definition of 2FA, what constitutes a puristic implementation of 2FA versus what does not, etc., it's equally important to assess what are the appropriate use cases for 2FA in the first place. Does a retail banking customer really
have to go through 2FA to know their account balance? Should a biller use 2FA to authenticate that the payor is indeed the subscriber? I could go on with such rhetorical questions but the primary point of a transaction is that it should go through without
causing undue friction for the customer, and I think this point often gets missed by overzealous security mechanisms. Some seven years after FFIEC mandated 2FA for online retail banking in the USA, the level of compliance may be low, but I have never come
across any solid evidence that non 2FA users have suffered greater theft as a percentage of their transaction volumes as compared to 2FA users.
Which brings us back to my point! The default "2FA" -- meaning one time password generators -- is a toy, long ago defeated by determined criminals, and of marginal benefit. But "two factor authentication" achieved by smarter means like chip cards, enables
transactions to digitally signed and rendered non-replayable, and mutual authentication too, where the chip's intelligence can detect and respond to site spoofing etc.. Then two factor authentication would offer real advantages, and be as easy to use in the
remote Internet setting as POS and ATM systems.
Not all "two factor authentication" is the same, and we should take the time to think beyond the simple key fobs and calculators that have come to mean "2FA" by default.
Thank you all for this great debate. Like some comments suggest, 2-F authentication can be defined differently. But, an effective 2-F authentication solution must use an Out-Of-Band (OOB) channel. As security technology vendor, my premise must be that the
device used to make the transaction is compromised; then you work back from there so all fraud vectors are addressed.
Of course the number of factors (2,3,4) depends on business imperatives but aren’t customers demanding security already? Let’s be real, as an industry, are we seriously going to stop at 2-F? We need to evolve with technology (especially mobiles) and with
the sophistication of attacks from fraudsters.
Multi factor authentication and OOB are just the beginning though – authentication alone does not stop the transaction from being compromised – you need transaction verification which is where the OOB comes in.
Who has not heard of ZITMO, ZEUS, sim swap, CFU?
Understanding security is no longer enough; any serious player in security will need to understand how telcos/mobile operators work to develop the right technology with the sufficient factors for strong authentication. Oh, by the way it is cost effective
as well and can be delivered under 400 milliseconds.
This is an excellent research paper around why, warts and all, passwords are here to stay and, despite their huge promise on paper, many alternatives haven't managed to move the needle on adoption.
Would anybody know if 2F mitigates token misuse in terms of tools such as incognito which can impersonate windows access tokens, which an over use of domain admins can cause to become a bigger concern? Or does two factor only really help the initial authentication
part and therefore once authenticated to AD the tokens are still up for grabs and privilege escalation from a compromised client on the network?
© Finextra Research 2014