For years the cyber-security industry has done itself a disservice, stuck in a conversation that revolves around a trade-off between usability and security - where neither is ever given the priority it deserves. For example, it is well known within the banking industry that retail banks have knowingly developed applications with decreased security to avoid the user experience hindering adoption.
This trade-off only exists because the industry as a whole is unable to think beyond basic two-factor authentication (2FA) and passwords. Over the last year, we've witnessed a sharp increase in how 2FA is not strong enough to prevent against even the less sophisticated cyber-attacks. We don't have to look too far into the news to see specific examples of where stolen credentials and 2FA were exploited by an attacker. In fact, today it is reported that 81 percent of all reported breaches involve the use of stolen or weak credentials.
The underlying issue here is that the industry continues to implement outdated and insecure approaches to authentication. These include "out-of-band" methods that rely on one-time passcode and push-to-accept mechanisms. So, why are the most commonly used 2FA methods failing to protect users and organisations?
One-time passcodes (OTP)
This is probably the most common group of simple second-factor methods in use today. These methods can be cheap to implement, are "acceptable" from a user experience perspective, and are used across a variety of workforce and consumer use cases.
Out-of-band methods that use an OTP really describes any 2FA method where the user has to provide a one-time passcode, usually four to six digits in length, during the login process. This includes, OTPs displayed on hardware tokens; OTPs received via SMS, a telephone call, email, or OTPs generated in a mobile application (like Microsoft Authenticator, Google Authenticator or Duo Mobile).
Let's examine how OTPs can be subverted by attackers:
One of the simplest and most effective ways in which attackers can circumvent basic 2FA is via real-time phishing.
With a real-time phishing attack, it is relatively easy for an attacker to coerce the user to give up their username, password, and one-time-passcode, with the intent of gaining unauthorized access to an organizations systems and data.
It has been shown during investigations (Mandiant reported this while investigating threat actor groups APT28 and ATP29) that attackers will even enroll another basic 2FA method for future persistence in the victim's environment.
Recently, FireEye released a real-time phishing tool - ReelPhish which they claim to have used successfully during their red team engagements. In fact, the FireEye article calls out that IBM Security Intelligence first reported on the use of real-time phishing in 2010. The research from the report concluded that 30 percent of attacks against websites that are using 2FA were being bypassed.
While simple and effective, real-time phishing isn't the only proven way of subverting a basic 2FA method.
SMS and voice call interception
An inherent weakness in Signal System 7 (SS7), the protocol that allows carrier networks to communicate, can be used by attackers as a means of intercepting SMS messages and voice calls. SS7 has been designed with little security in mind, and in the absence of authentication controls as part of its design, it relies on trust between the operator's networks.
It is this trust and a lack of authentication control that can be exploited and ultimately provides attackers with an opportunity to directly access SMS and voice-based OTPs. This is a proven approach used by attackers in Europe to obtain access to victims' bank accounts by stealing their credentials and OTPs. Arguably, the SS7 weakness was one of the driving forces behind NIST's original proposal to phase-out SMS based OTPs.
The concept of using mobile-based malware to obtain OTPs is not new. In the 2014 Emmental attacks directed at Swiss and German banks, attackers leveraged malicious code to scrape SMS OTPs from the inboxes of customers' Android devices and gain access to their bank accounts. At the time this was considered to be a sophisticated attack, however, there have been numerous incidents since then.
More recently there was a case where the Bankosy Trojan was leveraged with call forwarding to allow attackers to obtain voice-based OTPs.
Phone number porting fraud
One attack vector against basic 2FA is phone number porting. This type of attack utilises social engineering with the aim of obtaining users personal details. In this instance, an attacker who has access to information of an end-user can convince a cellular company's representative into issuing the attacker with a new SIM card, or moving the victims' phone number to a SIM card that the attacker already has. Recently, T-Mobile warned customers to be vigilant of the rise of SIM card scammers, following reports of increased SIM-swap fraud.
Push-to-accept based 2FA is usually reserved for enterprise users because of the requirement to download and enrol a third-party 'authenticator' application. This 2FA mechanism relies on the user hitting 'accept' or 'deny' during the login process.
While there are user experience benefits to push-to-accept authentication, the method leaves organisations exposed to risk. Push-to-accept authentication is prone to exploits by attackers who may overwhelm users with push-to-accept requests, getting them to hit 'accept' to make the requests "go away".
And for attackers, it's a numbers game - bombard as many users with requests as necessary until the desired outcome is achieved.
What should organisations do since basic two-factor authentication is not enough?
Authentication security can no longer be static, relying on 2FA is not a robust security measure in today's threat landscape. Instead, a modern approach to identity security should bring context and identity data into the mix. Security defenders are on the back foot against the increasing sophistication of attackers' techniques. A more integrated and automated approach is needed.
Here are seven guidelines that businesses should consider when deploying authentication technology:
- Avoid all simple 2FA methods that use OTPs delivered by SMS, email, or voice calls.
- Avoid all simple 2FA methods that use push-to-accept without symbol recognition. Symbol-to-accept requires a more thoughtful action by the end-user. Instead of simply hitting 'accept' or 'deny' when prompted, the user is asked to validate their identity by selecting a symbol or letter on their mobile device that matches the one shown on their browser.
- Access Management vendors should provide adaptive access control capabilities to better secure the login process. Adaptive access control techniques layered with 2FA can provide better levels of protection than just basic 2FA alone.
These methods of risk analysis include the ability to:
- Detect and block authentication requests from non-standard geographic locations.
- Analyse and detect improbable authentication requests as a result of improbable travel, for example, log-ins from London and New York in the same 30 minutes.
- Detect the device the user is attempting to log in from, and verify that it's a trusted device for that user.
- Detect whether the users phone number has been subjected to 'SIM swap' fraud or account take over.
- Detect whether the login is originating from an anonymity network using Tor or VPN, which allow attackers to masks their location and their IP address.
- Detect whether the login is originating from a known malicious server and could be an attacker associated with using anomalous Internet infrastructure.
- Access Management vendors should provide advanced support for FIDO Alliance-based hardware tokens, like Yubikey for added security.
- Access Management vendors should provide anti-phishing training and best practice guidance for their workforce.
- Ensure that any end-user facing self-service functionality (such as password reset or account unlock) are protected using adaptive access controls.
- Ensure that any OTPs are single use only.
Basic 2FA is currently recommended as an industry standard as it offers an added security layer. However, given the weaknesses detailed here, relying on 2FA to secure your business and users is fundamentally irresponsible.
Instead, organisations need to adopt better identity security by using adaptive access control capabilities. This new approach allows organisations to better protect, discover, and respond to security breaches through the misuse of credentials much more quickly.
The time is now to look beyond 2FA and adopt an adaptive approach to identity security.