Not All 2FA is Created Equal
Cities full of hatred, fear and lies
Withered hearts and cruel, tormented eyes
Scheming demons dressed in kingly guise
Beating down the multitude and
Scoffing at the wise
— Rush “A Farewell to Kings”
We live in an interesting time. We live in a time when we are more connected than ever — and yet have trouble connecting. We live in a time where we have all this great technology at our fingertips — yet this same technology is sometimes weaponized and used against us.
I’ve discussed before how passwords were never designed to be a security construct and how they continue to plague us:
BYOD Passwords and the Law of Unintended Consequences
I’ve highlighted some examples of where passwords have been compromised to cause great harm to our democracy:
Breaking Down the DNC and DCCC Cyber Attack
I’ve also highlighted many times that we need something better. We need to combine our password affliction with the healing salve of simple, effective two-factor authentication (2FA). But hey, I work at Duo, so I’m supposed to say that. Here’s the thing (and I tell people this all the time)....I don’t say these things because I work at Duo…I work at Duo because I believe these things to be true.
Here’s Another True-ism. Not all 2FA is Created Equal
Now, don’t get me wrong, ALL 2FA is better than no 2FA at all. The goal of 2FA is to make it hard (impossible would be nice) for attackers to get what they’re after. In other words, don’t make their job any easier than it already is. But some 2FA solutions are only marginally better.
For awhile now, we’ve known that savvy attackers would just find another way in to bypass the lower-level 2FA capabilities deployed by most web sites. Things like SMS two-factor authentication and one-time password (OTP) based on two-factor authentication really only forced the attacker to move a little higher up the stack.
We’ve known for some time that these types of bypasses were possible, long before well-known hacker guy Kevin Mitnick showed the world how easy it could be:
PSA: Keep in mind that this still isn’t trivial. You need some pretty decent skills to set all this stuff up, but it is a vulnerability and I applaud those who go out and break things in order to make it all better. But, I am not a fan of the “gotcha security” folks that while providing a valuable service also perpetuate a culture of fear. Nobody needs that.
I won’t go into gory details about how this gets set up, but suffice to say, if you sit in the flow between the user and the app, and can capture not only the primary authentication (password), and the secondary authentication (a passcode that the user enters — or even better/worse the session token) then yeah, you get access.
The important thing to keep in mind however, is that while that is not a good thing, the session tokens have a limited life span, so this attack would have to persist to be useful. There are all kinds of things that would raise red flags should this kind of “man in the middle” attack be present. Things like location tagging, behavior analysis, etc. So, what I’m saying is that the sky is not falling, and all is not lost.
This is why it is so important, as an enterprise, to deploy an enterprise-grade two-factor authentication solution. By using a cryptographically connected token or security key like a Universal 2nd Factor (U2F) key, you don’t hand over the 2FA “crown jewel” to the attacker and the secondary authentication is completely “out of band” and out of sight from the attacker.
But wait. There’s more. Duo is also committed to applying it’s “simple and effective” security philosophy to upcoming, game-changing authentication technologies such as WebAuthn — which has recently been ratified as an open standard by the W3C. This technological shift will be fundamental to changing authentication dynamics and shifting the balance of power in the user’s favor.
Misleading Headlines Proclaim Phishing Attacks Bypass 2FA
As I said, not all 2FA solutions are created equal. It’s up to the enterprise to pick the right one. This won’t stop some news outlets from posting headlines like, “Phishing attacks that bypass two-factor authentication are now easier to execute.” And so on. Because the job of the press is to inform, and I respect that, but sometimes in order to do that you need a scary title. And that one is pretty scary. If I didn’t know better, I would believe that was true based completely on the title, and that 2FA was useless. But it’s not. Quite the opposite.
We security folk are a resilient bunch. We roll with the punches and manage to maintain an optimistic outlook, regardless of all the “evil” we see in the world. As a group, we can do this — and oh by the way — we are ALL security folk. In today’s world, preserving company security is everyone's responsibility.