Two-Factor Authentication Isn't Secure: The Benefits and Risks of Different 2FA Plans

Implement two-factor authentication. ”This is the advice cybersecurity experts around the world offer when a major phishing attack hits the news again. 

It's true that two-factor authentication (2FA) is a legitimate secondary security method for businesses to consider, but it's not as foolproof as one might think. Cyber ​​criminals are often one step ahead of the experts and they have learned to circumvent the 2FA.

The Technology Behind 2FA

2FA is a process in which a user is authenticated using two separate methods. For example, a username/password combination and a separate method. An example of this is withdrawing from an ATM: you need your passcode (PIN) and the physical debit card in the machine. Many financial institution websites use two factors, in which you must authenticate yourself using a PIN provided to you unless a cookie is stored in your browser. This PIN can be transmitted via email, text message, or voice call.

There are also hardware devices such as Yubikey, a USB device that plugs into a computer and transmits a one-time hash passcode (OTP) when the user presses a button on the inserted key. The authentication service must be configured so that this hash can be used. However, the service is widely supported and the integration code is open source. Microsoft offers it as a 2FA path for all Office 365 web services.

Another form of the key is the rotating passphrase key. This is a piece of software or hardware device that is synchronized with a server and registered for a user. This device outputs a rotating multi-digit code that must be appended to the user password. The recipient of the combined code splits the passphrase into two parts and authenticates the code against the authentication server. This external passphrase is similar to receiving a text message with a one-time registration code.

The advantages of 2FA are obvious: An additional layer of security for a transaction or an account means that a potential hacker would need both keys to access the account. If your card is stolen or lost without the 2FA of a PIN code, as in the ATM example above, a fraudster could quickly empty your account. Likewise, a malicious user who does not have your password but does not have your 2FA key could not access your email account, break into it and use your details to access banking services or others.

The Limits of 2FA

The first major disadvantage of the 2FA process is that it requires some sort of transaction sets. For example, if you use a VPN service that requires 2FA, your established session is authenticated until you log off. When you use it to access your insurance company's website, a session cookie contains information that identifies you to the server. After you have logged out and deleted the cookie, you will need to authenticate yourself again. This is not a disadvantage of this setting, but if you use your mobile device to access e-mails, for example, using the 2FA method is always quite problematic when you want to check your e-mails or send a message.

The problem with 2FA is that any authentication method is only as good as the trust you have in it. When users receive a phishing message and are asked to log into their own bank account, the phishing email contains a link to a temporary website that looks like the actual bank's website. The users are redirected to this phishing website where they enter their username and password plus their 2FA details. The phishing site then uses these two parts to log into the financial institution. Because the user “trusted” the phishing website, they disclosed their login information and so the second factor is useless.

Kevin Mitnick, a security advisor, and former hacker demonstrated how 2FA data is recorded in session cookies. As soon as a phishing victim enters their 2FA code on a website, the hacker can retrieve the session cookie from a developer tool in a web browser, e.g. B. Chrome, tap. With this session cookie, the hacker no longer needs the victim's username and password; it is sufficient to copy the session cookie into a browser to log into the victim's account.

Even more dangerous, however, is the deceptive sense of security that has developed. Phishing attacks are successful because of the psychological manipulation that works. With the help of a well-known, well-hyped security method like 2FA, the cybercriminal was not only able to manipulate the victims into giving out their personal data, it also put them to sleep.

Although two-factor authentication can be a secondary layer of security for many applications, it is not sufficient. By implementing Protegent360's antivirus software for Office 365, which uses AI, including machine learning, to detect targeted phishing attacks, and an auto-remediate the feature that automatically reclassifies any threats that bypassed the filter originally the end-user protected from potentially costly threats.