Two-factor authentication (2FA) is an indispensable cybersecurity measure used to protect data. Most of the modern information security standards despite the area of application such as PCI DSS, PSD2, HIPAA, etc., demand the multifactor authentication (MFA) among other data protection methods.
This approach allows mitigating the danger coming from such attack vectors as brute force password cracking, keylogging, social engineering, phishing, and some kinds of man-in-the-middle attacks. Nevertheless, two-factor-authentication is not a cure-all solution by itself. This is just a single component in a major set of requirements for high-quality data protection. Taking care of data security means implementing a complex plan of actions. For example, this is clearly seen in the in the article 10 Steps to Eliminate Digital Security Risks in Fintech Project where we analyzed the components needed to protect payment gateways from cyber threats.
In the current article, we’ll unveil all the weaknesses of two-factor authentication you have to keep in mind when strengthening your security infrastructure with MFA. And, of course, we’ll discuss all possible solutions to these weaknesses.
1. SMS authentication is not secure
The US National Institute of Standards and Technology (NIST) recommended every company to abandon SMS authentication as insecure and no longer suitable strong authentication mechanism long ago. But many companies worldwide still opt for SMS to deliver the one-time passwords in their 2FA infrastructures. And it was only three months ago that Reddit has admitted this method to be not as effective and secure as the company was hoping.
No doubt, SMS authentication is convenient for companies and users alike. But is this a reliable option? Unfortunately, no. Let us review the SMS authentication vulnerabilities.
In most cases, it wouldn’t be a hard task for a dedicated culprit to use a mobile operator’s SIM-card replacement service and intercept a victim’s number. The information needed for this fraud can be found in public sources or bought on the dark web.
Network Protocol Vulnerabilities
The next potential risk hides in the cellular protocols. And the fact that SMS exchange is not encrypted in any way.
The security of SMS transport depends on the cellular network security. There is a number of vulnerabilities in consumer cellular networks as well as methods of exploiting them. Some of the most advanced ones do not even require costly hardware or specific skills. From this point of view, using SMS for security is rather dangerous.
Moreover, if to take into account the fact that a usual SMS exchange is not encrypted in any way, an employee of a network center with a proper access can freely read all the messages. Not to mention all the possible ways to intercept the radio transmissions.
There are tons of fraudulent software aimed to steal the sensitive data. And mobile device trojans intercepting SMS messages are nothing new. Infection is immediate; the consequences are dire.
Malware that ingrained itself into the gadget can play a variety of roles:
- Intercept the entered login credentials and one-time passwords as well;
- Track all the sent and received messages;
- Record the voice calls;
- Copy the SIM card parameters and contact information;
- Provide capabilities for remote control;
- Turn a device into a member of botnet or crypto-currency mining agent, etc.
The tech-savvy attacker has nearly unlimited opportunities especially it concerns making use of open access to SMS messages on smartphones. Remember at least such trojans like Zeus, Zitmo, Citadel, Perkele, etc. And this is one more proof that today SMS is not the best choice for mobile two-factor authentication.
What are the Solutions?
Use Multi-Factor Authentication Applications
One-time password generated directly on your device will fix the problem with SIM-card replacement and intercepts during transmission in unencrypted form over a quite vulnerable cellular network.
Recently we reviewed 10 most popular multi-factor authentication apps. This article will help you to choose the best 2FA app for you if you don’t use any.
And if you already use Google Authenticator make sure you know how to backup it.
Use Hardware OTP Tokens
This is the type of stand-alone security devices for generating one-time passwords. Hardware security tokens generate one-time passwords independently and don’t need any network connection – neither cellular nor the Internet. Keyfobs, plastic cards, and USB flash drives are the most common presentations of hardware OTP tokens. One of the best examples is reprogrammable hardware TOTP token Protectimus Slim NFC.
It’s the most secure option. Stand-alone security tokens do not interact with networks, so one-time password interception is impossible. Neither via a cellular network, nor with the help of Android or iOS malware, nor using a SIM-card replacement.
Use the Modern Messaging Services
Messaging services such as Telegram, WhatsApp, Viber, and Messenger transmit encrypted messages only. So, even if a hacker intercepts the message, there’s nothing to do with it. This can be a great alternative to the traditional SMS. As it’s just as convenient as SMS messages but more secure and free for the company. However, to minimize the risk, users should not log into their accounts on devices other than their own. And unfortunately, the danger of trojan infection still exists.
2. Users are lazy and don’t like two-factor authentication
One of the greatest problems is that the end users do not even understand clearly what is two-factor authentication and how to use it efficiently. This is the reason they avoid enabling two-factor authentications on their accounts even if the used service supports this. Thus, they endanger their privacy and stay vulnerable to risky security gaps. People just get bored with minding all the potential Internet risks and inconveniences caused by increased security measures. There are also problems arising when a smartphone or OTP token is lost or stolen.
Google two factor authentication research demonstrated that less than 10% of Gmail users turned the free two-factor authentication on their accounts on.
What are the Solutions?
There are several beneficial methods of OTP delivery that minimize user efforts but still protect a system.
- OTP delivery by messenger chatbots (Telegram, WhatsApp, Viber);
- OTP delivery by push notifications;
- Trusted devices.
Let us review the topic of trusted devices, their pros, and cons for internet security.
3. Trusted devices require responsibility
What does the trusted device mean for two-factor authentication? For a device that is trusted within a certain network, the multi-step authentication may be required only occasionally.
Trusted devices are the partial though popular solution to the above-mentioned issue as they diminish user inconveniences.
But at the same time, trusted devices reduce the general security level. If the access to the trusted device is compromised, the access to every account which considers the current device as trusted is compromised too.
Besides, it takes time to find out that the device is compromised, lost or stolen. The attacker may have enough time to steal all the needed information without any effort.
What are the Solutions?
It is vital to protect the trusted device itself.
Users must update antiviruses and operating systems frequently and change their passwords periodically (the passwords should be strong, of course).
It’s also vital to protect access to your device with a strong password, 2FA, and biometric authentication if possible.
For Windows devices, there is a notable solution – Protectimus Winlogon that enhances the standard system security routines with the two-factor authentication.
If to talk about corporate security, it is necessary to remind the users about the potential risks regularly increasing their attention to the suspicious websites, emails, apps and other potentially dangerous resources. And, of course, it’s better to make all the above-mentioned recommendations mandatory.
| Read also: Windows Computer Safety Tips
4. You are never fully protected
Once more: two-factor authentication by itself is not everything you need to keep your users safe. Like any other security method, actually. It is a great step forward; however, new fraudulent ideas are born every day. Risks will never disappear. And you should always be ready for an attack.
The users themselves are the weakest link in every security system. You should always be aware of phishing, social engineering, etc.
What are the Solutions?
Let us see what actions can be taken.
Attention and awareness is a way to the heightened data security.
CWYS (confirm what you see) method is one more way to protect the system from phishing and different kinds of malicious software. The system can create one-time passwords based on current operational data. For instance, if it goes about a financial transaction, the software takes the transaction details when generating the OTP password. With this password, one can confirm a single operation that takes place at the moment. Even if the attacker intercepts the password, there is nothing they can do with it.
To protect your business, use two-factor authentication software everywhere you can. But – in conjunction with other data security supply methods. Add it to the list of requirements for the users, clients, partners, and employees.
Remember the following essential tips:
- Stop using SMS authentication; there are many other high-quality reliable solutions for the generation and exchange of OTPs;
- Watch your own device and remind your users about it;
- Be vigilant.
What do you think about 2FA? Does it work well for you? In case you need a competent advice, just let us know. Protect your business today to grow your profits daily.
- 10 Steps to Eliminate Digital Security Risks in Fintech Project
- Hardware or Software Token – Which One to Choose?
- Doxing. What Is It? How to Dox? How to Protect Yourself from Doxing?
- How to Protect Facebook Account from Being Hacked
- The Most Common Ways of Credit Card Fraud
- 10 Basic BYOD Security Rules