Is 2-Factor Authentication (2FA) Broken?
Recently, ThreatPost reported on how an open source tool can be used to hack 2-Factor Authentication and gain access to secure sites.
Modlishka, an open source, reverse-proxy tool that is freely downloadable from Github, acts as a man-in-the-middle attack, stealing credentials as well as defeating 2FA.
In layman’s terms, think of a simultaneous translator inserting itself between you, the user, and the secure website, which is what Modlishka does. Without your knowledge, everything you send to the secure website is intercepted by the by the translator first, get processed and then sent to the secure website. So without knowing, you send your login credentials, and secure 2FA tokens, like a one time code you receive as an SMS message, to the translator. It may create its own login session into your bank account and initiate transactions behind your back. Or capture your credit card at an eCommerce site, or capture sensitive health data (which is worth more than a credit card in the black market) at a healthcare provider.
So how come 2-Factor Authentication is not protecting you? Is 2FA broken? As Stephen Cox, VP and Chief Security Architect at SecureAuth points out, while it is not broken, “it falls short in addressing today's threat landscape”.
I don’t think 2FA is broken. What is broken is how we classify the authentication products. The old classification looks at three factors:
Something you have
Something you know
Something you are
Say one of the factors was whether you have money in your bank account. I have a $1 in my bank account and you have $1,000,000 in yours. We both qualify. Obviously I am no match for your financial strength. But 2FA or 3FA does not make this distinction. We are both equal.
In the case of Modlishka type man-in-the-middle attacks, the communications channel used to send and verify the 2FA information is what makes or breaks the security.
In the most common scenario, you receive a one time code as an SMS message, and when you type it in the browser, you are handing the keys to Modlishka. You just got hacked.
If you receive a text message or a Push Notification asking you to verify your login request and you respond to it on your mobile device, the communication is taking place on a different communication channel than the one being intercepted. You went around Modlishka. If all sensitive transactions require this type of out-of-band authorization, you’ll be much safer.
We are aware of this issue when we design authentication products. Since SEKUR.me eliminates passwords, the products had to be extra secure. Whether you look at the Mobile Push Login, the no-app SMS Login or my favorite, the QR Login, they are all examples of how out-of-band authentication can be implemented for a more secure product.
So is 2FA broken? No. Just the 2FA products that do not use out-of-the-band authorization are. Unfortunately a large number of 2FA products in the market today fall into this category.
In today's threat landscape where we hear of a brand being breached every week, isn’t it time for the security conscious companies to up their game and use the more secure out-of-band authentication? A good, easy to use 2FA is still one of the most effective protections against breaches.
While we are at it, let’s get rid of passwords too. If you don’t have a password, it can’t be stolen!