
2FA FTW? Two-factor authentication ain't all that

Is two-factor authentication (2FA) a mess? Some say it is, because too many developers rely on insecure second factors.

2FA adds “something you have” to “something you know” (i.e., a password). That added factor used to be a strong, crypto-based, time-limited-PIN generator. But lately, we’re seeing more and more systems resort to weak, SMS-based authentication, where it’s assumed you have sole control of your phone.

Sadly, text messaging isn’t terrifically secure, for a host of reasons—not the least of which is social engineering. But, in this week’s Security Blogwatch, we wonder whether SMS is really as harmful as they say.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Get off my lawn

What’s the craic? Russell Brandom opines, Two-factor authentication is a mess:

Nearly all major web services now provide some form of two-factor authentication, but they vary greatly in how well they protect accounts. … It’s time to be honest about its limits.

There are dozens of different varieties. … Some send verification codes over SMS. … Others use email or … verification apps like Duo and Google Auth. [But] it’s become clear that most two-factor systems don’t stand up against sophisticated [hackers].

Two-factor’s trickiest weak point? Wireless carriers. … [NIST] quietly withdrew support for SMS-based two-factor in August, pointing to the risk of interception or spoofing, but … if anything, services are relying more on SMS [because] it’s … easier to use.

Is SMS really all that insecure? Just in time, here’s Justin Williams: [You're fired! -Ed.]

How did I, someone who is reasonably secure, have … his PayPal account compromised, and a few hundred dollars withdrawn?

I checked my email and saw two new emails. The first is from Google with a security reset code. … The second email I see was from PayPal stating that $200 AUD was transferred from my bank.

Finally, it clicked: someone has taken over my cell phone. I … called AT&T's customer service line. … Someone had been dialing the … call center all day … but was repeatedly rejected because they didn't know my passcode, until someone broke protocol [and] didn't require my … passcode. The intruder had the … call center rep switch my number … to his/her burner phone.

For all the advances that we have made … online security still has a ways to go.

Ouch. But an AT&T spokesperson said:

Protecting customers and their accounts is a top priority. We … have various security measures and protocols to prevent this. In this case, those protocols were not followed [so] we are taking additional steps to prevent it from happening again.

What sort of “additional steps”? Here’s the pseudonymous kain preacher:

I've worked at an ATT call center. … What he did is a fireable offence.

Wait. Pause. How did we get here? Mike Stewart thinks he knows:

I'm of the opinion that the accelerant for this dumpster fire is that companies are allowed to define "two-factor authentication." … It comes down to money.

Fobs, biometric systems, they all cost money and [add] inconvenience. Well, we can't have that, so we'll implement a JS library we found on github, reset passwords over the phone for anyone that says the right things, and we save money.

Still relying on SMS? krakenx advises thuswise:

Sacrifice your virgins now because, ultimately, Xenu’s graces are the only thing preventing your phone number from being ported to a 12-year-old in Syria.

But let’s beware of the baby+bathwater hazard. Alex Stamos analyzes with a thread of tweets (ironic, given his employer is now Facebook):

this is account lifecycle mgmt issue, not auth. … Most of the practical 2FA hacks are abusing the ways services have invented ways to let people back in after catastrophic event.

This causes huge churn, hard balancing decisions. … We need totally new ways of allowing accounts to be recovered.

I get queasy when the InfoSec elite and media cast SMS 2FA as "insecure." … we need to walk a very delicate line of pushing forward to a better future without discouraging most people from SMS 2FA.

Meanwhile, grok this throwaway quip from DontThrowMeYaWeh:

It's like the Mongols going up against the Great Wall. Why go through or over the Great Wall when you could just go around it? Doesn't mean the wall is bad.

The moral of the story? Make sure you can properly trust any second factor you rely on. Think hard about the weakest link in the chain.

And finally …

Why young people hate old TVs and monitors

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hatemail may be directed to @RiCHi or sbw@richi.uk.

Image source: Doug Kline (cc:by)
