Not all forms of multi- or two-factor authentication are “bulletproof”

With most medium and large websites offering two-factor authentication for free, it is very much in fashion. Let’s travel back well over a decade to see why two-factor was introduced. Everyone who has been working at least ten years will have seen the RSA key fob tokens; that was mainly what was available for securing Microsoft Exchange OWA or a VPN then. The disadvantages of passwords, a decade ago or today, are that they are: guessable, written down on paper or saved in electronic clear text, repeated across many websites, shareable, listed in password leak lists online, interceptable (maybe not a word), phishable (also likely not in the dictionary) and more.

After people figured out passwords were not sufficient for securing remote connectivity, RSA was widely used and got very big & rich. The problem with RSA tokens is that people can and do leave them in the laptop bag, possibly with a Post-it note next to them with the password on. RSA codes change every x seconds, so it is a little hard to use a code from 5 seconds ago since by the time you come to use it, it has changed. If you found or stole a laptop with the RSA token in the bag it is a different story: you have the laptop and the token, and then you just need the username & password, which could also be in the bag. Yes, this does happen!

Hardware tokens are declining today due to cost and management time. In 2017 soft tokens are mainly used; these are installed on a smartphone and either give a static code which is not time sensitive or one which changes every 30 seconds. Google and Microsoft Authenticator are free to use and, once set up, are intuitive and do not really break by themselves. SMS, phone call or email is also used as a delivery method. With SMS authentication a code is sent once you enter your username & password; email is the same; and with a phone call, your phone rings and either a code is spoken out or you press any key to approve the login request. With these methods being based around a smartphone, it is less likely the smartphone will be stored in the laptop bag, so the two are unlikely to be together.
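As an added illustration (not code from the original post), this is how the code that changes every 30 seconds is derived and checked on the server side: RFC 6238 TOTP, which is what Google and Microsoft Authenticator implement. The secret is the RFC test-vector value, constructed for demonstration; the `last_used` replay guard and the ±1 step tolerance are the usual server-side choices, not anything the post specifies.

```python
import hmac
import hashlib
import struct

# Constructed demo secret (20 raw bytes, the RFC 4226/6238 test-vector key).
# A real authenticator receives this once, from the enrolment QR code.
SECRET = b"12345678901234567890"
STEP = 30      # seconds per code, as the authenticator apps use
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time, so the code rolls every `step` s."""
    return hotp(secret, at // step)


def verify(secret: bytes, code: str, at: int, last_used: int = -1, skew: int = 1):
    """Server-side check. Accepts the current step and `skew` neighbours (clock drift),
    compares in constant time, and refuses any step at or before `last_used` so a code
    that was already accepted cannot be replayed inside its window (RFC 6238 advice).
    Returns the matched counter for the caller to persist, or None."""
    counter = at // STEP
    for delta in range(-skew, skew + 1):
        candidate = counter + delta
        if candidate > last_used and hmac.compare_digest(hotp(secret, candidate), code):
            return candidate
    return None
```

The check with `at=90` in the test shows the post's point about stale codes: a code from step 0 is still inside the tolerance at 59 seconds but rejected by 90.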

In some cases the soft token is placed on the laptop itself, something which many people do not understand. If the laptop has the VPN agent on it, why place the two-factor method on the same device? A mystery really; it should be blocked and forced onto a smartphone. Talk about all your eggs in one basket. All methods have disadvantages and can possibly be defeated, often by the user’s actions. Two-factor authentication is based upon three somethings: something you know (password & PIN), something you are (eyes, fingerprint or veins etc.) and something you have (hard or soft token). Let’s explore the disadvantages of common methods in the table below:

There is a pattern above: anything which has few yeses today is being used less and less. Why? Cost and management time.

A lot of the above can be defeated by email phishing or by someone phoning up, posing as an employee and asking for the code. Some hardware or software tokens have a four-digit PIN on top of the app or device. Biometric is excellent unless you have starred in a Mission Impossible or James Bond film and can chop off someone’s head or hand! High-end biometric systems do check for a pulse, so that trick should be defeated.

Apart from biometric (palm/hand, fingerprint, iris/retina, voice, facial or vascular), challenge response is excellent. The most common challenge response method most consumers will know is when you add a new payee on your online banking profile and attempt to transfer money. You enter name, account number, sort code, amount, date and reference; then on the next page it says insert your debit/credit card in the reader, press respond, enter your PIN, enter the code shown on screen, and it then gives you back a code to enter on the website, which is derived from an algorithm. For this you need the banking username/password/PIN, the credit/debit card, a card reader (often generic) and the PIN for the card in question.

Challenge response can be a little simpler than the above example. Think of a well-known, affordable, open source Swedish manufacturer whose hardware offers an assortment of options. One is challenge response: you enter your password, insert your simple USB token, and then the software on the laptop presents your hardware token with a code; the device does a calculation and presents back a different code. What actually happens, in simple terms? The laptop gives the hardware token the number 5 and it gives back 26: the private key on the token is set to “times by five and add one”. In reality it is way more complex than this.
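An added example, not code from the original post or from any token vendor, putting the “5 in, 26 out” toy beside the shape of the real thing: it is an assumption here that the token computes a keyed hash (HMAC-SHA1) over the challenge with a secret that never leaves the device, and the server side issues each random challenge once and checks the answer in constant time. The toy function is deterministic and linear, so a couple of observed pairs reveal it; the keyed hash does not have that property.

```python
import hmac
import hashlib
import os


def toy_token(challenge: int) -> int:
    """The post's simplified token: 'times by five and add one'."""
    return challenge * 5 + 1


# Constructed 20-byte secret programmed into both the token and the server at enrolment.
TOKEN_SECRET = bytes(range(20))


def token_respond(secret: bytes, challenge: bytes) -> bytes:
    """What the hardware token does: keyed hash of the challenge. Only the response leaves."""
    return hmac.new(secret, challenge, hashlib.sha1).digest()


class Verifier:
    """Server side: hands out fresh random challenges and accepts each one exactly once."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._pending = set()          # challenges issued but not yet answered

    def new_challenge(self) -> bytes:
        challenge = os.urandom(32)     # unpredictable, so a captured answer is useless later
        self._pending.add(challenge)
        return challenge

    def check(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self._pending:     # unknown, expired or already used: replay
            return False
        self._pending.discard(challenge)       # one-shot, even if the response is wrong
        expected = hmac.new(self._secret, challenge, hashlib.sha1).digest()
        return hmac.compare_digest(expected, response)


def login_round(verifier: Verifier, token_secret: bytes):
    """One exchange: laptop fetches a challenge, token answers, server verifies."""
    challenge = verifier.new_challenge()
    response = token_respond(token_secret, challenge)
    return challenge, response
```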

Everything should be based on a company’s risk profile, though even then things can change. Let’s imagine your company was solely using SMS authentication and the smartphones were not Android and were hardened. This means malware is less likely, though SMS interception is still possible. Imagine the company only has offices within the United Kingdom and staff never travel, so the worry of a state intercepting SMSs is very unlikely. One day a few staff go travelling to countries where the intelligence services are more aggressive and target foreign firms. Now malware is still unlikely but SMSs may be intercepted. What happens if the airport “searches” or confiscates smartphones on arrival?

Conclusion... The cheaper and easier to use and manage an authentication method is, the weaker it likely is. This rule applies to anything in security. If your staff are super well trained and smart, and your devices are hardened, then the chance of malware grabbing the code or your staff handing it over to the bad girls or guys is reduced; however, other problems still exist.