With a seemingly unending list of high-profile data breaches in recent news, many organizations are reevaluating their security posture and seeking additional protection. In times like this, reexamining the fundamentals of your security posture is just as important as adopting new developments in the industry. Today, we want to discuss one of the most important of those fundamentals: two-factor authentication (2FA).
Adding a 2FA method to your user authentication system is a highly recommended method to prevent unauthorized access. To summarize from our previous article on multi-factor authentication (MFA), 2FA is a sign-in system which requires users to provide one additional proof of identity besides their password with the goal of preventing malicious hackers from authenticating into your network.
Common secondary authentication factors used in addition to your password for 2FA include the following:
- A physical token (e.g., a security token, bank card, or key)
- A phone call to a verified phone number associated with the user to provide “proof of life”
- A PIN or security code provided via SMS/text message
- Use of an authentication app
- Biometric authentication via fingerprint, eye iris, voice, etc.
On the surface, each of these methods may seem like a great way to increase security with minimum disruption to user productivity. However, several of these methods come with significant flaws which make them “better than nothing” but far from the most secure and reliable option available. In this article, we will examine the advantages and problems with each method to determine which are the best options for businesses to rely on.
The Phone Call Method
Using the phone call method, or “proof of life” as I like to call it, is better than not using 2FA at all, but can create a dangerous set of circumstances that allows a legitimate user to unknowingly allow an attacker to access their account. In fact, the phone call method has at least two major vulnerabilities which even an amateur cyber-attacker can use to trick you into letting them access your account.
This method generally consists of the following steps:
- You access an app or resource that requires authentication
- You enter your username and password
- The app validates your login information and if accepted you are presented with a 2FA challenge via phone call
- Your phone rings, you answer it, and an automated prompt tells you to press any button to complete the transaction
- You get access to your app or resource
Exploiting the Phone Call
The process described above for phone call 2FA may sound secure enough. After all, how can a hacker get into your account without access to your phone? But it gets more complicated as you access different apps and resources using this method throughout the day, different sessions periodically time out, and you have to continually use the phone call method to sign back in. Many users get accustomed to the routine, and the phone call method offers no context in terms of which application or session you are approving when you answer the call. Did the session for your work email on your mobile expire? Was it the chat app session on your laptop? If you aren’t paying close attention, it isn’t always clear which request you are approving, making it easy to accidentally approve an access request coming from a malicious third party.
Unfortunately, threat actors know about this weakness and have learned how to abuse the system to trick you into letting them in. The attack is remarkably simple and low-effort, with the potential for a high yield. If the attacker has your username and password (which can be obtained from successful phishing campaigns, credential leaks from other compromised companies, or dictionary attacks), they can complete the first part of authentication and get to the 2FA prompt. Now you get a phone call, the same phone call you get multiple times per week or even per day. Maybe you are careful and realize what is going on in time, or maybe you are distracted or in a rush and press the button, letting the attacker into your account.
The type of attack described above works especially well when the attacker has the foresight to time it correctly, so the call happens during your normal business hours when you expect to receive it. A determined attacker can also attempt authentication repeatedly to keep sending you the phone call in hopes that you will answer the call to make it stop.
Hijacking a Phone Call or SMS
Remember when we mentioned there were two major vulnerabilities within the phone call method? The second is actually a shared vulnerability which applies to both phone call and SMS/text message 2FA methods. In addition to tricking you into approving their authentication attempt via phone call, more sophisticated attackers can actually hijack the phone call or text message itself. This requires the attacker to either clone your phone’s SIM card or compromise a virtual phone number provider like Google Voice to get access to the incoming 2FA call/text message. These options are both significantly higher-effort on the part of the attacker than the phone exploit vulnerability described above, but still present a real threat to the integrity of your accounts.
Authenticator Apps and Hardware Tokens
Authenticator apps and hardware tokens are generally considered to be the most secure options available. By requiring you to input the PIN or code into a box and click Submit, these methods have the ability to provide context behind the authentication attempt, drastically reducing an attacker’s ability to game the system by tricking you into approving a malicious authentication attempt. It may seem simple, but the added context and security makes authenticator apps a significantly less attractive target.
At Dataprise, we recommend that our customers disable the phone call and SMS 2FA methods in favor of authenticator apps and tokens whenever possible. If extenuating circumstances render phone call and SMS the only 2FA methods available, we highly recommend educating users so they understand the risks, the attack vectors, and the vulnerabilities they are exposed to. Encourage your employees to self-report suspicious or ill-timed 2FA challenge calls or text messages to your security organization, especially when they happen after hours.
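As an added example (not code from the Dataprise post), here is a small check that a security team could run over 2FA challenge logs to surface the two patterns discussed above: a burst of repeated phone call or SMS challenges to one user, and out-of-band approvals that land after hours. The log format, the sample lines, the burst thresholds and the business-hours window are all assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample 2FA challenge log (assumed format):
# timestamp, user, 2FA method, result
SAMPLE_LOG = """\
2024-03-04T09:12:05 alice phone_call approved
2024-03-04T09:13:40 alice phone_call denied
2024-03-04T09:14:02 alice phone_call denied
2024-03-04T09:14:30 alice phone_call timeout
2024-03-04T09:15:11 alice phone_call approved
2024-03-04T14:02:00 bob authenticator_app approved
2024-03-05T02:41:19 carol phone_call approved
2024-03-05T02:41:50 carol sms approved
"""

BURST_WINDOW = timedelta(minutes=5)   # assumed threshold for "repeated" challenges
BURST_COUNT = 3                       # assumed number of challenges that counts as a burst
BUSINESS_HOURS = range(8, 18)         # assumed local business hours, 08:00 to 17:59
OUT_OF_BAND = {"phone_call", "sms"}   # methods that give the user no context


def parse_log(text):
    """Parse the space-separated log into (timestamp, user, method, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, method, result = line.split()
        events.append((datetime.fromisoformat(ts), user, method, result))
    return events


def find_challenge_bursts(events):
    """Return users who received BURST_COUNT or more phone/SMS challenges within BURST_WINDOW."""
    per_user = defaultdict(list)
    for ts, user, method, _ in events:
        if method in OUT_OF_BAND:
            per_user[user].append(ts)
    flagged = set()
    for user, times in per_user.items():
        times.sort()
        # Slide a window of BURST_COUNT consecutive challenges over the sorted timestamps.
        for i in range(len(times) - BURST_COUNT + 1):
            if times[i + BURST_COUNT - 1] - times[i] <= BURST_WINDOW:
                flagged.add(user)
                break
    return flagged


def find_after_hours_approvals(events):
    """Return (user, timestamp) for phone/SMS challenges approved outside BUSINESS_HOURS."""
    return [(user, ts) for ts, user, method, result in events
            if method in OUT_OF_BAND and result == "approved" and ts.hour not in BUSINESS_HOURS]
```

Both functions return the affected users rather than printing, so they can feed a ticket or alert pipeline; in the sample data alice is flagged for a burst and carol for two after-hours approvals.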
Using a password management app to store and manage your passwords, using different passwords for every application/account, and following password complexity best practices also helps to reduce the likelihood of compromise. For more information on how to protect your organization against cyber attackers, continue reading our blog or contact our Managed Cybersecurity team.