real level of security, vulnerabilities, myths
Today it is common to talk about two-factor authentication (2FA) as a panacea against every kind of attack. As usual, things are not that simple. 2FA really does greatly improve the average user’s chances of staying protected. At the same time, news keeps surfacing of even the most secure technologies being bypassed, including the flagship of the market, Google Authenticator. There are a number of weaknesses in this system that will continue to be used to steal our passwords. Below we look at the security of the main types of 2FA and how effective they really are.
Basic types of two-factor authentication: pros and cons
In fact, the real degree of protection depends directly on the type of additional verification the user goes through. Today there are several varieties: SMS, applications, push notifications and hardware keys. Each service balances between two extremes: security and convenience. The least effective security tools are the most convenient to use, while the safest methods come with a number of inconveniences. At the very least, you should be aware of the dangers of using 2FA, and you should not rely on it too much.
SMS codes are the most popular, easiest, fastest and most widespread option, and at the same time the least reliable.
How it works:
- The service generates a temporary password, saves it in its logs and simultaneously sends it to the phone of the person who owns the account.
- The recipient sees the code and enters it into the appropriate field on the website.
- The website compares the two codes; if they match, the user is let through.
The downside of this simplicity is that it is comparatively easy for a scammer to get hold of your code. The technology has many vulnerabilities; here are the main ones:
- SMS messages are not encrypted. They are transmitted over a standard open protocol, and anyone who receives one can read it on any device.
- Messages can be intercepted. During transmission it is quite possible to duplicate the signal to another device and gain access to your account.
- Anyone with direct access to the phone can see the code. Often it is shown even on the lock screen, so no unlock pattern is needed.
- SMS messages are stored in plain text, visible on the cellular operator’s servers. If they are stolen from there, there is a high probability that the accounts will be compromised.
- Someone else can reissue a SIM with your phone number. The scammer only needs to convince a consultant in the mobile operator’s office that they are you and have simply lost the smartphone. They often play on pity and on overwhelming circumstances.
Yes, there are many vulnerabilities, but you should not be too harsh on SMS, because it was never designed as an authentication method; it is simply not meant for that. At the same time, all the listed risks are outweighed by a single advantage, ease of use, which is why most services rely on it.
The use of dedicated authentication applications has already become something of a trend. The best-known tool is Google Authenticator, but there are also Authy and others. Compared with SMS, the level of protection is much higher, and convenience remains high. They implement an elaborate code-generation scheme based on a secret that is kept private.
Principle of operation:
- The application generates a temporary code.
- The exact same code is generated on the server.
- After the user enters the code and confirms it, access to the account is granted.
This technology has several positive aspects:
- Offline code generation is protected from interception: what does not use the Internet for its creation cannot be intercepted there. To be precise, you are protected only at the moment of generation; during transmission the code can still be stolen.
- There is one central secret for the application, and the 2FA app can be installed on several devices.
There are downsides here too. We are not talking about the need for a smartphone with a camera, which most of us already have. Here is what really matters:
- Interception is possible at the stage of sending the code. Internet traffic in general is easy to intercept.
- The risk of landing on a phishing site that looks like the original but steals your login details.
- Difficulty restoring access if the smartphone is lost.
- The risk of the algorithm being broken. Since the application and the server can independently generate the same code, it follows that someone else could, in principle, reproduce the result. Yes, it is very difficult, but in the event of such a break, all users would be in danger at once.
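As an added illustration (not code from the article, from Google Authenticator or from Authy), here is a minimal RFC 6238 TOTP implementation in Python showing why the phone and the server arrive at the same code from a secret shared once at enrollment, and why a code copied off the screen stays usable for the rest of its time step. The base32 secret, timestamps and 30-second step are constructed sample values.

```python
# Added example (not from the article): RFC 4226 HOTP / RFC 6238 TOTP in
# pure standard-library Python. The "magic" is only a shared secret plus a
# shared clock; no network is needed to produce the code.
import base64
import hashlib
import hmac
import struct
import time

STEP = 30  # seconds per time step; authenticator apps commonly use 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = 6) -> str:
    """What the phone shows: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, candidate: str, at: int, window: int = 1) -> bool:
    """Server side: accept the current step and `window` steps either side
    (clock drift), comparing in constant time to avoid timing leaks."""
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, at // STEP + delta), candidate):
            return True
    return False


def decode_base32_secret(b32: str) -> bytes:
    """Apps are enrolled with a base32 secret (from the QR code); unpad-tolerant."""
    clean = b32.strip().replace(" ", "").upper()
    return base64.b32decode(clean + "=" * (-len(clean) % 8))


if __name__ == "__main__":
    shared = decode_base32_secret("JBSWY3DPEHPK3PXP")  # constructed demo secret
    now = int(time.time())
    code_on_phone = totp(shared, now)  # generated offline on the device
    print("phone shows:", code_on_phone, "valid for about", STEP - now % STEP, "s")
    print("server accepts:", verify_totp(shared, code_on_phone, now))
    # A code that is three steps old falls outside the drift window.
    print("stale code accepted:", verify_totp(shared, totp(shared, now - 3 * STEP), now))
```

The drift window is what makes an intercepted code dangerous for a short while after it is shown; a server that also records and refuses already-used codes narrows that window further.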
Push notification is a system that sends pop-up prompts to your mobile phone. Usually they carry a text such as “Is it really you?”, “Allow the action” or “Someone is trying to do … Allow?”, with only a couple of options: yes or no. On the one hand, the system is very convenient, fast and reasonably safe. The flip side is the need for a constant network connection and for the phone to be within reach. Today one rarely hears of this system being hacked, although it does happen. So we have a 2FA option that is both relatively safe and convenient.
Plugging a hardware key into the appropriate port on a laptop or computer is the most reliable method of authorization. The key looks like a flash drive. The price of its high level of safety is inconvenience in use. But it is not susceptible to phishing or hacking, and there are even ways to set up a backup or alternate key.
There are several problems here:
- Most services simply do not support this type of authorization.
- The option requires spending money on the purchase of such keys.
- Serious consequences if the key ends up in the hands of an intruder. However, it is virtually impossible to steal remotely, which is a plus: direct physical contact is required.
The main vulnerabilities of 2FA on real examples
Many of the above attack methods may sound like science fiction. Some will think that nobody would go to such lengths to steal passwords for a handful of accounts. In fact, all of the listed vulnerabilities have been exploited before.
Here are a couple of examples:
- SIM swap: redirecting SMS from your phone number to the attacker’s SIM card. Read more at Wikipedia…
- Cerberus is an Android program that was able to steal Google Authenticator codes.
- TrickBot is a banking Trojan that intercepts one-time codes. It works for both SMS and push notifications: it infects the device, duplicates messages received from or sent to certain addresses, and forwards them to the attacker.
Social engineering carries the greatest risk: people are persuaded, for a variety of reasons, to hand over the code themselves. You don’t even need to be a hacker; a little charm is enough.
Two-factor authentication myths to dispel
Myths arise either from too much trust in the protection two-factor authentication provides or from a lack of understanding of how it works.
Here are a few of the ones you should stop believing in:
- 2FA alone is enough for protection. If a fraudster has your username and password, you are already 50% of the way to being compromised; luring out the authorization code is then a matter of technique. Not everyone will be stopped, and many attackers will go further. The password must be unique and sufficiently strong.
- Two-factor authentication requires 2 devices, so the system is secure. In practice everything is done from one smartphone, and its loss, hacking or infection can lead to a compromise.
- Without an authorization code, a hacker cannot do anything. The truth is that even some large web resources allow certain actions on an account with only a password. For example, on Webmoney attackers could put your funds up for exchange through the Exchange at an undervalued rate. Whether they then redeem them or simply harm you this way is not so important.
How safe is 2FA really?
Of course, 2FA is a much better solution than going without it. But you should not rely on the system too much; the technology can be bypassed. As before, you need to be careful, take preventive measures against infecting your devices and install antivirus software. With an integrated approach, two-factor authentication is reliable enough that you don’t have to worry about your Internet security. The best solution today, in terms of the balance between comfort and protection, is push authorization. The most secure option is authentication with a hardware key.