Last updated: 03 September 2019
Is Two Factor Authentication a Waste of Time?
Not All MFA Methods are Created Equal
Over the past few years, people have been advised to replace the passwords they use to access cloud services, with two-factor authentication or ‘two step verification’. This is because the majority of data breaches to cloud services are the result of compromised passwords. But as evident in the takeover of Jack Dorsey’s Twitter account , the SMS two step verification that was in place for Dorsey’s account, didn’t provide the expected protection and hackers were able to take over his account nonetheless. Does that mean MFA is overrated as an effective method for securing cloud accounts? Turns out that not all MFA methods are created equal. Dorsey was using SMS-based two-step verification. When logging into his account, an SMS code was sent to his phone. In the Twitter case, the hackers succeeded in carrying out an ‘SMS Swap’ attack: they likely bribed or persuaded an employee of Dorsey’s mobile phone carrier to transfer his number to a phone in their possession. The SMS code was then sent to the hacker’s device, and was used to get into Dorsey’s account.
Two factor authentication is still the best way to protect your account. But not necessarily SMS-based MFA. In 2016, NIST determined based on extensive independent research that redirecting and intercepting SMS messages has become too easy and can be operated at scale. As a result NIST has deprecated SMS-based authentication advising that it is not secure. . Paul Grassi, who at the time was senior standards and technology advisor at NIST said then, “We don’t want you to use SMS as a second factor, but we absolutely want two-factor authentication, in fact, we recommend it for all levels of assurance.”
If Not SMS, What Kind of Two-Step Verification Should You Use?
For mobile phones, the easiest and most secure method, is PUSH OTP, using an OTP app that is installed on a smart phone. With OTP technology, the cryptographic secret that generates the security code is highly secured within the app, and the app is securely tied to the physical device. Unlike SMS, this technology doesn’t rely on the mobile carrier to deliver the security code. Even if the phone number were to be transferred to another device, the malicious actor would still not be able to generated security codes using the app. So what should you look for when evaluating OTP and Push based two factor authentication?
- Make sure the OTP app cannot be backed up to an external drive or copied to another device. Apps that allow this don’t have the built in security to ensure the apps can only be used on a specific and intended device. So always make sure that the OTP app is encrypted, protected and tied cryptographically to a specific mobile device.
- Make sure the OTP app supports secure app enrollment and activation: In order for the security code to be protected and secured when a user installs the app, the app installation process needs to be encrypted. Otherwise, the cryptographic module that generates the security codes could be at risk. Some vendors carry out an OS check before allowing the app to be installed on the intended mobile device. However, if the app can be copied to a malicious device that complies with the OS rules, this kind of workaround wouldn’t be of any help in protecting the integrity of the app itself.
To sum, when developed with the best built-in security, PUSH OTP-based two-factor authentication is a highly effective way of protecting apps and cloud services, and overcoming the weaknesses of passwords. It offers both security and an easy and convenient way of logging into apps – check it out for yourself in this video showing how PUSH OTP can secure your O365 account.