Too Fast, 2-Factor
Summary:
Two-Factor Authentication is a security solution, but not without its own problems.
Multi-Factor Authentication is far more secure, but still not a cyber security silver bullet.
MFA draws on three factor types:
Knowledge Factor: Something you know e.g. password
Possession Factor: Something you own e.g. mobile device
Inherence Factor: Something you are e.g. fingerprint
Companies and services need to enforce strict password requirements, require MFA for access to sensitive data, and foster a security culture.
Introduction:
For as long as we can remember, the method used to secure access to digital data has been the password. So as a cyber attacker, all you needed to breach an area of a network or application were the credentials of a user with the appropriate access permissions. Whilst only needing to remember a few passwords was convenient for users, it was also convenient for hackers. Still to this day, weak passwords contribute to 91% of reported security breaches (Lindner 2023). As more services and applications are developed, users are required to remember more credentials. But humans are generally efficient beings, so rather than creating complicated passwords and struggling to remember or manage them, we typically make our passwords memorable, simple, and similar or identical to others we already use. This increases usability but dramatically decreases security, and the best way to understand why is to view the situation from the hacker's perspective.
There are many tools at a hacker's disposal and many methods for cracking a password, but the most 'popular' is the brute-force attack: a trial-and-error approach that keeps trying character combinations until the correct one is found (Drapkin 2023). The main limitation of this method is the attacker's computing power, as illustrated below by cyber security firm Hive Systems. Note that these estimates assume offline cracking of a stolen password hash; against a live login form, rate limiting and account lockout, not raw processing power, are the binding constraint, which is why the way a service stores passwords matters as much as the password itself:
As you can see, the longer and more complex a password is, the longer it takes the hacker to crack it. The second common fault is reusing the same password across multiple services. This is particularly convenient for a hacker, because once one service is breached the leaked username and password pairs can be replayed against other services, a technique known as credential stuffing (Drapkin 2023). It is far quicker if the hacker only needs to crack one password to gain access to all the victim's accounts. Whilst these flaws in common user practice can be mitigated with training and password management applications, we can further increase security by adding an additional layer of defence. Introducing: 2-Factor Authentication (2FA).
A Basic Understanding of 2FA:
2FA elevates security by requiring the user to provide two different forms of authentication: something they know, such as a password; something they physically have, such as a phone or smartcard; or a biometric factor such as a retinal scan or fingerprint. Other factors include location data, such as the GPS coordinates of the accessing device, or time-based authentication data; however, these two are mainly used as additional signals in Multi-Factor Authentication (MFA) (Rosencrance, Loshin & Cobb 2021). A form of 2FA we are all familiar with is the Automated Teller Machine (ATM): to view bank information and execute transactions, the user must present their bank smart card (possession factor) and input their PIN (knowledge factor). In protocol terms, a 2FA scheme provides user verification and, in many designs, session key agreement through the interaction between client and server (Liu et al. 2023). It is tempting to assume that this second layer closes the gap left by passwords. In this blog I will explain why that is not the case, and why 2FA is not the silver bullet for user cyber security.
The first widely used iteration of 2FA was released by the security company RSA: a key fob with a six-digit display whose code rotated every minute, which users would append to their password when logging in (Bankston, Schulman & Woolery 2017). For many years this technology was adopted by organisations handling sensitive data, including the U.S. Government. In 2010, after it had been the victim of a Chinese cyber-attack, Google took the concept of 2FA and made it digital and accessible to a wider range of users. In 2011 the Internet Engineering Task Force (IETF) issued RFC 6238, which standardised the Time-based One-Time Password (TOTP) algorithm as the method for generating 2FA codes (Bankston, Schulman & Woolery 2017). This was followed by Google making the 'Google Authenticator' mobile application widely available to the public, and there are now many different applications filling this role. Since then, most reputable tech companies, including Amazon, Meta, Microsoft, and Apple, have added their own 2FA to their services, with many making it a compulsory setting.
Nobody Is Perfect, and Neither Is 2FA:
Despite being widely adopted worldwide, 2FA is not without flaws or limitations. Whilst the knowledge factor also includes PINs and security questions, the primary and most secure method of knowledge authentication is a strong password or passphrase. However, if the knowledge factor itself is not kept secret (for example, passwords and PINs written in an unencrypted notes file on a phone), the factor can be compromised regardless of its complexity, so users should keep these secrets in a password manager rather than in plain text. On the service side, passwords should never be stored in a reversible form; they must be hashed with a deliberately slow, salted password-hashing function such as bcrypt or PBKDF2, which are widely adopted in password management applications (Vakulov 2023). A bare fast hash such as SHA-2 on its own is not sufficient, because it is exactly the kind of function the brute-force table earlier in this blog assumes an attacker can compute billions of times per second.
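The following is an added example (not from the original post or the cited guide) of the service-side half of that advice in Python, using the standard library's `hashlib.pbkdf2_hmac`. It places an unsalted SHA-256 store beside a salted PBKDF2 store with a constant-time verifier, and includes the rehash check a service needs so it can raise the iteration count over time. The record layout `pbkdf2_sha256$<iterations>$<salt>$<hash>` and the iteration count are assumptions for the example.

```python
# Added example (not from the original post): storing the knowledge factor on the
# service side. hashlib.pbkdf2_hmac is a real standard-library call; the record layout
# and the iteration count below are assumptions for this example.
import base64
import hashlib
import hmac
import os

# Assumption: work factor for PBKDF2-HMAC-SHA256. Tune it to the slowest acceptable
# login latency on your hardware and raise it over time; needs_rehash() handles migration.
ITERATIONS = 600_000
ALGO = "pbkdf2_sha256"


def weak_store(password: str) -> str:
    """The anti-pattern: one unsalted fast hash. Equal passwords give equal records,
    precomputed tables apply, and a GPU can test billions of guesses per second."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS, salt=None) -> str:
    """Salted, iterated hash. A fresh 16-byte random salt per record defeats
    precomputed tables and makes identical passwords unlinkable."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGO, str(iterations),
                     base64.b64encode(salt).decode(), base64.b64encode(dk).decode()])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_b64, dk_b64 = record.split("$")
        if algo != ALGO:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        iterations = int(iterations)
    except ValueError:          # malformed record (binascii.Error is a ValueError)
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """Call after a successful login: True if the record uses an older or cheaper
    setting, so the service re-hashes at the current cost while it has the plaintext."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return True
    return int(parts[1]) < iterations


if __name__ == "__main__":
    # Constructed demo: two users who chose the same password.
    pw = "correct horse battery staple"
    print("weak records identical:  ", weak_store(pw) == weak_store(pw))
    a, b = hash_password(pw), hash_password(pw)
    print("strong records identical:", a == b)           # different salts, so False
    print("verify correct password: ", verify_password(pw, a))
    print("verify wrong password:   ", verify_password("Correct horse battery staple", a))
    old = hash_password(pw, iterations=10_000)            # a record from an older policy
    print("old record needs rehash: ", needs_rehash(old))
```

The `needs_rehash` step is what lets a service move from an older scheme to a stronger one without a mass password reset: the only moment the plaintext is available is a successful login, so the upgrade happens there.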
The possession factor will usually use a token in the form of a USB device such as the 'YubiKey', a smartcard such as a bank card or RFID card, or a more accessible mobile phone application such as 'myGovID'. The least secure form of possession factor is a one-time password (OTP) sent to the user by SMS. This has become a prominent attack vector for cybercriminals through SIM swapping, where the attacker convinces the telecommunications provider to port the victim's number to a 'burner' SIM and then requests a password reset from the service they are attempting to access; the reset code is sent via SMS to the burner SIM, granting the cybercriminal access (Williamson & Curran 2021). Contactless possession devices using Radio Frequency Identification (RFID) and Near Field Communication (NFC) can also be used for authentication. These technologies are common in proximity access and contactless payments, but are vulnerable to eavesdropping and relay ('man-in-the-middle') attacks, where a threat actor with a receiver in range captures the exchange and can replay or tamper with the information being sent.
Inherence factors most commonly take the form of biometric scanning, with the most widely adopted being the fingerprint scan. This adoption is largely due to the reliability and accuracy of the scanning technology, and most modern smartphones are equipped with at least one form of biometric sensor. Fingerprint authentication uses minutiae-based matching: the distinctive points of the ridge pattern (endings and bifurcations) are stored as points in a coordinate system (Williamson & Curran 2021). When a presented print matches the stored template closely enough, the user is authenticated; biometric matching is a similarity score against a threshold rather than an exact comparison, which is why false accepts and false rejects are an inherent part of the design. Facial recognition works in a similar way, but instead measures the distances between prominent facial features such as the eyes, nose, chin, and brow. Retinal scanning plots the blood vessels in the user's retina, which are unique to each individual; however, its hardware requirements make it less adopted than the user-friendly fingerprint or facial recognition (Williamson & Curran 2021). Inherence factors are a very strong form of authentication and are very difficult to bypass even with considerable investment; however, some users are reluctant to have their biometric data stored online. This is amplified by the lack of control over that data once a third party is responsible for securing it, which is why the more trustworthy designs match biometrics on the device itself and never send the template to a server.
Security vs Usability
As mentioned in the introduction, the biggest weakness of 2FA is its reliance on user compliance. Cyber security is a constant balance between securing digital assets and usability for the end user. For example, locking down a network and allowing almost no inbound traffic would make it very secure, but end users would be limited in what services they could access, not to mention the additional processing power consumed by security software and hardware. Many services that adopt 2FA have systems in place to streamline the user experience to the detriment of security (Liu et al. 2023). An example is the optional 'remember me' feature, where users can opt to have the website 'trust' their device in order to streamline future logins (Tolbert, Hess & Nascimento 2021). This streamlining creates a vulnerability, which was exploited in 2019 when attackers tricked a U.S. online banking website into 'trusting' the attacker's device, completely bypassing 2FA (Cimpanu 2019). Whilst this is an extreme example of what can go wrong, it shows that efficiency can sometimes come at a cost to security. The lesson for implementers is that a device's trusted status must be a server-issued, signed and expiring credential bound to the account, never a flag the client can set for itself.
It is always difficult to gain rapid adoption for a digital innovation that systematically slows the user's experience, so it is understandable why organisations and users are reluctant to use MFA effectively when it increases the time it takes to log in. Yet in the past five years we have seen a steady increase in the number of services with mandatory 2FA. Over time users are becoming familiar with the process and, when given a choice of authentication factors, are selecting methods that are user-friendly, not necessarily the quickest (Reese et al. 2019). This suggests that the future of MFA adoption lies in usability and mandatory use, with the challenge being to enhance the security of the user-friendly methods.
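To show what that distinction looks like in code, here is an added example (not from the original post or the cited incident report) in Python: a client-controlled trust flag beside a server-issued, HMAC-signed trust token that carries an expiry, is bound to the account and to a server-generated device id, and is checked against a server-side registry so trust can be revoked. The token layout, the cookie name, the registry and `SERVER_KEY` are all assumptions for the example.

```python
# Added example (not from the original post or the cited incident report): a
# client-controlled "trusted device" flag beside a server-issued one. The token layout,
# cookie name, device registry and SERVER_KEY are assumptions for this example.
import base64
import hashlib
import hmac
import secrets

# Assumption: a per-deployment key loaded from a secret store and never sent to clients.
SERVER_KEY = secrets.token_bytes(32)
TRUST_TTL_SECONDS = 30 * 86400


def weak_is_trusted(cookies: dict) -> bool:
    """The anti-pattern: the browser asserts its own trusted status, so anyone who can
    set a cookie (or a query parameter) skips the second factor."""
    return cookies.get("device_trusted") == "1"


def issue_trust_token(user_id: str, device_id: str, now: float, key: bytes = SERVER_KEY) -> str:
    """Issue only after a full 2FA login. The payload is bound to the account and to a
    server-generated device id, carries an expiry, and is authenticated with HMAC so it
    cannot be altered or minted without SERVER_KEY. Ids must not contain '|'."""
    payload = f"{user_id}|{device_id}|{int(now) + TRUST_TTL_SECONDS}".encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return "%s.%s" % (base64.urlsafe_b64encode(payload).decode(),
                      base64.urlsafe_b64encode(tag).decode())


def strong_is_trusted(token: str, user_id: str, device_id: str, now: float,
                      registry: set, key: bytes = SERVER_KEY) -> bool:
    """Accept only a token whose MAC verifies, that belongs to this user and device,
    that has not expired, and whose (user, device) pair is still registered. Deleting
    the registry entry revokes trust without waiting for the expiry."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:                          # malformed token (binascii.Error is a ValueError)
        return False
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # verify the MAC before trusting any field
        return False
    uid, did, expires = payload.decode("utf-8").split("|")
    return (uid == user_id and did == device_id
            and int(now) < int(expires)
            and (uid, did) in registry)


if __name__ == "__main__":
    # Constructed demo. The forged token carries a plausible payload but a bogus tag.
    registry = {("alice", "dev-7f3a")}
    issued_at = 1_700_000_000
    token = issue_trust_token("alice", "dev-7f3a", issued_at)
    forged = (base64.urlsafe_b64encode(b"alice|dev-7f3a|9999999999").decode() + "."
              + base64.urlsafe_b64encode(bytes(32)).decode())
    print("weak check, forged cookie  :", weak_is_trusted({"device_trusted": "1"}))
    print("strong check, genuine token:", strong_is_trusted(token, "alice", "dev-7f3a", issued_at + 60, registry))
    print("strong check, forged token :", strong_is_trusted(forged, "alice", "dev-7f3a", issued_at + 60, registry))
    registry.clear()                            # user clicked "sign out everywhere"
    print("strong check, after revoke :", strong_is_trusted(token, "alice", "dev-7f3a", issued_at + 60, registry))
```

The registry is the part most implementations forget: a signed token with a 30-day expiry still lets a stolen laptop skip 2FA for 30 days unless the server can be told to stop honouring that device.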
The Path Forward
Whilst 2FA is by no means obsolete, it has great room for improvement, which is why MFA is the new gold standard. Combining 2FA with a passive contextual signal such as geolocation will add further security without impeding the user experience. As with all cyber security practices, the greatest weakness of the system is the user. So education about why password best practices should be followed, how to identify suspicious digital activity, and creating a secure culture is imperative. Organisations and services need to make 2FA mandatory at minimum, but ideally impose three factors of authentication with one being biometric. This added layer will greatly improve security. Online services need to remove the option to trust or 'remember' devices, as this form of complacency has led to breaches before and can again in the future. Services must impose stronger password requirements with a minimum of fourteen characters; as seen at the start of this blog, increasing the length of a password has an exponential security benefit. An alternative to a complex password is a memorable passphrase of four or more random words. Services must also promote the use of biometrics instead of SMS OTPs, to avoid the SIM-swap and interception risks described above.
Two-factor authentication is here to stay, and multi-factor authentication is going to be the gold standard for online access security for a long time; however, cyber threat actors are constantly developing and improving the ways they conduct their attacks. Therefore, authentication factors and the security policies around them need to be updated regularly to stay ahead of threats. With new technologies will come new vulnerabilities, and better ways to authenticate users.
References
Bankston, K, Schulman, R & Woolery, L 2017, Case Study #2: Offering Two-Factor Authentication, <https://www.newamerica.org/in-depth/getting-internet-companies-do-right-thing/case-study-2-offering-two-factor-authentication/>.
Cimpanu, C 2019, FBI warns about attacks that bypass multi-factor authentication (MFA), <https://www.zdnet.com/article/fbi-warns-about-attacks-that-bypass-multi-factor-authentication-mfa/>.
Drapkin, A 2023, How Long Does It Take for a Hacker to Crack a Password?, <https://tech.co/password-managers/how-long-hacker-crack-password>.
Lindner, J 2023, Two Factor Authentication Statistics [Fresh Research], <https://gitnux.org/two-factor-authentication-statistics/>.
Liu, K, Zhou, Z, Cao, Q, Xu, G, Wang, C, Gao, Y, Zeng, W & Xu, G 2023, 'A Robust and Effective Two-Factor Authentication (2FA) Protocol Based on ECC for Mobile Computing', Research on Security and Privacy in IoT and Big Data.
Reese, K, Smith, T, Dutson, J, Armknecht, J, Cameron, J & Seamons, K 2019, 'A Usability Study of Five Two-Factor Authentication Methods'.
Rosencrance, L, Loshin, P & Cobb, M 2021, two-factor authentication (2FA), <https://www.techtarget.com/searchsecurity/definition/two-factor-authentication>.
Tolbert, M, Hess, E & Nascimento, M 2021, Vulnerabilities of Multi-factor Authentication in Modern Computer Networks, <https://digital.wpi.edu/downloads/2r36v157c>.
Vakulov, A 2023, Password Encryption 101: Best Practices Guide for Orgs of All Sizes, <https://www.secureworld.io/industry-news/password-encryption-best-practices>.
Williamson, J & Curran, K 2021, 'The Role of Multi-factor Authentication for Modern Day Security', Semiconductor Science and Information Devices.
Images:
Drapkin, A 2023, How Long Does It Take for a Hacker to Crack a Password?, <https://tech.co/password-managers/how-long-hacker-crack-password>.
Imperva 2024, <https://www.imperva.com/learn/application-security/2fa-two-factor-authentication/>.
Spiceworks 2024, <https://www.spiceworks.com/it-security/identity-access-management/articles/what-is-biometric-authentication-definition-benefits-tools/>.