Why Two-factor Authentication Is Not a Panacea

And Why You Still Need It

Good old phishing scams

In the last year, two-factor authentication or two-step verification became a hot topic amongst consumers and enterprises. Relying on a several character password is unsafe and users and businesses need a more robust way of authentication. Double access protection is one of the most common recommendations for enhancing security for reasonably little effort, and many popular services offer it as mandatory or optional.

When you add a second factor, you get about 80% of the benefit by implementing any additional factor, this is how the Pareto principle works. However, like most other ways of protecting access it is not a panacea as human factor creates vulnerabilities even in perfectly designed systems.

In his blog, Justin Williams, American iOS developer, described how scammers stole money from his PayPal account. This happened due to the credulity of one of the AT&T employees, who violated the regulations and reassigned the number to a new SIM-card, as the phisher asked to do. The fraudster reset the password in PayPal that was protected by two-factor authentication, and the SMS with the confirmation code was sent to the new number.

In this way, he got full control over the account and stole money. In an enterprise, a similar attack could lead to significant losses of money and reputation. The more valuable the data, the more striving and sophisticated the hackers are, therefore it’s essential to ensure that a single weak link in your security system will not lead to the loss of everything.

The three pillars of security

There are generally three types of data used for authentication: something you know, something you have, and something you are. Something you know generally refers to passwords or other combinations of characters, digits or algorithms you can remember. Something you have is usually a token generated by your device or a keycard. Something you are is biometrics including your face, your fingerprints, or your retinal pattern.

The recent security trends often include various biometric scanners in order to increase security while protecting sensitive data. However, once biometric data is compromised, you cannot get new fingertips.

Two-factor authentication typically involves combining something you know and something you have. Additional information for confirming your identity today may include geo-location, speech recognition an even shaking the device.

What makes two-factor authentication imperfect

Apart from social engineering that is targeted at the people in the system, there are the technologies that allow gaining access to private data without forcing anyone to disclose passwords. Hackers may infect a computer with malware after a user clicks on a link in a phishing email and use keyloggers to collect the keystrokes of their targets. In this case, every typed character is visible to the attacker.

When the user enters credit card information, the hacker piggybacks on the session and uses the collected data for fraudulent transactions. If the two-factor authentication is introduced, hackers need to get access to the phone number, and it is not as hard as it may seem. Actually, in 2016, the National Institute of Standards and Technology released a document stating that the use of SMS messages for two-factor authentication in the future would be considered “unacceptable” and “unsafe”.

Recently, a group of hackers intercepted the networks and captured the verification codes a German bank sent to users, which allowed them to steal a considerable sum of money. To gain access to personal information, hackers and special services of different countries exploit the vulnerability in the SS7 set of telephony signaling protocols (“Signaling System №7”). It was developed back in the 1970s and designed to allow cell phone companies to interact with each other.

With access to SS7, hackers can wiretap conversations, intercept the messages, and even define the location of the user. Due to SS7 security vulnerabilities, almost anything transmitted through public phone networks can be potentially exposed. This is why even the users of apps where two-step verification is introduced are not at all immune to data leaks. There were cases when WhatsApp, Telegram and Facebook Messenger users got breached — not because of the inner vulnerabilities of these messengers, but because of the old-fashioned technology that is still used to transmit sensitive data and is not replaced with a refined protocol.

Tips for making two-factor authentication stronger

Two-factor authentication does not completely safeguard anyone from attacks, but it makes using compromised credentials a harder and more costly task for attackers who will likely prefer a lower-hanging fruit. This is why it’s reasonable to enable two-factor authentication wherever possible.

“We know that a standard username and password combo may very well be enough to protect your fantasy football league. We also know that implementation of stronger authentication mechanisms is a bar raise, not a panacea. Even with all of that, 63% of confirmed data breaches involved leveraging weak/default/stolen passwords. This statistic drives our recommendation that this is a bar worth raising.” — Verizon Data Breach Investigations Report

Increase your data protection level while applying two-step verification:

1. Employ different passwords for the services you use. If you are a business owner, strictly forbid the employees to use the same password for corporate resources and for personal accounts in social media.
2. Store passwords securely in a password manager. In VIPole Team, the administrator controls the passwords and the encryption keys of the employees and their resetting. In addition, it is possible to prohibit saving the secret phrase on devices. This can save the whole business in case someone loses a phone or a tablet or the device is compromised.
3. Prepare your incident response plan for the case of device loss so that your data stays inaccessible to fraudsters and securely available to you. If the device is compromised, make sure you can immediately wipe the data remotely. In VIPole, you always control your own active sessions and as a team administrator you see all connections and you can disable them if you recognize any suspicious activity.

Two-factor authentication is one of the key elements in protecting digital content, but you need intellectual and manual control to ensure complete privacy. In VIPole, in addition to the password, the secret phrase and confirming critical settings by SMS user data is protected by configurable auto locks and auto logout, smart and customized history management, remote control of active sessions and other options.

Absolute security is hardly possible, you always have to build a high fence with complex access control to protect your data. The higher the fence — the less likely it is that someone will want to try to pass through it. Therefore, using two-step authentication along with other proven and reliable methods of data protection is like locking your front door — still makes you safer.

VIPole offers end-to-end encrypted messaging and collaboration solutions for teams and enterprises dealing with commercially or personally sensitive information, and individuals wishing to protect themselves from hackers, identity thieves and malware.

More at www.vipole.com