So-called 2-factor authentication (2FA) exists in numerous variants: This works by adding an additional factor to the password that has to be entered beforehand, or by completely replacing previous login procedures with a combination of two factors. In today's blog post we take a look at the different approaches to 2-factor authentication and also consider the risks. Basically: Using a 2-factor authentication is always more secure.
The terms “authentication” and “authentication” are often used
synonymously in connection with 2-factor authentication. Strictly
speaking, however, these terms describe various sub-processes of registration
processes. Users authenticate themselves to a system with unique login
information such as a password or chip card. By checking the validity of
the data used, the system authenticates the user.
The Construct of 2-Factor Authentication
As a rule, the authentication process with 2-factor
authentication using several factors begins with entering a secure password. If
the system confirms the correctness of the entered password, this does not lead
directly to the desired content, but to an additional safety barrier - the
second factor. This prevents unauthorized persons in possession of the
password from gaining access to data or functions.
Usually, the systems behind the 2-factor authentication use an
external system after the password query to carry out the two-stage
verification of the user. How this looks can vary from provider to
provider: A second code may be sent to an external device such as a smartphone. It
is also possible that the second factor is the user's fingerprint on a
corresponding sensor. Chip cards or USB tokens are also conceivable. There
are three pillars for 2-factor authentication:
· Features: A clear user feature such as the fingerprint or the pattern of the iris of the eye identifies the user.
· Possession: Users have an appropriate item such as an access card, key, or token.
The factors used in each case ideally come from different
categories. Two-way authentication becomes more secure if knowledge (e.g.
PIN or password) is combined with possession (e.g. chip card) or biometrics
(e.g. finger/eye print).
Probably the greatest advantage of 2FA is that neither theft nor
unauthorized copying of access data allows access to the system. Hackers
and other cybercriminals must have the second factor at the same
time to be able to penetrate. The most common threat scenarios
for identity theft can be ruled out thanks to 2-factor authentication.
Frequently Used Procedures for Two-Step Authentication
There are many methods for 2-factor authentication - we present
the five most frequently used in the following.
TAN / OTP
TAN (transaction number) or OTP (one-time password) is a
one-time password that is transmitted as a second factor. In the distant
past, TANs were made available on paper lists, but this procedure turned out to
be unsafe. TAN generators (hardware) or authenticator apps (software) are
more secure; they generate one-time passwords based on events or times. The
most secure variants on the current market include TAN generators that include
transaction data such as account number or amount (eTAN, chipTAN) to generate a
TAN.
TOTP / HOTP
TOTP stands for Time-based One-Time Password, which makes sense
and purposes a little clearer. Such passwords are generated
cryptographically and are suitable for one-time use. The passwords are
generated using TOTP software; usually through an app on a mobile device. During
initialization, the server and app create corresponding TOTP passwords. A
similar alternative is known under the name HOTP (HMAC-based One-time
Password).
The market provides various hardware for the 2FA; Above
all, RSA SecurID or SafeNet eToken should be mentioned here. Although the
products may differ in detail, the main functions are similar. Similar to
software tokens, a random number is cryptographically generated that is used as
a second factor in the login process.
Token
The cryptographic token is used to store a private cryptographic
key. The authentication takes place by sending a request to the token,
which can only be correctly answered by the token with the private key.
Electronic Identity Card / eID
You can use your electronic ID documents such as your electronic
ID card to authenticate on the Internet. With the help of a suitable card
terminal or smartphone, the so-called "Extended Access Control"
protocol (V2) according to TR-03110 can be
implemented. Anyone wishing to access the data stored in the ID card needs
an authorization certificate. The same enables citizens to recognize the
identity and purpose of the data access.
All attributes listed under Section 18 PAuswG (family and maiden
name, first name, doctoral degree, date and place of birth, address, type of
document, religious or artist name) are stored on the ID card. With the
"service and card-specific identifier", data protection-friendly
pseudonyms can be calculated. The eID can also be used to carry out data
protection-friendly confirmations of residence and age verifications.
FIDO / U2F
Hardware tokens from the FIDO alliance, which are based on the
U2F (Universal 2nd Factor) standard, are considered a solid solution that
provides accounts with a key that can literally fit in every pocket. Simply
connect the U2F token to your device and register with a compatible service. After
a few clicks, you are registered.
The most prominent example of such a hardware token is YubiKey
from Yubico. Different companies have different models of U2F-compatible
devices on the market.
2FA Security Risks
Now that you have learned about the most common methods of
2-factor authentication, let's familiarize you with the security risks.
SS7 Hijacking
The codes for 2FA are only as secure as the technology used to
generate the code. If the code is sent via SMS, for example, the message
can be intercepted, using the outdated signaling system no. 7
(SS7). Developed in 1975, it hides a collection of protocols that major
telecommunications providers around the world still rely on today. Anyone
who now has access to SS7 is theoretically able to access all information that
is transmitted in the various cellular networks, including SMS. As early
as 2016, NIST had recommended not using SMS for two-factor authentication.
Not surprising, because SS7 does not even offer the basic
protective measures: the traffic is neither encrypted nor can the devices
distinguish between legitimate and false commands. Regardless of the
source, the system simply processes every command.
MitM
Man-in-the-middle attacks (MitM attacks) are frighteningly easy
to carry out and they are by no means limited to computer security or the
online area. In the simplest form of the MitM attack, the cybercriminal
simply switches between two parties who are currently communicating with each
other listens to the messages sent, and finally pretends to be one of the two
parties.
This also makes a simple way of bypassing 2-factor
authentication: the 2FA tokens entered by the user are recorded and forwarded
to legitimate servers to be able to create an authenticated
session. To get to the login information of the user, attackers
often rely on fake domains. These look deceptively real so that users
enter their login data without much hesitation.
WebUSB Attack
Some modern browsers such as Google Chrome (up to version 67;
limited in later versions) have built-in APIs, which are also called WebUSB. Thanks
to WebUSB, the browser is included during the initial installation and when USB
devices are made available. WebUSB and the USB devices communicate
directly with each other.
Various security experts, including Markus Vervier and Michele
Or, have investigated whether WebUSB also interacts with U2F devices. In
the attempt, inquiries could be forwarded directly to the U2F device without
using the FIDO client in the browser. The MitM check by the FIDO client
could be bypassed - annoying because the FIDO client actually ensures the
correct identity.
Social Engineering
In social engineering attacks, the perpetrators feign false
identities and intentions to get information, data, or other things. For
example, an attacker poses as a technician, an employee of large corporations
such as PayPal or telecommunications companies. The victim is tempted to
divulge information such as login or account information or to visit a prepared
website. Often people are also directed through deceptively real-looking
e-mails to fake websites to enter login information there, which is
then intercepted by the attacker.
Identity Theft
Client-side certificates can be used as a second factor for
authentication in wireless networks, VPNs, or as web resources via HTTPS. This
variant of 2FA offers a strong control and enables mutual authentication
between client and server.
However, cases are well known in which the client-side
certificates are equipped with weak passwords. With leaked or weak
standard login data, attackers can gain access, steal the certificates and thus
pass the authentication unseen.
Use 2-Factor Authentication Securely
As you can see: 2-factor authentication can make you act more
securely if you stick to a few basic rules. Use 2FA as soon as a service
offers it. To minimize the risk of SMS token theft through SS7 hijacking,
ideally use a stronger second factor, such as TOTPs or U2F.
Education and best practices help reduce the risk of
MitM or social engineering attacks. The aim is to sharpen users' safety
awareness. Companies can block phishing sites at the e-mail and/or
Internet gateway.
Use the latest software in all areas; also and especially
with your browser. The API access from Chrome in version 67 is severely
restricted. Despite 2FA, pay attention to strong passwords as the first
hurdle to access - this is still fundamental. Control access to sensitive
information such as session cookies or cryptographic material very strictly. You
do not collect your login information in generally accessible places such as
your company wiki, but store them in protected areas.
2-factor authentication is not a panacea. However, it creates another barrier in common login processes. These are ideally already secured with strong passwords. The second factor creates an additional barrier. So far, no one has succeeded in identifying a fundamental weak point in 2FA, although the different variants all have their advantages and disadvantages. This makes 2FA one of the best methods to minimize the risk of account takeovers and unauthorized data access.
Install free antivirus with inbuilt data recovery features to prevent data loss.
Comments
Post a Comment