Two-factor authentication is broken: What comes next? | Computer Weekly (2024)

Two-factor authentication is seen by many as a robust authentication method, but is it really as impervious as it seems?

Published: 06 Apr 2020 15:30

It has long been known that passwords are one of the weakest methods for authenticating users. One of the first examples of a password being compromised can be traced back to 413 BCE, when the Greek army used a pass-phrase for identification during a night-time battle. Unfortunately, this pass-phrase became known to Syracusans, who used it to pose as Greek allies. Employing this ruse, the Syracusans decimated the Greek army.

It is now common practice to set minimum requirements for passwords, in terms of length and complexity. Nevertheless, these are frequently the weak point in an organisation’s security infrastructure.

Password databases can help in this regard, by providing users with a secure store of complex passwords that they no longer have to remember. However, this then becomes a single point of failure for end-point security.

Many organisations have therefore started using two-factor authentication (2FA) for access-point management, as it adds another layer of security that an attacker must overcome.

With the majority of 2FA systems, if the device is lost, stolen or compromised in some way (such as through malware), then the 2FA protection is compromised along with it.

“Two-factor authentication does not authenticate an individual. It authenticates the device. It’s what we call in the industry ‘identity approximation’. It’s not identity authentication,” says David Harding, senior vice-president and chief technology officer of ImageWare Systems.

“If you’re authenticating a device, you’re assuming that device is in the possession of the person you’re trying to identify or authenticate, and that assumption isn’t backed by anything, other than it being a known device.”

Recent examples

There have been several recent examples of 2FA being compromised. In August 2019, Jack Dorsey, the CEO of Twitter, had his 2FA-protected Twitter account hacked, and several unpleasant messages were posted from it. Similarly, the cryptocurrency exchange Binance had its 2FA system compromised and lost 7,000 bitcoins (approximately £31 million).

Compromising a 2FA system is a lot easier than it seems. One of the easiest methods, especially in America, is a SIM swap, where a malicious actor has a target’s mobile phone number transferred to a new phone. Any subsequent text messages, including those carrying 2FA codes, are then delivered to that phone, giving the malicious actor access.

Certain malware has also been found to compromise 2FA systems. Cerberus, a strain of Android malware, was found in February 2020 to be stealing 2FA codes from Google Authenticator. There is also the TrickBot malware, which bypasses 2FA by intercepting the one-time codes that banking apps send by SMS and push notification.

Social engineering is also used to bypass 2FA security. Malicious actors may pose as a target’s bank: having triggered a login attempt on the target’s banking profile, they call the target and ask them to “confirm their identity” by reading back the security code that has just been sent to them.

“A lot of this stuff doesn’t require any real technical skill, and that’s the really scary part,” says Harding. “There’s an old joke in the financial industry: ‘It doesn’t take any technical skill to take over a bank account, it just takes a winning personality’. When we first started learning about two-factor authentication being bypassed, it was through social engineering that it occurred.”

Can we fix it?

In order to combat this, 2FA needs to become identity-focused, rather than device-focused. One of the prime ways this can be achieved is through biometrics. Using biometrics in this way confirms that the individual is at their device. “The only way to truly authenticate is to rely on biometric authentication matching against a known enrolled biometric of an individual that you’re attempting to authenticate,” says Harding.

Biometric security has become a ubiquitous part of our lives. Some of the most common examples include the fingerprint and face ID biometric security on our phones, as well as the voiceprint ID used when we call our banks. “The devices are already in the pockets of the people who are going to use them,” says Harding. “Biometrics went mainstream because of Apple and Android. The irony is, that wasn’t why they added biometrics; they actually added it for convenience.”

However, biometrics are themselves not infallible. As recent examples have shown, it is possible for biometric security to be spoofed, that is, fooled into accepting a fake presentation as the genuine article. For example, in the “gummy bear” hack, a fingerprint scanner can be fooled using gelatine-based sweets. There have also been instances of facial recognition being fooled by 3D models rendered from photographs taken from Facebook.

Such exploits are being countered by the development of anti-spoofing systems built into biometric readers. For example, Face ID can now read facial contours. “In the past, it’s been very easy to spoof some of these authentication systems,” says Harding. “The key now in biometrics, and what you’re seeing more and more of, is this anti-spoofing capability, which prevents that from happening.”

Iris recognition is one of the more secure forms of biometrics and is inherently robust against spoofing attacks. A famous fictional example of someone bypassing an eye scanner is from the 1993 film Demolition Man, where Wesley Snipes, as Simon Phoenix, extracts an eyeball from a security guard to bypass the iris lock. In reality, since the eye is an incredibly delicate structure that would quickly decay, this gruesome technique is highly unlikely to work.

That said, one of the key issues around biometrics is that they commonly confirm biometric identity on the device, rather than through a centralised database. Furthermore, smart devices frequently allow more than one person to unlock the device using biometrics. When used in this way, all that the device is confirming is that the biometrics are those of someone who is authorised to use the device. This is not necessarily the person whose identity needs to be confirmed.

“Touch ID – Google’s fingerprint reader – doesn’t really authenticate the user. They check against the enrolled fingerprints on that device. I know this because I’ve coded to it,” says Harding. “For example, my fingerprint isn’t the only fingerprint that’s enrolled on my phone. My wife’s is as well, for a very simple reason: so she can change the music in the car. But to the phone, it doesn’t matter. It says: one of the fingerprints matches, but it can’t tell the difference between me and her.”

Another downside of biometrics is the frequency of false positives and false negatives. A false positive is where a match is reported when there is none; this is most commonly reported with facial recognition systems.

There are also false negatives, where a match fails to be made even though the person presenting the biometric is who they claim to be. This is especially true for fingerprint scanners, where even having damp fingers can cause a problem. “Some 30% of the global population does not have an easily read or readable fingerprint. There are a number of reasons for that; you age and so your fingerprints degrade over time, some people genetically just have bad fingerprints. Then there’s what you do for a living or hobby,” says Harding. “I suffer from all three and have to re-enrol my fingerprint about every two weeks on my iPad and iPhone.”

Rather than relying on the device, organisations can use a centralised database to store the biometric data of all the registered users for a particular service. This allows biometric readers to reference the database rather than the device for authentication. In so doing, this shifts the focus from device authentication to user authentication.
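As an added illustration (not code from the article or from ImageWare Systems), the following Python toy models the distinction drawn above: a device-local check that can only answer “some enrolled biometric matched”, versus a centralised 1:1 check against the template enrolled for the claimed user, together with the false-accept/false-reject trade-off described in the preceding paragraphs. The templates, match scores, user names and threshold are constructed placeholders, not real biometric data.

```python
import math
from typing import Dict, Sequence, Tuple

# Constructed toy "templates": short feature vectors standing in for a
# fingerprint or face template. Hypothetical values, not real biometric data.
Template = Sequence[float]

def similarity(a: Template, b: Template) -> float:
    """Cosine similarity between two templates (1.0 = identical direction)."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(x * x for x in b))
    return dot / (norm_a * norm_b)

def device_unlock(enrolled: Dict[str, Template], probe: Template, threshold: float) -> bool:
    """Device-local check, as on a phone with several enrolled fingerprints:
    it only answers 'some enrolled template matched', not who was present."""
    return any(similarity(t, probe) >= threshold for t in enrolled.values())

def central_verify(db: Dict[str, Template], claimed: str, probe: Template, threshold: float) -> bool:
    """Centralised 1:1 check: the probe must match the template enrolled for
    the identity being claimed, so it authenticates the user, not the device."""
    template = db.get(claimed)
    return template is not None and similarity(template, probe) >= threshold

def error_rates(genuine: Sequence[float], impostor: Sequence[float], threshold: float) -> Tuple[float, float]:
    """False accept rate (impostor scores at/above threshold) and false
    reject rate (genuine scores below threshold) at a given threshold."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr

# Constructed enrolment: two people share one phone, as in Harding's example.
DAVID = (1.0, 0.1, 0.0)
PARTNER = (0.0, 1.0, 0.1)
PHONE = {"david": DAVID, "partner": PARTNER}      # templates held on the device
CENTRAL_DB = {"david": DAVID}                      # only David is a registered user
PARTNER_PROBE = (0.05, 0.98, 0.12)                 # partner's finger on the sensor

def demo(threshold: float = 0.9) -> Tuple[bool, bool]:
    """Returns (device unlocked?, centrally verified as 'david'?) for the partner's probe."""
    return (device_unlock(PHONE, PARTNER_PROBE, threshold),
            central_verify(CENTRAL_DB, "david", PARTNER_PROBE, threshold))

if __name__ == "__main__":
    print(demo())  # (True, False): the phone unlocks, but it was not David
    # Constructed match scores: raising the threshold trades false accepts for false rejects.
    for t in (0.9, 0.95):
        print(t, error_rates([0.97, 0.95, 0.88, 0.99, 0.92], [0.15, 0.42, 0.91, 0.30, 0.55], t))
```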

Combining multi-factor authentication (MFA) with biometrics provides an additional layer of security. Rather than relying on a password and a biometric alone, requiring three (or more) factors, one of which must be a biometric, gives organisations a level of security that could not otherwise be achieved using 2FA or biometrics on their own.

As smart devices become more sophisticated, they provide new and greater means for biometric authentication. “We’re going to see higher resolution cameras. We’re at some point going to see infrared technology,” says Harding. “We can take advantage of things like the iris and we’re going to see more biometric modalities.”

Most smart devices now have a fingerprint lock and face ID, but the more secure iris recognition systems require dedicated devices. Naturally, this has a significant cost impact, especially if they need to be distributed to every person requiring access.

Although 2FA is more secure than just relying on a password, to assume it is sufficiently robust for a modern organisation would be short-sighted. Likewise, rather than relying on device-based authentication, organisations should consider using a centralised database, where identities can be securely stored and authenticated. “This is going to be the future of identity authentication,” says Harding. “Everything else is still identity approximation, and identity approximation will continue to fail.”
