Defending against the hackers of 1995
Passwords are convenient for the end user, but it’s too easy to lose control of them. People share them with other people. People write them down, where they can be read. People send them in email, and that email is easily intercepted. People’s web browsers store the passwords, so they can log in automatically. Worst of all, perhaps, people tend to use the same username and password at many different websites. If just one of those websites is compromised (or even run as a password collecting scam) then those passwords can be used to attack accounts at all of the others.
Two factor authentication that uses an uncopyable physical device (such as a cellphone or a security token) as a second factor mitigates most of these threats very effectively. Weaker two factor authentication using digital certificates is a little easier to misuse (as the user can share the certificate with others, or have it copied without them noticing) but still a lot better than a password.
Security problems solved, then?
Two-factor authentication isn’t our savior. It won’t defend against phishing. It’s not going to prevent identity theft. It’s not going to secure online accounts from fraudulent transactions. It solves the security problems we had 10 years ago, not the security problems we have today.Bruce Schneier, April 2005
Password stealing attacks are still a risk – especially use of the same password on different services – but they’re not the main thrust of modern attacks, and haven’t been for years. Rather we’re seeing man-in-the-middle attacks and trojan attacks – these can be used very effectively as part of a targeted attack initiated by phishing or social engineering.
One form of a man-in-the-middle attack is to create a fake website that looks like your real website, and then to entice one of your users to go to the fake website instead of the real one. Your user then enters their password and the second factor from their securid fob, and the attacker uses that to log in to your website. Done well, the user will never notice – the attacker either gives them a fake error message and redirects them to your real login page or tunnels their transactions through to your website while also piggybacking their own transactions at the same time.
A trojan attack is similar, but the man-in-the-middle is hostile code actually running on the users computer.
Not just a theoretical attack
This isn’t just a theoretical attack. It’s fairly widespread, and probably underreported. One example from a couple of years ago is use of a trojan to steal half a million dollars from a local company, despite their banks use of one-time-password, securid style two factor authentication. Here’s another.
The accounts an ESP is protecting likely aren’t worth half a million dollars, so maybe bank-grade two factor authentication is good enough for them?
Another heavy user of two factor authentication is the online game World of Warcraft. They use a physical security fob or a smartphone app to generate one time passwords.
As we’ve mentioned before there’s a black market in stolen World of Warcraft accounts. They’re typically worth $8-$10 in bulk. And they’re being targeted by a key-logging trojan that intercepts the authentication data and passes it to the attacker, who then can take control of the account until they log out.
That means it can be cost-effective for an attacker to use a reasonably sophisticated keylogger trojan to take control of an account worth $10 for a couple of hours, which is bad news if you’re relying on your customers accounts not being that high value a target.
What value does 2FA have, then?
it won’t work for remote authentication over the Internet. I predict that banks and other financial institutions will spend millions outfitting their users with two-factor authentication tokens. Early adopters of this technology may very well experience a significant drop in fraud for a while as attackers move to easier targets, but in the end there will be a negligible drop in the amount of fraud and identity theft.Bruce Schneier, 2005
2FA is a decent way to improve password security. It’s easier and cheaper to require some form of 2FA than it is to train your users to use good passwords, and not to reuse passwords. And they can be part of a decent security approach – though the inconvenience and support overhead might exceed their value. But focusing on 2FA as a security solution won’t protect you from most current attack vectors, and can distract you and consume resources you could better spend on more effective approaches.
By concentrating on authenticating the individual rather than authenticating the transaction, banks are forced to defend against criminal tactics rather than the crime itself.Bruce Schneier, 2005
But two factor authentication is a great way to deal with some non-security related business problems, such as sharing of “flat fee” accounts by multiple users.
Two factor authentication is not a magic bullet for ESP security, and if it distracts you from implementing more effective (behaviour-based, rather than authentication based) security approaches then that narrow focus risks making your overall security worse.
Unless, that is, you’re defending solely against security threats from 1995.