Email Security

Two-Factor Authentication: The Pros and Cons of 2FA Schemes

Scott Undercofler

September 26, 2019

13 min

Two-Factor Authentication

“Implement two-factor authentication.” This is the advice given by cybersecurity experts around the world when a high-profile phishing attack makes the news. While it’s true that two-factor authentication (2FA) is a legitimate method of secondary security that businesses should adopt, it’s not as foolproof as you might think. Cybercriminals are often one step ahead of the experts, and they’ve learned to get around 2FA.

The technology behind 2FA

2FA is a process by which a user is authenticated by two separate methods. For example, a username/password combination and a separate method. An example would be withdrawing money from the ATM: You need both your passcode (PIN) and the physical debit card in the machine. Many financial institution websites use two factor, where you have to authenticate via a shared pin, unless a cookie is set on your browser. This pin can be delivered via email, text message, or voice call.

There are also hardware devices, like the Yubikey, a USB device that plugs into a computer and sends a hashed one-time passcode (OTP) when the user clicks the button on the plugged-in key. The authentication service needs to be configured to use this hash, but there is broad support for it, and the integration code is open source. Microsoft offers it as a 2FA path for all Office 365 web services.

Another style of key is the rotating passphrase key. This is a software or hardware device that is synced to a server and registered to a user. The device emits a rotating multi-digit code that is appended to the end of the user password. The receiver of the combined code strips the passphrase out into the two parts and authenticates the code against the authentication server. This external passphrase is the same idea behind receiving a text message with a one-time code to use for logins.

The benefits of 2FA are clear: Adding an extra layer of security to a transaction or account means that a would-be hacker would need both keys to access the account. As in the ATM example above, if your card was stolen or lost without the 2FA of a PIN code, a bad actor could clean out your account easily. In the same way, a malicious user who had your password but not your 2FA key could not access and highjack your email account and use that data to access banking or other services.

Related Content: [White Paper] Phishing Attacks: Advanced Techniques That Evade Detection

The limitations of 2FA

The first major drawback to a 2FA process is that it requires some sort of transactional setting. For instance, if you use a VPN service that requires 2FA, the session you establish is authenticated until you disconnect. If you use it to access your insurance company’s website, a session cookie contains information that identifies you to the server. Once you log out and clear that cookie, you would need to re-authenticate. This isn’t a drawback in this setting, but in a case like using your mobile device to access email, it becomes very problematic to use the 2FA method every time you want to check your mail or send a message.

The critical flaw in 2FA is that any authentication method is only as strong as the trust placed in it. If a user receives a phishing message asking them to log in to their bank account, and the phishing email contains a link to an intermediary site that is made to look like the actual bank, the user goes to the phishing site and enters their username and password, plus their 2FA data. The phishing site then uses the two parts to log in as the user to the financial institution. Since the user “trusted” the phishing site, they gave away their credentials, rendering the second factor useless.

Security consultant and former hacker Kevin Mitnick recently demonstrated how 2FA data is recorded in session cookies. Once a phishing victim adds their 2FA code to a website, the hacker can grab the session cookie from a developer tool in a web browser, such as Chrome. With the session cookie, the hacker has no need for the victim’s username and password; they need only paste the session cookie into a browser to log in to the victim’s account.

Even more dangerous is the false sense of security that has been established. Phishing attacks are successful because of the psychological manipulation at work. By using a well-known, well-hyped security method like 2FA, the cybercriminal has not only manipulated the victim into handing over their personal information but also lulled them to sleep.

While two-factor authentication can add a layer of security to many applications, it is not sufficient. By implementing Vade for Office 365, which utilizes AI, including machine learning, to detect targeted phishing attacks and an Auto-Remediate feature to automatically reclassify any threats that initially bypassed the filter, the end user is protected from potentially costly threats.