Yet Another Bypass: Is 2FA Broken? Authentication Experts Weigh In

A penetration testing tool called Modlishka can defeat two-factor authentication in the latest 2FA security issue. We asked a roundtable of experts what it all means.

A penetration testing tool published by Polish security researcher Piotr Duszyński can bypass login protections for accounts protected by two-factor authentication (2FA). In his write-up on the tool, (which is dubbed Modlishka, meaning “mantis” in English), he asked, “is 2FA broken?”

It’s a question that’s worth exploring, given that this isn’t the first time in recent months that 2FA has been defeated. So, to add context to this latest in a string of high-profile blows against the technology, we decided to ask authentication experts what they thought. First, a brief description of the 2FA-related hacks. Second, the roundtable responses from experts are below.

Modlishka is a reverse-proxy tool that Duszyński has released on GitHub. It sits between a user and whatever website that user is logging into, be it webmail, e-commerce, utility accounts, what have you. It allows the legitimate website content to display for the user – and then intercepts all of the traffic flowing back and forth. So, an attacker in real time can not only observe the victim’s credentials, but also whatever 2FA code he or she inputs. Acting quickly, the malefactor can then log into the account themselves and make cybercrime hay from there.

Any passwords are also automatically logged in the Modlishka backend panel, so even if an adversary is not sitting there waiting in front of the terminal, they can still scrape credentials passively.

“With the right reverse proxy targeting your domain over an encrypted, browser-trusted, communication channel one can really have serious difficulties in noticing that something is seriously wrong,” said Duszyński in his posting. “Add to the equation different browser bugs, that allow URL bar spoofing, and the issue might be even bigger…include lack of user awareness, and it literally means giving away your most valuable assets to your adversaries on a silver plate.”

He added that the only way to address the issue from a technical perspective is to “entirely rely on 2FA hardware tokens, that are based on U2F protocol.”

In December, word came of an APT attack dubbed the Return of Charming Kitten. The campaign was tailored to get around two-factor authentication in order to compromise email accounts and start monitoring communications. It uses a similar basic premise but requires more manual work on the part of the attackers. On a fake but convincing phishing page, users are asked to enter their credential details, which the attackers enter into the real log-in page in real time. If the accounts are protected by two-factor authentication, the attackers redirect targets to a new page where victims can enter the one-time password; the attackers can then take that, enter it into the real page, and are off to the races.

Earlier in December, an Android Trojan was uncovered that steals money from PayPal accounts even with 2FA on. Posing as a battery optimization tool, it asks for excessive accessibility permissions, which allow it to observe activity on other apps. Then it lurks on the phone and waits for someone to open PayPal and log in.

“Because the malware does not rely on stealing PayPal login credentials and instead waits for users to log into the official PayPal app themselves, it also bypasses PayPal’s two-factor authentication (2FA),” explained researchers at ESET at the time. “Users with 2FA enabled simply complete one extra step as part of logging in, – as they normally would – but end up being just as vulnerable to this Trojan’s attack as those not using 2FA.”

There have been other incidents too that lead us to question the efficacy of 2FA. In August, hackers compromised a few of Reddit’s accounts with cloud and source-code hosting providers by intercepting SMS 2FA verification codes. That too was likely a phishing gambit, which Lee Munson, security researcher at Comparitech.com, said is increasingly effective at thwarting 2FA.

“While 2FA is a very good secondary line of defense, it is not infallible,” he said. “Typically, it can be circumvented via phishing – either tricking someone into revealing the 2FA identifier or, far more likely, my getting them to login to a fake version of the site they were intending to visit.”

Which brings us to the question of how much confidence should anyone really have in 2FA? Sure, these incidents were high-profile in the security community, but are they indicative of a more widespread problem where 2FA is compromised regularly? And if so, what should be next?

Threatpost asked a range of authentication experts their opinion, and the consensus seems to be that 2FA isn’t broken – but it’s certainly showing signs of fissure. Stephen Cox, vice president and chief security architect at SecureAuth, laid it out for us.

“While two-factor authentication is a step in the right direction, it falls short in addressing today’s threat landscape,” he said. “From fake login pages for popular email services to the high-profile breaches in 2018 with Yahoo and LinkedIn, there are plenty of examples of attackers who have defeated an organization’s basic two-factor authentication methods. The new reality is, basic methods such as knowledge-based questions and SMS-based one-time passwords can be evaded by attackers using simple phishing attacks and social engineering. Attackers have proven that they can intercept SMS codes or hijack users through social engineering to redirect where the texts are sent.”

Jason Kichen, vice president of Advanced Security Concepts at eSentire, noted that 2FA “has been complicated and nuanced by the continued cat-and-mouse game between attackers and defenders….we’ve seen the most simplistic (and arguably oldest) implementation, 2FA via SMS, shown to be vulnerable to a variety of types of spoofing/redirection attacks…and now we’re seeing tools (like Modlishka) that make the attack execution easier.”

A second takeaway from our roundtable is that regardless of its weaknesses, it should be implemented nonetheless given that it does add another layer of protection – even if the most widely deployed approaches are not as impervious as hoped.

“Any sort of 2FA is still leaps and bounds better than no 2FA at all,” Kichen said. “For now, far more people are not using any 2FA at all. Thus from an opportunistic attacker perspective, having the much derided 2FA via SMS means you’re a harder target than the user next to you. And for most of us, this is more than sufficient (even in a world with Modlishka in it).”

Bill Evans, vice president at One Identity, echoed the sentiment: “The bottom line is 2FA is generally really good and avoiding it because of recent news is foolish. One-factor authentication is good, two-factor is better. Relying on standards is a good way to bolster your chances of success.”

Speaking of bolstering success, one of the things to keep in mind is that how existing 2FA is implemented matters.

“No authentication method is perfect and 2FA is no different, but the vast majority of failings in 2FA are not failings in the technologies themselves but failings in the execution of the program,” Evans told Threatpost. “If you take shortcuts; if you don’t couple 2FA with a deep and comprehensive policy and risk program; and if you do not ingrain 2FA in your entire approach to identity and access management, you will not realize the benefits that 2FA can bring.”

Randy Abrams, senior security analyst at Webroot, pointed out that user education is also critical.

“It is far too easy to phish a person’s credentials,” he told Threatpost. “Anti-phishing education materially reduces the risk of credential (authentication) theft. User education is likely to become a prerequisite to obtain cybersecurity insurance, or a defense that reduces premiums.”

Meanwhile, some pointed out that since the compromises to date have mainly defeated the typical 2FA scheme, which uses a one-time passcode (OTP) sent to email or via text, other, more advanced forms of 2FA, like using biometrics as a second factor, should be considered. Biometrics is increasingly being adopted and users are increasingly comfortable with it, thanks to its use in iPhones and by companies like MasterCard.

“Depending on the type of 2FA, in almost all cases it still relies on two factors: what you know and what you have,” Lori Cohen, CMO at Veridium, told Threatpost. Granted, Veridium is a biometrics specialist, but her point is well taken: “By relying on only what you know, you will always be susceptible to breaches. Alternatively, the two factors you should use are: what you have, including your phone and its unique certificate, and what you are: biometrics.”

It’s important to keep in mind that even with biometrics, 2FA is merely a best practice, noted Abrams. “Multiple researchers have demonstrated that fingerprint scanners on mobile phones can be defeated,” he told us.

That said, as with OTP phishing, the danger should be put into perspective.

“The reality is that the odds of someone getting ahold of your phone and having both the skill and the motivation to break in are exceedingly small,” he said. “Authentication needs to authenticate individuals as opposed to credentials, and that is where the landscape is heading.”

One Identity’s Evans said that given the seemingly increasing headlines about 2FA compromise, he expects to see an escalating technology war between vendors for the most secure approach – but “fixing” 2FA with a more difficult-to-defeat second factor may all be meaningless if the user experience isn’t right.

“For the authentication landscape, it means that vendors of the most secure authentication technologies will begin to make more noise about why their solution is better than anyone else’s,” he told us. “But in essence, seismic shifts in the way people log on to protected resources generally meet several obstacles.”

These include the fact that it’s expensive and difficult to implement bleeding edge technology and most organizations are not equipped to do it. But more importantly, it needs to be frictionless so that users will actually decide to use it.

“Users rebel against change and anything that makes their lives more difficult (even if it’s the right thing to do),” he said. “Adding more hoops for users to jump through in an effort to increase security is an invitation for users to avoid security altogether and find ways around your protections. So, the tone of the conversation will change – temporarily – but reality will quickly push security-conscious organizations to continue on the steady path they are already on.”

Meanwhile, Tim Helming, director of product management at DomainTools, took a more hopeful tone and told us that he has faith in well-resourced white-hats to keep winning the cat-and-mouse authentication game.

“Given the attacks we’re seeing, it is safe to assume that the major players such as Google, Apple, etc., are well aware of the state of things, and are at work on ever-better methods of security for various kinds of transactions,” he told us. “We have seen new technologies that are, to date, very successful at securing sensitive communications–Apple Pay is a good example.”

 

Suggested articles

Discussion

  • Jerome Saliga on

    This is all well and good. Conventional wisdom from security pundits and security solution developers is that there is no amount of user inconvenience, no implementation cost too great, no learning curve too much to overcome, in the name of better security. And if we somehow add enough ineffective or vulnerable security solutions and authentication methods that we will be more secure. The problem is that this ignores the real question. Why can't security solution developers develop secure solutions?
  • Craig on

    Please explain the vulnerability and associated attack vector used to interpose a reverse proxy in a https browser session, for with any kind of authentication that is a major problem.
  • SiliconAddict on

    Can we freaking stop with the clickbait titles? SMS 2FA is broken. Everything else isn't.
  • David Fredricks on

    Look at [the US Treasury Department website]. It uses 2FA, but when asking for a password it requires a complicated selection of the text from a virtual keyboard which would require the attacker to record each mouse movement and selection.
  • RW on

    Uhh...so how exactly would U2F be better then? Wouldn't you need to have something completely disconnected from the computer where the phishing is happening?
  • Jack Bicer on

    It is not surprising to see these kinds of 2FA breaches, because the 2FA products use the same communications channel for the second factor authentication. Once the channel is breached, so will the authentication. Take a look at Sekur.me, which was designed to protect against single communication channel breaches. By eliminating passwords for safety and convenience, we can stop these kinds of attacks dead on their tracks. 2FA is still good, but it needs to be better and simpler.
  • Jack Bicer on

    SMS 2FA is not broken and would have worked fine if it was implemented correctly. Look at Sekur.me SMS Login, it would have worked in this scenario.
  • EnviableOne on

    proper authetication of the site you're clicking on and single use time based OTPs (not delivered by SMS) and there is no problem. None of this is bleeding edge and everyone could implement them. That payment providers like PayPal insist on still using SMS, even in their mobile app, is the issue, most people have got the hang of single use codes
  • Don Anderson on

    Can I have your password please then if you don't want to us 2FA? What if I ask pretty please? I don't think that is the conventional wisdom at all, nor is this a "security solution developer" (is that even a thing?) problem, it is and will always be a people problem. People are not secure. In fact, they are inherently the most insecure things in any security equation. Your cavalier attitude towards security individuals and controls highlights this. You don't want to do something because it is inconvenient to you. Until your accounts get broken into, and then it is the fault of security solution developers right?

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.