The author of a recently released penetration testing tool called Modlishka, which can bypass mainstream two-factor authentication (2FA), asked a provocative question in a recently published research note: “Is 2FA broken?”
Since this isn’t the first example of how 2FA can be defeated, we asked authentication experts what they thought. Then, we asked readers to weigh in with a Threatpost poll.
More than 300 of you responded, with the overwhelming majority giving their thumbs-up to the technology, even when SMS texts (which have been compromised repeatedly) are used as a second factor. At the same time, there was an overwhelming acknowledgement that one-time passwords (OTP) sent either via SMS or via email represent a known attack surface — and as such, need to be improved upon for 2FA to truly reach its potential. And, a not insignificant percentage said that killing the SMS channel would be a good step to take.
The survey results yielded other interesting themes. For instance, we asked about user phishing awareness, which is the way most 2FA schemes are compromised, and received mixed messages in terms of how much we should rely on users to play a part in securing web services.
Also, despite the hype around biometrics — a fast-growing arena for authentication in terms of R&D effort — our respondents were lukewarm on the idea. Just 16 percent thought facial or fingerprint recognition should be the second factor for authentication. And, a surprisingly low 6 percent felt that this is where future security developers should put their efforts.
Many individual comments mentioned FIDO (Fast IDentity Online) standards. The FIDO Alliance was established in 2011 to make two-factor authentication a more mainstream thing through the development of an open standard for the use of various strong authentication technologies such as trusted platform modules (TPMs), hardware tokens and others.
On the simple question of “do you use 2FA?”, the answer was an emphatic yes. A full 86 percent of readers use it when available, and another 13 percent said that they use it sometimes. Just 1 percent said that they don’t use it at all.
Use and trust are two different things, of course, and on the question of whether respondents trusted 2FA to protect their accounts, the answers were more mixed. About half (47 percent) said that they don’t trust it entirely, and that they’re aware that it can be compromised. Another 42 percent said yes, however, because it seems like the extra layer of protection would thwart most criminals. About 9 percent said that they don’t trust 2FA but they use it anyway, because it can’t hurt and might help. Just 1 percent said they were staying away from 2FA because there have been too many security incidents.
One respondent pointed out in an additional comment that it’s the type of second-factor that’s important. “I trust FIDO security keys entirely; I don’t trust the other forms as much,” they wrote.
Which brings us to attitudes towards which second factor should be used.
Which Second Factor?
Right now, the state of play is for a one-time password (OTP) to be sent to a phone via text, or to a computer via email. Both of these OTP methods have been cracked, mainly through phishing.
So what should replace OTP? By a significant percentage, hardware tokens are the favored replacement. A full 57 percent of respondents said that these tried-and-true legacy technology dongles should still have a place in authentication security — and in fact should be the go-to.
In addition to the set poll options, we received several other responses. These included time-based one-time password (TOTP), which uses the current time of day as one of its factors, ensuring that each password is unique; 2FA code-generator apps; biometrics or hardware security keys based on FIDO standards; Authy or Google Authenticator; and software tokens.
“Server-side OTP generation is broken,” said one respondent.
And yet, 12 percent said that SMS is fine as it is.
Here are the rest of the results:
Top 2FA Security Problems
And indeed, when asked more broadly about 2FA security concerns in general, respondents primarily thought that OTPs are at issue. About 65 percent agreed that SMS in particular (36 percent) and OTPs in general (29 percent) are the main problem.
One respondent making an additional comment said that “phishing is the biggest threat. Need to move to unphishable authentication.” Another said the most glaring issue is a lack of independent verification channels.
About a fifth see the potential for compromise via phishing as the key concern, which led them to tick “user education” — or rather the lack thereof — for 2FA’s insecurity.
Next we followed up on the phishing awareness piece, and asked what part user awareness plays. If users can spot a phishing attempt, in theory this makes existing mainstream 2FA that much more secure.
However, only 34 percent of respondents ranked user phishing education as “very important.” The largest percentage of respondents (46 percent) felt that while user awareness is important, it’s not to be relied upon.
Future 2FA Development
We also asked about the future of 2FA. The largest percentage of respondents (32 percent) agreed that making the experience frictionless for the user — regardless of what the second factor might be — should be a priority in development efforts for future solutions. After all, it doesn’t matter how secure a solution is if it’s too unwieldy for the average person to adopt.
Other suggestions from readers making use of the comment box included developing solutions around FIDO standards, which the respondent said represent “unphishable authentication,” or, establishing an alternate channel for validation of the second factor.
Echoing the anti-texting theme from previous questions, a fifth of respondents said that efforts should coalesce around “killing SMS”. The rest of the answers were fairly evenly split:
Is 2FA Broken?
And finally, we asked the main question, as to whether 2FA is broken. The consensus seems to be no, even when referring to OTP mechanisms — however, 36 percent noted that it’s “cracked,” and that the process needs to be improved. Respondents also hinted at other issues. Just 16 percent felt that the ability to compromise OTPs is the only problem with 2FA.