Best Top Reviews Online

Another Bypass: Is 2FA Defective? Experts in Authentication Weigh In

In the most recent 2FA security flaw, a penetration testing tool called Modlishka can defeat two-factor authentication. We asked a roundtable of experts to explain its significance.

A penetration testing tool published by Polish security researcher Piotr Duszyński can bypass login protections for accounts protected by two-factor authentication (2FA). In his article about the tool (named Modlishka, which translates to “mantis” in English), he asked, “Is 2FA broken?”

It’s a question that’s worth exploring, given that this isn’t the first time in recent months that 2FA has been defeated. So, to add context to this latest in a string of high-profile blows against the technology, we decided to ask authentication experts what they thought. A concise summary of the 2FA-related hacks comes first; the roundtable responses from experts follow.


Duszynski has released the reverse proxy tool Modlishka on GitHub. It sits between the user and the website to which they are logging in, be it webmail, e-commerce, or utility accounts. It allows legitimate website content to load for the user but intercepts all incoming and outgoing traffic. So, an attacker in real time can not only observe the victim’s credentials but also whatever 2FA code he or she inputs. The criminal can then quickly log into the compromised account and engage in cybercrime from there.

Any passwords are also automatically logged in the Modlishka backend panel, so an adversary can scrape credentials passively even if they are not physically present at the terminal.

“With the proper reverse proxy targeting your domain over an encrypted, browser-trusted communication channel, it can be extremely difficult to detect that something is gravely wrong,” Duszynski wrote in his posting. “Add to the equation various browser bugs that enable URL bar spoofing, and the problem could be even more severe… Lack of user awareness is tantamount to handing your most valuable assets over to your adversaries on a silver platter.”

He added that, from a technical standpoint, the only solution is to “entirely rely on 2FA hardware tokens based on the U2F protocol.”
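Why origin-bound tokens resist the proxying described above, as an added example that is not from Duszyński's article or the Modlishka project: a simplified model in which the browser writes the origin it is actually connected to into the signed client data, and the relying party checks it. The origins, the OTP value and the HMAC stand-in for the token's ECDSA signature are assumptions made for this sketch.

```python
import hashlib, hmac, json, os

RP_ORIGIN = "https://login.example.com"                    # assumed legitimate origin
PROXY_ORIGIN = "https://login.example.com.proxy.invalid"   # constructed look-alike
DEVICE_KEY = os.urandom(32)  # stand-in for the token's per-site key pair

def _sign(client_data: bytes) -> bytes:
    # HMAC stands in for the token's ECDSA signature to stay stdlib-only.
    return hmac.new(DEVICE_KEY, hashlib.sha256(client_data).digest(),
                    hashlib.sha256).digest()

def token_assertion(challenge: bytes, browser_origin: str) -> dict:
    """Browser + token: the browser records the origin it is really on."""
    client_data = json.dumps({"challenge": challenge.hex(),
                              "origin": browser_origin}, sort_keys=True).encode()
    return {"client_data": client_data, "signature": _sign(client_data)}

def rp_verify(assertion: dict, challenge: bytes) -> bool:
    """Relying party: valid signature, fresh challenge, and our own origin."""
    if not hmac.compare_digest(_sign(assertion["client_data"]),
                               assertion["signature"]):
        return False
    data = json.loads(assertion["client_data"])
    return data["challenge"] == challenge.hex() and data["origin"] == RP_ORIGIN

def otp_verify(submitted: str, expected: str) -> bool:
    """An OTP check sees only the digits, not where the user typed them."""
    return hmac.compare_digest(submitted, expected)

def demo() -> dict:
    challenge = os.urandom(16)
    direct = token_assertion(challenge, RP_ORIGIN)
    proxied = token_assertion(challenge, PROXY_ORIGIN)
    # Rewriting the origin in transit invalidates the signature.
    rewritten = dict(proxied, client_data=proxied["client_data"].replace(
        PROXY_ORIGIN.encode(), RP_ORIGIN.encode()))
    return {"direct": rp_verify(direct, challenge),
            "proxied": rp_verify(proxied, challenge),
            "rewritten": rp_verify(rewritten, challenge),
            "otp_relayed": otp_verify("492817", "492817")}

if __name__ == "__main__":
    print(demo())
```

The one-time code verifies no matter which page collected it, while the token assertion is accepted only when the browser was on the relying party's own origin.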

2FA Problems

In December, the Return of Charming Kitten APT attack was reported. The campaign was designed to circumvent two-factor authentication in order to compromise email accounts and initiate communication monitoring. It employs a similar basic premise but necessitates more manual labor from the attackers. On a convincingly fake phishing page, users are asked to enter their credentials, which the attackers then enter in real-time on the real log-in page. If the accounts are protected by two-factor authentication, the attackers redirect their targets to a new page where they can enter the one-time password. The attackers can then take this password, enter it into the real page, and proceed.

Even with 2FA enabled, an Android Trojan that steals money from PayPal accounts was discovered in early December. Posing as a battery optimization tool, it requests excessive accessibility permissions, allowing it to monitor other apps’ activity. The malware then waits on the phone for a user to launch PayPal and log in.

“Because the malware doesn’t rely on stealing PayPal login credentials and instead waits for users to log into the official PayPal app themselves, it also circumvents PayPal’s two-factor authentication (2FA),” researchers from ESET explained at the time. “Users with 2FA enabled simply complete one additional step when logging in, as they normally would, but are just as susceptible to this Trojan’s attack as those without 2FA.”

There have been additional incidents that cause us to question the effectiveness of 2FA. By intercepting SMS 2FA verification codes, hackers compromised several Reddit accounts with cloud and source-code hosting providers in August. Lee Munson, a security researcher at, stated that phishing attacks are becoming increasingly effective at bypassing 2FA.

“While 2FA is an excellent secondary layer of defense, it is not foolproof,” he said. “Typically, it can be bypassed through phishing, either by tricking a user into revealing their 2FA identifier or, far more likely, by convincing them to log in to a fake version of the site they intended to visit.”

Is It Broken?

This brings us to the question of how much confidence one should have in two-factor authentication. Certainly, these incidents garnered significant attention in the security community, but are they indicative of a more pervasive problem in which 2FA is regularly compromised? Moreover, what should be done next?

Threatpost polled a variety of authentication experts, and the consensus appears to be that two-factor authentication (2FA) is not broken, but it is showing signs of cracking. SecureAuth’s vice president and chief security architect, Stephen Cox, outlined the situation for us.

“While two-factor authentication is a step in the right direction, it is insufficient to address the current threat landscape,” he explained. “From fake login pages for popular email services to high-profile breaches in 2018 involving Yahoo and LinkedIn, there are numerous examples of attackers overcoming a company’s basic two-factor authentication procedures. The new reality is that basic methods such as knowledge-based questions and SMS-based one-time passwords are vulnerable to phishing and social engineering attacks. Attackers have demonstrated the ability to intercept SMS codes or hijack users through social engineering in order to redirect where text messages are sent.”

Jason Kichen, vice president of Advanced Security Concepts at eSentire, stated that 2FA “has been complicated and nuanced by the ongoing cat-and-mouse game between attackers and defenders… we’ve seen the simplest (and arguably oldest) implementation, 2FA via SMS, shown to be susceptible to a variety of spoofing/redirection attacks… Now we have tools (such as Modlishka) that facilitate attack execution.”

A second takeaway from our roundtable is that despite its flaws, it should be implemented because it provides an additional layer of security – even if the most widely used methods are not as impregnable as hoped.

“Any type of two-factor authentication is better than none at all,” said Kichen. “Currently, far more individuals do not use any 2FA at all. From the perspective of an opportunistic attacker, having the much-maligned 2FA via SMS makes you a harder target than the user next to you. This is more than enough for the majority of us (even in a world with Modlishka).”

Bill Evans, vice president at One Identity, echoed the sentiment: “The bottom line is that 2FA is generally really good, and it would be foolish to avoid it because of recent news. Two-factor authentication is superior to single-factor authentication. Relying on standards is a good way to increase your likelihood of success.”

Strengthening Existing 2FA

In terms of bolstering success, it is important to consider how existing two-factor authentication is implemented.

“No authentication method is perfect, and two-factor authentication is no exception,” Evans told Threatpost. “However, the vast majority of 2FA failures are not in the technologies themselves, but in the execution of the program. If you take shortcuts; if you do not couple 2FA with a comprehensive policy and risk program; and if you do not integrate 2FA into your entire identity and access management strategy, you will not realize the benefits that 2FA can provide.”

Senior security analyst at Webroot, Randy Abrams, emphasized the importance of user education.

“Phishing a person’s credentials is far too simple,” he told Threatpost. “Anti-phishing education significantly reduces the risk of authentication (credential) theft. User education is likely to become a requirement for obtaining cyber insurance, or a defense that reduces premiums.”

Some pointed out that since the compromises to date have primarily defeated the typical 2FA scheme, which uses a one-time passcode (OTP) delivered via email or text message, other, more advanced forms of 2FA, such as biometrics, should be considered. As a result of its use in iPhones and by companies such as MasterCard, biometrics is increasingly adopted and users are becoming more comfortable with it.

“Depending on the type of 2FA, almost always it relies on two factors: what you know and what you have,” said Lori Cohen, chief marketing officer at Veridium, in an interview with Threatpost. Granted, Veridium is an expert in biometrics, but her point is valid: “By relying solely on your own knowledge, you will always be vulnerable to breaches. Alternatively, you should utilize two factors: what you have, such as your phone and its unique certificate, and what you are: biometrics.”

Abrams noted that even with biometrics, two-factor authentication is merely a best practice. Multiple researchers have demonstrated that mobile phone fingerprint scanners can be defeated, he told us.

Nonetheless, as with OTP phishing, the threat must be put in perspective.

“In reality, the likelihood of someone gaining access to your phone and possessing both the ability and the motivation to break in is extremely low,” he said. “The future of authentication is to authenticate individuals as opposed to credentials,” says the author.

On Future 2FA Development

Evans of One Identity stated that, given the seemingly increasing headlines about 2FA compromise, he anticipates an escalating technology war between vendors for the most secure approach – however, “fixing” 2FA with a more difficult-to-defeat second factor may be meaningless if the user experience is not optimal.

“This means that vendors of the most secure authentication technologies will begin to make more noise about why their solution is superior to all others,” he explained. In general, however, seismic shifts in the manner in which people access protected resources encounter a number of obstacles.

These include the fact that implementing cutting-edge technology is expensive and difficult, and that most organizations lack the resources to do so. Moreover, it must be frictionless so that users will actually choose to utilize it.

“Users resist change and anything that makes their lives more difficult,” he said. “Adding more hoops for users to jump through in an effort to increase security is an invitation for users to completely avoid security and find ways to circumvent your protections. Therefore, the tone of the conversation will shift – temporarily – but the reality will quickly force security-conscious organizations to continue along their current course.”

Tim Helming, director of product management at DomainTools, took a more optimistic tone and stated that he believes well-resourced white hats will continue to win the cat-and-mouse authentication game.

“Given the attacks we’re seeing, it’s safe to assume that the major players, such as Google, Apple, etc., are aware of the situation and are working on ever-improved security methods for various types of transactions,” he told us. Apple Pay is an example of a new technology that has proven to be effective at securing sensitive communications.

Why Trust Us?

Best Top Reviews Online was established in 2018 to provide our readers with detailed, truthful, and impartial advice on what to buy. We now have millions of monthly users from all over the world and annually evaluate over a thousand products.

The above article was written by the BestTopReviewsOnline team, which consists of some of the most knowledgeable technical experts in the United States. Our team consists of highly regarded writers with vast experience in smartphones, computer components, technology apps, security, and photography, among other fields.
