Faking It - When is Two Factor Authentication Not?

Monday, February 28, 2011

Rafal Los


I got an interesting email from a colleague recently about PayPal's "2-factor authentication".

Admittedly, when I first bought my security token from PayPal a while back, I remember thinking how much more secure PayPal was for offering this kind of protection.  Apparently, though, it's a bit of smoke and mirrors.

As Brian points out here in his post, your PayPal account is securely guarded by 2-factor authentication right up until you tell their system you don't have your token.  Then everything devolves back to the old days of passwords and secret questions.  The "lost token" flow is a login path too, and a password plus a secret question is still only one factor (two things you know).  I'm not comfortable with this... so I started thinking.

After a little bit of thought, I realized that my online banking account, which is protected by a one-time password sent to my phone via SMS, is much the same.

If I simply change my browser's user-agent string to that of an iPhone or a similar mobile device (which doesn't have Flash...), I get plain username-and-password authentication.  I'm just not OK with this.  But these aren't the only examples... I bet you have more, and I know I have 4 tabs open right now which all have the same problem.

So what's the moral of the story here?  Be careful about what you consider safe(r) as far as 2-factor authentication goes.

Take a look at the authentication scheme from a 360-degree view... and see whether the strong authentication the second factor provides extends to all platforms and flows (mobile device? HTML-only site? the "I don't have my token" recovery path?).  If not, your account is protected by the lowest common denominator, and for most sites that's a simple username and password.  An attacker doesn't have to beat the token; he only has to pick the path that never asks for it.

Ask yourself if you're OK with that.  Then ask yourself... is there anyone serious about security out there?  Who?

And are you willing to change banks, credit card companies, whatever, to get that better protection?  Because that's the only way things are going to get better: if we pull away from platforms that are faking their strong authentication.
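The "lowest common denominator" check above can be made mechanical. The following is an added example written for this post, not PayPal's or any bank's real login code: a toy model of a login service with a desktop channel, a mobile channel and a lost-token recovery flow (channel names, user-agent strings and credential names are all assumptions), a vulnerable policy that drops the one-time password on the mobile and recovery paths, a hardened policy that does not, and an audit that counts factor *categories* (something you know / have / are) per path and reports the weakest one.

```python
"""Weakest-path audit for a login service.

Added example for this post, not PayPal's or any bank's real code.
Channel names, user-agent strings and credential fields are assumptions.
"""
from dataclasses import dataclass

KNOW, HAVE, ARE = "something you know", "something you have", "something you are"

# Category of each credential. A security question is still knowledge,
# so password + question is one factor, not two.
FACTOR_OF = {
    "password": KNOW,
    "security_question": KNOW,
    "otp": HAVE,  # code from a hardware token or an SMS to the user's phone
}

# Every route to the login decision, including the recovery flow
# (constructed; user-agent strings are illustrative).
PATHS = [
    ("desktop", "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/3.6", False),
    ("mobile", "Mozilla/5.0 (iPhone; CPU iPhone OS 4_2 like Mac OS X) Safari", False),
    ("lost token", "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/3.6", True),
]


@dataclass
class LoginRequest:
    user_agent: str
    credentials: dict          # credential name -> value supplied by the client
    lost_token: bool = False   # client clicked "I don't have my token"


def is_mobile(user_agent):
    return any(m in user_agent for m in ("iPhone", "Android", "Mobile"))


def policy_weak(req):
    """Vulnerable policy, modelled on the post: OTP only on the desktop
    site, and the lost-token flow falls back to a security question."""
    if req.lost_token:
        return {"password", "security_question"}
    if is_mobile(req.user_agent):
        return {"password"}
    return {"password", "otp"}


def policy_strong(req):
    """Hardened policy: the same two factors on every channel. The
    lost-token flow keeps a possession factor (OTP to a registered
    phone) instead of dropping to a second knowledge factor."""
    return {"password", "otp"}


def authenticate(policy, req):
    """Succeeds when every credential the policy demands was supplied.
    Value checks are omitted; the point is which factors are asked for."""
    return policy(req) <= set(req.credentials)


def factor_count(credentials):
    """Distinct factor categories, not number of checks."""
    return len({FACTOR_OF[c] for c in credentials})


def weakest_path(policy):
    """(path, required credentials, factor count) for the path needing the
    fewest factor kinds: the one an attacker will use."""
    required = [(name, frozenset(policy(LoginRequest(ua, {}, lost))))
                for name, ua, lost in PATHS]
    return min(((n, c, factor_count(c)) for n, c in required), key=lambda r: r[2])


def paths_open_to_knowledge_only(policy):
    """Paths an attacker holding only phished knowledge (the password and
    the answer to the secret question) can log in through."""
    phished = {"password": "hunter2", "security_question": "Springfield"}  # constructed
    return [name for name, ua, lost in PATHS
            if authenticate(policy, LoginRequest(ua, phished, lost))]


if __name__ == "__main__":
    for label, policy in (("weak", policy_weak), ("strong", policy_strong)):
        print(label, "weakest path:", weakest_path(policy))
        print(label, "open to a knowledge-only attacker:", paths_open_to_knowledge_only(policy))
```

Run against the weak policy, the audit reports the mobile path as a single-factor login and shows that someone holding only phished answers gets in through both the mobile and the lost-token paths; against the hardened policy no path is open to them. The factor count is what matters: the recovery flow asks two questions but still scores one.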

Cross-posted from Following the White Rabbit

Lee Mangold Rafal -

My favorites are the sites that ask for a username/password, then ask for other information that only you should know...like...where you were born...from a 4-option dropdown list...

I wish I could remember where I saw it, but just a couple weeks ago I saw a reputable site claim that this was 2-factor authentication...
Rod MacPherson :)

I guess they missed the little speech that seems to go with any talk about multiple factors of authentication.

There are really 3 different factors: Something you are, something you know and something you have.

Password and place of birth are both the same type: something you know. That only counts as one factor, and place of birth is a really weak one at that.
Given you only need one or the other, that also only makes it one factor.

Whoever that was failed on two counts to understand multi-factor authentication.
Lee Mangold @Rod - Tell me about it...

Another factor that is pretty interesting is location-based. There are devices "out there" that work like a hardware token that detects your location via GPS and uses that as part of the authentication requirement. I've never seen this used mainstream, but it's interesting nonetheless...
Rod MacPherson Lee, Is that a thing you know?
Cell phone tells website you are in NY, website asks where you are and expects you to answer NY?
Lee Mangold Rod - In theory, no. The Location sensor (LSS) generates a signature based on your actual location and transmits it to the auth server along with other credentials. If the device is trusted, it could prevent users from logging in from home (or in Russia) regardless of whether they have other credentials.

I've only seen academic materials reference the LSS/Location-based auth...Not sure if there are any actual devices out there.


Rod MacPherson Ah, ok... So it's not location as an additional credential then, but rather location as a limiting factor on authentication, more like time-based authentication that allows certain users to log in at certain times of the day.

I can see right away why that would not be very useful in real-life use, because it would have to be physically part of the token used in 2-factor auth, going on the presumption that if you have your token to read the numbers and the token is at the office then you must be at the office ...or you have a webcam pointed at the token on your desk at the office :) Otherwise you'd need some way of (semi) permanently tagging the user with a GPS receiver and a transmitter, in such a way as to be reasonably certain that the GPS and user are never apart. (animal tracking tags?) I don't think many people would go for that.
Rafal Los Wonderful conversation! This is great!

I'm so excited that this is sparking intelligent discussion. Too many organizations simply misunderstand 2-factor authentication, or what multiple factors even means, as Rod pointed out.

What makes it worse still is when a big financial messes that up ...so sad. Do customers or end-users even stand a chance!?
Franc Schiphorst Be aware that SMS/phone based two-factor can become a "something you had".

In Poland users got duped into installing a "security certificate" that intercepts the SMS code and hides it from the user. The code gets sent elsewhere so people can do stuff with your account.
Rafal Los Franc- I wasn't aware of this, and being that my background is Polish I probably should keep in better touch with my contacts there :) I suspect the problem isn't unique though ...so the 2nd factor may be as you said "something you *had* " ... so the game goes up a notch?
Franc Schiphorst More info here http://news.softpedia.com/news/ING-Bank-Polish-Customers-Targeted-by-ZeuS-185523.shtml

This problem will be with all 2-factor systems where a man in the middle can be introduced. An additional problem here is that the code can be intercepted and redirected so NEW sessions can be set up. With a "traditional" token (not connected to any hardware and without the option to install a "security certificate") you can only compromise the current session.

In the Netherlands I have a bank token generator that uses the chip on my debit card + PIN code. But it can be (and is) connected via USB so the browser can request a token. But every time I need to enter the PIN code. I guess this can be compromised as well with an advanced MitM attack.
Rod MacPherson Even with traditional tokens you have to be very careful of how the seed files are managed. It used to be that they were fairly easy to manage: make sure your RSA server is not part of the domain and well hardened, and any seed disks they sent you are locked away. Now that more and more companies are using software-based tokens for greater convenience, these seed files are more widespread, and often even e-mailed to users to enable their software token on their laptop or BlackBerry. If you have a copy of a user's seed, you have a duplicate of his token.
Rafal Los @Rod- very true. So the 'software explosion' is causing issues, clearly, with the ability to maintain secrets.

Do you see any viable solution to this epidemic?
Rod MacPherson It's tough. I don't really see a solution. Software based RSA tokens are both cheaper and more convenient, so people will continue to buy them.

One seed + user license can be used across several devices to give that user more easily accessible access to the token. It's a program on his laptop and an app on his cell phone when he's not at his laptop. He doesn't have to carry a token attached to his keys; he's already carrying the cell phone anyway. And for those with bad eyes, it's easier to read too. (On the laptop you can even copy and paste the 6-digit number into the web browser.) Soft tokens are just plain easy.

The thing I've tried to do is encourage the safest possible transfer of the seed from server to endpoint. The laptops are only done by IT staff at the office, new seeds are never e-mailed to the users, and BlackBerrys have a method to push new seeds via the BES over the encrypted channel that all the BES instructions use, so again it doesn't have to go by e-mail; you just have to get the user to ensure his soft token is set to receive a new token.

If a thief gets hold of an unlocked laptop (users never seem to shut them down), that seed is compromised and should never be re-used. In a high-security environment I would still recommend staying with hard tokens.
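Rod's point that a copied seed is a duplicate token can be shown with code. The following is an added example for this thread, not RSA's own code: SecurID's algorithm is proprietary, so the open standards HOTP (RFC 4226) and TOTP (RFC 6238) stand in for it. The seed is the RFC test-vector secret, not a real one. Both the legitimate soft token and the thief's copy run the same function over the same bytes, and the server, which verifies with that same seed, has nothing to tell them apart by.

```python
"""HOTP/TOTP code generation from a seed (RFC 4226 / RFC 6238).

Added example for this thread; it uses the open standards, not RSA
SecurID's proprietary algorithm. The seed used below is the RFC
test-vector secret, not a real one.
"""
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(seed, unix_time // step, digits)


def verify_totp(seed: bytes, code: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check; accepts +/- `window` steps of clock drift."""
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(seed, counter + d), code)
               for d in range(-window, window + 1))


def attacker_login(copied_seed: bytes, server_seed: bytes, unix_time: int) -> bool:
    """A thief who holds the seed (e-mailed seed file, unlocked laptop)
    generates a code exactly as the real soft token would. The server
    verifies against the same seed and cannot distinguish the two."""
    return verify_totp(server_seed, totp(copied_seed, unix_time), unix_time)


if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC 4226 Appendix D test secret
    thief_copy = bytes(seed)         # same bytes, different device
    for t in (59, 1111111109, 1234567890):
        print(t, "token:", totp(seed, t), "thief:", totp(thief_copy, t),
              "server accepts thief:", attacker_login(thief_copy, seed, t))
```

There is no code-side defence once the seed has leaked; the only remedy is the one Rod gives, revoke the seed and issue a new one. Hardening the transfer and storage of the seed file is therefore the whole game for soft tokens.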
Rafal Los Great recommendations Rod, sounds more like common sense than high-tech solutions ...but then again isn't that how it's been lately? All the high-tech solutions aren't really solving problems like we'd like!
Franc Schiphorst Big risk with all software-based tokens is that someone modifies Zeus or other botware and makes a connector for the soft token. They then have access to you (your login), what you know (password) and what you had (your soft-token software) and can then, "under water", get your token to generate a key (and send it to China, Brazil, Russia or wherever they want to "do business").

Or better, they can use your machine as a proxy to do business, so the bank has no way to see it's not you at your usual spot.

Basically tokens should be on devices that have no possibility for rootkits.

Hardware tokens or chip cards (but not the MIFARE Classic, as the public transport system in the Netherlands found out ;)
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.
