Does Multi-Factor Authentication Even Matter Anymore?

Tuesday, April 05, 2011

Rafal Los


This post draws from a bit of inspiration left by a reader who commented on a previous post of mine titled "Faking It".  

If you haven't read that post, I recommend that short read first. I love it when people leave intelligent responses... and make me think.

Well, let's take this in stride. If you just consider how trashed and malware-ridden the average person's computer is, it's entirely plausible to say that no, multi-factor (two or more factors?) authentication doesn't really add anything when the machine is compromised by malware that's often more technically advanced than the counter-measures we employ to keep logging in simple for people.

But that's just depressing, and too... "Eeyore".

Let's be realistic instead - does multi-factor authentication really matter in the modern threat landscape?  I think the answer is many times more complex than a simple yes/no would imply - but overall I think the answer is still yes.  

Here's my thinking:

  • In light of recent compromises (MySQL/Sun/Oracle, ThePirateBay, Comodo and others), it's obvious that passwords are still too simple, too easy to crack, and too often re-used across multiple tiers of risk.
  • What website breaches further teach us is that even if your password is stellar and complex, the site may store it in plain text... and when the site gets SQL-injected and its database stolen, the game is over.
  • While it may be a simple (and near-common-sense) jump to say that a vast majority of people's machines are compromised or loaded with some sort of malware... there aren't any good studies to extrapolate from - maybe we're wrong?
  • I doubt anyone thinks that multi-factor authentication will stop an attacker, but we can probably agree that it will slow him/her down; we just need to figure out to what extent.
  • In a relatively clean environment an attacker would have to compromise my computer + "me" to get at my account... and that's a pretty good level of risk mitigation.
  • I have no faith in passwords... but if even you, the user, don't know the next password, it is difficult to write it down, lose it, or trade it for a candy bar.
  • Multi-factor authentication systems that use one-time passwords give the attacker a very small window within which to strike... you get that one session and then you have to orchestrate your attack again; whereas with a compromised password the attacker can keep coming back over and over.
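
The one-time-password point in code, as an added example that is not part of the original post: an HOTP (RFC 4226) generator using the RFC's own Appendix D test key, plus a constructed server-side verifier and replay scenario showing that a code captured by malware on the PC is good for at most one use and is dead once the user logs in again.

```python
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test key; the verifier class and the scenario below
# are constructed for this example, not taken from any real product.
RFC4226_KEY = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a 31-bit integer, reduced mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


class HotpVerifier:
    """Server side of the scheme: each counter value is accepted at most once."""

    def __init__(self, secret: bytes, look_ahead: int = 3):
        self.secret = secret
        self.counter = 0              # next counter value we expect
        self.look_ahead = look_ahead  # tolerate a few unused button presses

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # consume this code and any skipped ones
                return True
        return False                  # unknown, already used, or too far ahead


def replay_scenario() -> tuple:
    """A keylogger on the PC captures the code the user types. Returns
    (user login ok, attacker replay ok, next legit code ok, far-ahead code ok)."""
    server = HotpVerifier(RFC4226_KEY)
    captured = hotp(RFC4226_KEY, 0)       # the user's first code, seen by the malware
    user_ok = server.verify(captured)     # True: the legitimate session
    replay_ok = server.verify(captured)   # False: counter 0 is already spent
    next_ok = server.verify(hotp(RFC4226_KEY, 1))  # True: user's next press
    far_ok = server.verify(hotp(RFC4226_KEY, 9))   # False: beyond the look-ahead window
    return user_ok, replay_ok, next_ok, far_ok
```

The attacker's window is exactly the one session the post describes: the captured code either gets used before the user's own login lands or it never works at all.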

Anyway... that's my take on it.  If I'm looking at implementing a multi-factor authentication system and weighing the cost/benefit... I say do it, because passwords alone are dead and buried. 

Cross-posted from Following the White Rabbit

Franc Schiphorst
As you already pointed out, only the current session is compromised. But if the machine is properly hacked (say a home PC) every next session to the bank is also compromised.

One thing to note is that there is true 2 factor and fake 2 factor. Where for me true 2 factor is a little box with one button, one display and that's it.
The only API is me pushing the button and me reading the (tiny) screen.
Software (phone) based two factor or SMS two factor can be, and ARE, compromised if the device is compromised. Like in Poland where users were duped into installing a "security certificate" on their phone that would leech SMS TAN codes for the bank.

So what do I do for my valued two-factor bank transactions?
Well, the fail is that I'm lazy and use the USB option so I don't have to enter codes, just my PIN, and press OK twice (once for the PIN and once for an overview of the transaction amount). But that's me being lazy, and the mitigation is that my debit card is only in the generator when I actually do transactions. (So you need PIN and debit card (chip) to log in and for every transaction.)
The FTW is that I also have an app on my Android that allows me to check transactions via a separate platform/path, and that I actually do check ;)

Now another form of two/three factor is biometrics. The problem there is that you, as far as I know, have to connect a scanner to a machine, and that can then be compromised.

So for me, 2 factor is OK, but in a package that can NEVER be compromised by the user/hacker.
Franc Schiphorst
And to answer your original question, yes it does. :D
Franc Schiphorst
A new variant of the software that steals "2-factor" codes of Symbian phones.
Rafal Los
Franc - I agree with what you've laid out here ... I was hoping to stimulate some brain cells and I can claim mission accomplished!

I am in the same boat as you, except that my debit card doesn't have a chip in it because on this side of the pond we're too lazy and complacent to do that.
Anthony May
I believe multi-factor does matter. I like what is doing to help solve these problems.
Franc Schiphorst
So how is this secure where an attacker has full access to a machine and can replay keystrokes incl. all the hover time etc.?
Rafal Los
Franc - that was sort of my point... when the attacker can potentially compromise the machine right into the browser you're using, then the ONLY way to trust that you're getting a secure connection without compromise to your credentials is ... hrmmm...
Anthonie Ruighaver
You seem to be looking at two factor authentication as a pure preventive mechanism. And many still are. But if the bank sends an SMS to a different device (my phone when I use my PC for internet banking), this two factor authentication scheme also becomes a detective control. I get a warning when my PC is compromised and someone adds a transaction to transfer money at the end of my session (I initiated the session, not the transaction). Now this may not be completely secure yet, but by adding additional "authentication" (three factor, i.e. by sending a confirmation email) I can choose how secure I want it to be.
Franc Schiphorst
@Anthonie that works as long as your phone has not been compromised. Polish ING users have been duped into installing a "security certificate". This is actually a program to steal the 2 factor SMSes. So if a bank uses a phone as 2 factor device then your feedback loop will probably also be compromised. (The confirmation email will most likely be received on the already compromised banking device.)

I use your feedback system myself for banking. I have an app on my droid that allows me to check my last 10 bank transactions. This is not push but pull, but for an attack to be successful they will have to target another machine that they have no knowledge of.
So it needs active attention on my part.

So for your push system to work you would need 3 devices.
Device A to do transactions
Device B (not linked to A) to get an OTP
Device C a receiver for transactions made on A.
Where A <> B <> C ;)

This is based on the assumption that devices will most likely get compromised.

So I prefer device B to be a simple OTP device with button/screen and a fat thumb as API :)
Rafal Los
@Anthonie - Perhaps you're right. But consider this ... cell phones aren't just phones anymore - these 'smart' devices are increasingly being pwn3d much like PCs ... which means that once an attacker has control over the mobile device they can keep you from seeing any sort of alerts like you mention. Now the likelihood of someone compromising your account, then your mobile device is pretty low still... but not out of the realm of possibility.

@Franc - LOL. We'll be carrying a dozen 'devices' until someone gets the genius idea of making them into software and porting them to a single device again, heh.