The Problem with Two-Factor Authentication Solutions

Sunday, May 15, 2011

Roman Yudkin


The Problem With Common Two-Factor Authentication Solutions

More websites and online businesses today are beginning to rely on smartphones as a second factor of authentication.

Some online banks have been using SMS-based authentication for transaction verification but recently, major websites and businesses not in regulated industries are recognizing the need for stronger online authentication.

Earlier this year Google made two-factor authentication available to all users, and in the past few days Facebook also rolled out two-factor authentication.

It's great news that more websites are strengthening online authentication. When one considers how much sensitive, personal information people share on the Web, relying on a single layer of password protection simply is not enough.

However, sending a one-time password or authentication code by SMS text message is also not very secure, because the code is sent in clear text.

Mobile phones are easily lost and stolen and if another person has possession of the user's phone, they could read the text message and fraudulently authenticate. SMS text messages can also be intercepted and forwarded to another phone number, allowing a cybercriminal to receive the authentication code.

With more businesses relying on mobile phones for out-of-band authentication, cybercriminals will increasingly target this channel for attack -- meaning that businesses should use a more secure approach than a simple SMS text message.

However, the challenge for consumer-facing websites is to balance strong security with usability. Complicated security schemes will not achieve widespread adoption among Internet users.

A more secure and easier-to-use approach is to display an image-based authentication challenge on the user's smartphone to create a one-time password (OTP). Here is one example of how it can be done: during first-time registration or enrollment with the website, the user chooses a few categories of things they can easily remember, such as cars, food and flowers.

When out-of-band authentication is needed, the business can trigger an application on the user's smartphone to display a randomly-generated grid of pictures. The user authenticates by tapping the pictures that fit their secret, pre-chosen categories. The specific pictures that appear on the grid are different each time but the user will always look for their same categories.

In this way, the authentication challenge forms a unique, image-based "password" that is different every time - a true OTP. Yet, the user only needs to remember their three categories (in this case cars, food and flowers).

Delivering a type of knowledge-based authentication challenge to the user's smartphone rather than an SMS message with the code displayed in clear text is more secure because the interaction takes place entirely out-of-band using the mobile channel.

Because the mobile application communicates directly with the business's server to verify that the user authenticated correctly, it is much more secure than having the user receive a code on their phone and then type it into the web page to authenticate.

Additionally, even if another person has possession of the user's phone, they would not be able to correctly authenticate because they do not know the user's secret categories.

This secure two-factor, two-channel authentication process will help mitigate more sophisticated malicious attacks such as man-in-the-browser (MITB) and man-in-the-middle (MITM).

Perhaps as important as security is ease of use. Most Internet users won't adopt security processes that are too cumbersome, and most online businesses don't want to burden their users.

Image-based authentication is much easier on users: they only need to remember a few categories of their favorite things and tap the matching images on the phone's screen. That is far easier than typing a long password on a tiny phone keyboard, or correctly copying an alphanumeric code from the phone's text-message inbox into the web page on the PC.

In fact, a survey conducted by Javelin Strategy and Research group confirmed that 6 out of 10 consumers prefer easy-to-use authentication methods such as image identification/recognition.

More websites and online businesses should follow the example set by Google and Facebook by deploying two-factor authentication for users.

However, as criminals increasingly target mobile authentication methods and intercept SMS text messages, it will be critical for businesses to use a type of knowledge-based authentication challenge rather than sending an authentication code as a plain SMS text message.

Bud Bradford The reason they call it TWO factor authentication is because even if the crook has obtained the SMS you are still being protected by a password. Most people now keep their mobile phones as secure as their wallets too.
Terry Perkins @Bud I don't know about "most" people. I think security minded folks do protect the cell phone that way but regular folks are still a bit lackadaisical.
Rob Pickering Apparently you don't know what a TWO factor authentication mechanism is...

"requires the presentation of two different kinds of evidence that someone is who they say they are"

This is most commonly referred to as "Something you have, and Something you know". So, using a cell phone, with an SMS text message, you can create the "Something you have". Now of course, you have to acquire the "Something you know".

How exactly does intercepting the cell phone or the SMS text message allow one to then "fraudulently authenticate" as that user? You don't have the "Something you know". So, you have to acquire that piece as well.

Then you mix up two different security paradigms, "One Time Passwords" and "Two Factor Authentication". While OTP can be used within a multi-factor authentication mechanism, it's rarely used as the sole method of communication.

Unfortunately, you then go on to describe a form of one-time password using images, which depending on the number of images, would be trivial to brute-force from the user's device. A strong password itself would be ultimately much more secure than 3 images.

So, I ask: What exactly IS the problem with two-factor authentication? Your article doesn't tell us.
Roman Yudkin Thanks for the lively discussion in the comments. Please allow me to clarify:

One of the most common approaches to two-factor authentication on consumer-facing websites today is to send a one-time password or authentication code via SMS text message to the user’s mobile phone. The phone is considered the second factor of authentication because it is something the user has. Here is the most common scenario:

Step 1. User logs in to their online bank account using something they know, e.g. username and password. If they attempt to conduct a highly sensitive transaction such as transferring money to an outside account, the bank asks them to authenticate using a second factor…

Step 2. The online bank sends a one-time password or PIN to the user’s mobile phone via SMS text message. The phone is considered the second factor because it’s assumed that the user has possession of it. The user is asked to type the one-time password or PIN they received into the web page in order to authenticate the transaction.

There are a few shortcomings to this common approach to two-factor authentication:

If the cybercriminal has compromised the online account, it is not difficult to change the mobile phone information associated with the account to have the SMS text message sent instead to a phone the cybercriminal has access to. It’s also easy to obtain technology that fraudulently forwards SMS text messages to a different number. In this case, the cybercriminal compromises the online account and schedules a money transfer; when the bank sends an SMS text message to the registered phone number, it is intercepted and re-routed to a phone that the cybercriminal has access to. They read the plain text authentication code and enter it online to authenticate their transaction. The fact that the bank sent an SMS text message to a second channel barely even slowed down the criminal.

Then of course, there is also the fact that mobile phones are easily lost, stolen, or left sitting in plain view next to a computer in an Internet café or other public place. Given the fact that most people choose usernames/passwords that are easily compromised, re-use the same password on multiple accounts and have so much personal information on their smartphones, if a nefarious person gets possession of the user’s phone it would not take long for them to compromise one of the user’s online accounts. That criminal then has access to the online account and physical possession of the phone where the authentication code will be sent.

An alternative approach, which is not subject to the shortfalls described above, is to send a type of image-based authentication challenge to the user’s smartphone rather than a clear text SMS message. The visual challenge (something only the legitimate user knows) is solved on the smartphone itself (something the user has). In this way, it authenticates that the legitimate user is the person actually in possession of the phone, not another person. Here’s an example scenario:

Step 1. User logs in to their online bank account using something they know, e.g. username and password. They attempt to transfer money, so the bank asks for a second form of authentication…

Step 2. An image-based authentication challenge is either sent to the user’s smartphone or triggered as an app on the user’s smartphone. The phone is the second factor because it is something the user has. The image-based challenge requires the user to correctly authenticate by identifying – on the phone itself – a visual secret that only the legitimate user knows.

In this scenario, there are multiple layers of authentication as well as two factors of authentication. The user logged into the online account with something they know (username/password), then they solved a visual challenge (something else they know) on the smartphone (something they have).

In contrast, sending a one-time password or PIN via SMS text message does not actually verify that the legitimate user is in possession of the phone because the text message can be intercepted and received at another number by a criminal. Or, the criminal could be in physical possession of the phone, read the text message and use it to approve their transaction.

Lastly, using a type of image-based challenge that is authenticated on the smartphone, as described above, is more secure because the entire process remains out-of-band. The common approach of sending an SMS text message to the user’s phone but then having the user type the code into an insecure web session on a malware-infected machine is inherently flawed. Keeping the entire authentication process out-of-band and authenticating from a mobile app to the bank’s server is more secure.

As to your point about being able to brute force a few images, our own particular approach relies on categories of things rather than specific images so the pictures displayed are always different, making it much more difficult to brute force.

Of course, no security scheme is ever going to be 100% secure. This blog post was simply intended to point out that there are other mobile authentication approaches that are more secure than the common approach of sending a one-time passcode as a plain text SMS.

Thanks for the comments!
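As an added example, not code from the original post or from any of the commenters, the following sketch models the server side of the category-based challenge described in the article (L26-L30 of the post) and in Roman's reply above: it builds a grid with one picture from each secret category plus decoys, verifies the set of tapped pictures, and computes the guess space behind Rob Pickering's brute-force objection. The image pool, picture ids and category names are constructed for this example and are not from any real product.

```python
import hmac
import math
import secrets

# Constructed sample image pool for this example: picture id -> category.
IMAGE_POOL = {
    "img01": "cars", "img02": "cars", "img03": "cars",
    "img04": "food", "img05": "food", "img06": "food",
    "img07": "flowers", "img08": "flowers", "img09": "flowers",
    "img10": "boats", "img11": "boats", "img12": "tools",
    "img13": "tools", "img14": "birds", "img15": "birds", "img16": "shoes",
}


def make_challenge(secret_categories, grid_size=9, rng=None):
    """Build a freshly randomised grid containing exactly one picture from each
    of the user's secret categories, padded with decoys from other categories.
    Returns (grid, expected) where expected is the set of ids the user must tap."""
    rng = rng or secrets.SystemRandom()
    by_cat = {}
    for img, cat in IMAGE_POOL.items():
        by_cat.setdefault(cat, []).append(img)
    grid = [rng.choice(by_cat[c]) for c in secret_categories]
    decoys = [i for i, c in IMAGE_POOL.items() if c not in secret_categories]
    grid += rng.sample(decoys, grid_size - len(grid))
    rng.shuffle(grid)  # the same category never sits in the same cell twice
    expected = frozenset(i for i in grid if IMAGE_POOL[i] in secret_categories)
    return grid, expected


def verify(expected, tapped, attempt, max_attempts=3):
    """Server-side check of one response. The guess space of a small grid is
    tiny (see guess_space), so the server must lock out after a few failures
    instead of relying on the grid alone; comparison is constant-time."""
    if attempt >= max_attempts:
        return False
    a = ",".join(sorted(expected)).encode()
    b = ",".join(sorted(set(tapped))).encode()
    return hmac.compare_digest(a, b)


def guess_space(grid_size, n_secret):
    """Distinct tap-sets an attacker who knows only the grid size and how many
    categories the user has must try: C(grid_size, n_secret)."""
    return math.comb(grid_size, n_secret)
```

For a 3-of-9 grid the guess space is only 84 answers per challenge, which is why the verifier above locks the challenge after a handful of wrong attempts and why each challenge must be discarded after use.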
Rob Pickering 1) You usually (never) can change the destination of your SMS messages without authenticating via SMS first. So a simple account compromise of the "Something you Know" will not allow for advanced features, unless the thief ALSO has the Token.
2) "Then of course, there is also the fact that mobile phones are easily lost, stolen, or left sitting in plain view next to a computer in an Internet café or other public place" In which case your picture authentication is also invalidated.
3) Your approach isn't a different two-factor authentication approach, it's a 3rd factor (an additional "password" in the form of pattern recognition). So, you are describing multi-factor authentication.

So, it appears your conclusion to "The Problem with Two-Factor Authentication Solutions" is that they are not multi-factor authentication schemes.

Well, the problem with your three-factor authentication solution is that it is not a four-factor authentication solution, etc, etc.

Arguing against two-factor authentication schemes because they aren't multi-factor is rather weak.
Laura Deitch Thank you for sharing this information. If we talk about image based authentication then I feel even that can be broken by cybercriminals. Therefore, when we talk about security services there is always a risk factor involved but as soon as any new layer of security gets introduced one should make full use of it.

Recently, I heard about TeleSign's Two-Factor Authentication which is being used by Salesforce. Watch the demo of Salesforce with TeleSign's Two-Factor Authentication at .
Sarah Needham Laura, the link you shared appears to show exactly the type of basic, SMS approach to two-factor authentication that Roman has described in this blog as not being very secure. It appears to send an authentication code to the user's mobile phone as a clear text SMS. Such text messages are easily intercepted by cybercriminals using a Zeus-in-the-mobile (Zitmo) attack and then used to fraudulently access the victim's account. The argument being made in this blog is that the SMS channel is not a secure channel to use for out-of-band, two-factor authentication and also that a layer of authentication should be required on the mobile phone (such as making the user enter a PIN or solve an image-based authentication challenge before being able to access the authentication code or complete the authentication process on the mobile phone).
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
