Does Two-Factor Authentication Need Fixing?

Tuesday, July 03, 2012

Nick Owen


NetworkWorld recently ran an article entitled "Does two-factor authentication need to be fixed?"

The article discusses two topics: malware that processes fraudulent transactions after session authentication has completed, and the "Team Prosecco" attack against PKCS#11-based smart cards. (I have commented on that paper already, so I will focus on the former here.)

Needless to say, the title is overly simplistic. Does two-factor authentication need fixing? Well, that depends on what you are trying to do now, doesn't it?

Nobody is trying to do two-factor authentication as an end in itself. They are trying to work remotely, secure their customers' data, or perform online banking. Even the most basic risk analysis shows that the title is misleading.

I find it fascinating that two-factor authentication gets blamed for a malware attack in a report from an anti-malware company. Here's a thought: stop the malware. Apparently, they cannot, so they lay the defeat elsewhere:

"According to the report, code customization that includes rootkits for client-side malware and encrypted links help hide the criminal attack process and avoid antivirus scans. 'And some of the web servers move dynamically so that blacklisting and reputation-centric technologies are not effective.' The report says the techniques used are basically 'a significant breakthrough for the fraudsters' because they represent the 'defeat of two-factor authentication that uses physical devices.'"

So, assuming that the anti-malware companies cannot keep malware off PCs, what can be done? Well, actually, stronger authentication can be applied at certain points in the online banking process to reduce exposure. When people think of two-factor authentication, they typically mean session authentication. The malware hijacks an existing, already-authenticated session.

What can be done? Well, you can add two-factor authentication to the transaction itself. If done properly (i.e., cryptographically distinct from the session authentication), it reduces the attack surface to the moment when a user is performing a transaction.

Further, if you send a receipt to a mobile phone in a cryptographically secure manner, you can confirm the transaction details with the user.

Can attackers target both a user's PC and their smartphone? Yes. Does that make it pointless? No, because the goal is not perfection, but to reduce the amount of fraud.

At WiKID, we have also tried to address network-based man-in-the-middle attacks against web apps by validating the SSL certificate for the user. The token downloads a hash of the targeted site's SSL certificate along with the one-time passcode.

The token client fetches the certificate from the website, hashes it, and compares it to the downloaded hash. If the hashes match, the URL is presented as validated and the default browser is launched to that URL. We have really just applied some basic cryptography to minimize the attack surface.
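As an added illustration (not WiKID's own code), here is the comparison step in Python: the hash that arrives with the one-time passcode is checked against a hash of the leaf certificate the client fetches itself, and the browser URL is only produced on a match. The host name and the sample certificate bytes are constructed assumptions.

```python
import hashlib
import hmac
import ssl
from typing import Optional

# Constructed sample standing in for DER-encoded certificate bytes (not a real cert).
SAMPLE_CERT_DER = b"constructed-der-bytes-for-bank.example"


def sha256_hex(cert_der: bytes) -> str:
    """Hash the DER-encoded certificate exactly as the server presents it."""
    return hashlib.sha256(cert_der).hexdigest()


def fetch_certificate_der(host: str, port: int = 443) -> bytes:
    """Fetch the leaf certificate from the live site (the only network step)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def certificate_matches(cert_der: bytes, expected_hash_hex: str) -> bool:
    """Compare the fetched certificate's hash with the hash delivered alongside
    the one-time passcode. compare_digest keeps the comparison constant-time."""
    return hmac.compare_digest(sha256_hex(cert_der), expected_hash_hex.lower())


def validated_url(host: str, cert_der: bytes, expected_hash_hex: str) -> Optional[str]:
    """Return the URL to hand to the browser only when the certificate matches;
    on a mismatch return None so the client never launches toward the site."""
    if certificate_matches(cert_der, expected_hash_hex):
        return f"https://{host}/"
    return None


def demo() -> Optional[str]:
    """Offline walk-through using the constructed sample instead of a live fetch."""
    expected = sha256_hex(SAMPLE_CERT_DER)  # what the server would send with the OTP
    return validated_url("bank.example", SAMPLE_CERT_DER, expected)


if __name__ == "__main__":
    print(demo())
```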

Does two-factor authentication need to be fixed? It needs to be better. In particular, I think we need to make two-factor authentication less of a hassle for both users and administrators. But it should not be the whipping boy for general security failures and a lack of proper risk management.

Maureen Robinson: For solving this security situation and any other issues regarding security, we suggest applying a threat model which will handle potential security problems and vulnerabilities before you invest significant time and resources. If not, problems will grow to the point where they will be difficult to reverse. You can find more details on this topic here: