In infosec, multi-factor authentication is often considered a positive, constructive element of layered security. However, some people have an oversimplified view. With multi-factor authentication, there are many nuances to consider.
At BSides Austin I presented on this topic.
When shopping for a multi-factor authentication solution, what should you look for? There are over 200 multi-factor authentication vendors; how do you evaluate the best one for your needs? You can weed out more than half of them by following one simple step. Just say, “No,” or ask for alternatives, to the following suboptimal choices:
- 2D fingerprints, other already-hacked or easily hacked biometrics
- QR codes
- Short Message Service One-Time Password (SMS OTP)
- JavaScript requirements
- Weak account recovery methods
- Lack of mobile device risk analysis
- Lack of checks for OWASP Mobile Top 10 Risks[1] for mobile apps
- Encryption with backdoors, mysterious constants, or “magic numbers” of unknown provenance[2]
- Definitions of multi-factor authentication that diverge from NIST’s. NIST defines multi-factor authentication as two or more of something you know, something you have, and something you are.[3] There is a growing chasm between NIST’s definition and newer definitions from some vendors.
Biometrics - As German defense minister Ursula von der Leyen can attest, fingerprints can be hacked, even from photographs.[4] Facial and other biometrics can also be hacked. Why, then, is biometric-based authentication so fashionable? It is easy to reset a password. It is hard to reset fingerprints. According to industry expert Dustin Kirkland, “… biometrics cannot, and absolutely must not, be used to authenticate an identity.”[5] His March 15, 2015 SXSW talk title sums up his position: “Fingerprints Are Usernames, Not Passwords.”
QR Codes - Many information security professionals stopped using QR codes long ago. QR codes can be easily hacked, and then direct a person to a malicious website, or other hazardous URL.[6]
SMS OTP - In Operation Emmental, banking malware was used to scrape SMS OTPs from Android phones.[7] This is just one example of how SMS OTP is susceptible to man-in-the-middle (MITM) attacks. A 2014 paper from Northeastern University and Technische Universität Berlin states, “SMS OTP systems cannot be considered secure anymore.”[8]
JavaScript - Many multi-factor authentication vendors require JavaScript, and when an app is downloaded, insert JavaScript code into the browser. If WhiteHat Security’s Aviator browser is in use, or JavaScript has been disabled, the multi-factor authentication solution will not work.
Account Recovery - According to Google product management director for identity, Eric Sachs, account recovery is the Achilles heel of authentication.[9] Google Authenticator recovery keys are provided during enrollment. The user is told to print them out and store them in a wallet or other safe place. Account recovery is often a weak link, an opportunity for social engineering or other attacks.
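Recovery codes are the part of account recovery that is easiest to get right, and the paragraph above gives the shape of it: issue them once at enrollment, let the user keep them somewhere safe, and treat each as single-use. The example below is added here and is not code from the original post or from any vendor or product it names; the code format, the PBKDF2 parameters and the failed-attempt limit are assumptions chosen for illustration. It shows the server-side half: the plaintext codes are shown exactly once, only salted hashes are stored, a redeemed code is burned so it cannot be replayed, and repeated wrong guesses lock redemption.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Tuple

# Assumed parameters for this example (not from the original post).
PBKDF2_ITERATIONS = 50_000   # slows offline guessing if the hash store leaks
MAX_FAILED_ATTEMPTS = 5      # online guessing budget before redemption locks


def _normalize(code: str) -> str:
    """Accept 'abcde-12345', 'ABCDE 12345', etc.; compare on a canonical form."""
    return "".join(code.split()).replace("-", "").lower()


def _hash_code(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", _normalize(code).encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class RecoveryCodeStore:
    """What the server keeps per user: a salt and the hashes of codes not yet used."""
    salt: bytes
    hashes: List[bytes]
    failed_attempts: int = 0

    @property
    def remaining(self) -> int:
        return len(self.hashes)


def issue_recovery_codes(count: int = 10) -> Tuple[List[str], RecoveryCodeStore]:
    """Generate `count` single-use codes at enrollment.

    The plaintext list is returned once so it can be shown to the user to print;
    only the salted hashes go into the store.
    """
    salt = secrets.token_bytes(16)
    codes = []
    for _ in range(count):
        raw = secrets.token_hex(5)                 # 40 bits of entropy per code
        codes.append(f"{raw[:5]}-{raw[5:]}")       # e.g. '3f9a1-c07b2' (constructed format)
    store = RecoveryCodeStore(salt=salt, hashes=[_hash_code(c, salt) for c in codes])
    return codes, store


def redeem_recovery_code(store: RecoveryCodeStore, candidate: str) -> bool:
    """Return True and burn the matching code; False on a miss or once locked."""
    if store.failed_attempts >= MAX_FAILED_ATTEMPTS:
        return False                               # locked: too many wrong guesses
    digest = _hash_code(candidate, store.salt)
    match_index = -1
    for i, stored in enumerate(store.hashes):
        # Compare against every stored hash, with no early exit, so response time
        # does not reveal which position (if any) matched.
        if hmac.compare_digest(digest, stored):
            match_index = i
    if match_index < 0:
        store.failed_attempts += 1
        return False
    del store.hashes[match_index]                  # single use: the code is gone
    store.failed_attempts = 0
    return True


if __name__ == "__main__":
    plaintext, store = issue_recovery_codes(3)
    print("show the user once:", plaintext)
    print("first use:", redeem_recovery_code(store, plaintext[0]))
    print("replay:", redeem_recovery_code(store, plaintext[0]))
    print("remaining:", store.remaining)
```

The store holds nothing that lets an attacker who reads the database log in, and the lockout counter gives online guessing the same budget a password form would. Whether the user actually kept the printed codes is the part no code can fix, which is the post's point about this being a weak link.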
Mobile Device as Token - If the mobile device is used as a token, is the mobile device checked for malware prior to enrollment, and on an ongoing basis? According to Lee Cocking, vice president of product strategy at GuardTime, “Mobile is the new adversarial ingress point.”[10]
OWASP Mobile Top 10 Risks - If a mobile app is used (hopefully this is not the case; but if it is), was the mobile app checked against the OWASP Mobile Top 10 Risks?
Encryption - Encryption is an excellent technology for multi-factor authentication. However, sometimes you have to pull teeth to get straight answers on a vendor’s encryption implementation.
NIST states that mobile device identification, time, and geolocation could be used to challenge an identity; but “they are not considered authentication factors.”[11]
For internal employees, hard tokens and complex, multi-step enrollment processes may be acceptable. However, for external consumers or customers, ease of use requirements are much tighter. In this case, many multi-factor authentication vendors are offering the following:
- Invisible user enrollment, with no app to download
- Invisible user challenges for step-up authentication
Regardless of the use case, for either employees or consumers, consider vendors that offer context-based, risk-based, adaptive authentication built on comprehensive, learning methodologies, rather than stopping at two-factor authentication.
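Two points above fit together in code: NIST's rule that device identification, time and geolocation may trigger a challenge but are not authentication factors, and the recommendation to look for risk-based, adaptive step-up rather than a fixed two-factor gate. The example below is added here and is not code from the original post or from any vendor it mentions; the authenticator names, the risk weights and the thresholds are assumptions chosen for illustration. It keeps the two ideas separate: the factor check counts only distinct NIST categories (two "know" authenticators are not MFA, and a contextual signal is silently ignored), while the risk score, built only from contextual signals, decides whether to ask for a further factor.

```python
from dataclasses import dataclass
from typing import Iterable, Set

# NIST SP 800-63 categories. Contextual signals (device id, time, geolocation) are
# deliberately absent: they may prompt a challenge but do not count as factors.
FACTOR_CATEGORY = {
    "password": "know",
    "pin": "know",
    "security_question": "know",
    "hardware_token": "have",
    "totp_app": "have",
    "sms_otp": "have",
    "fingerprint": "are",
    "face": "are",
}

# Choices the post recommends saying "No" to (still factors by definition, but weak).
DISCOURAGED = {"sms_otp", "fingerprint", "face", "security_question"}


def is_multi_factor(authenticators: Iterable[str]) -> bool:
    """True only if at least two distinct NIST categories were presented."""
    categories = {FACTOR_CATEGORY[a] for a in authenticators if a in FACTOR_CATEGORY}
    return len(categories) >= 2


def discouraged_choices(authenticators: Iterable[str]) -> Set[str]:
    """Which of the presented authenticators fall on the post's 'suboptimal' list."""
    return set(authenticators) & DISCOURAGED


@dataclass
class LoginContext:
    """Contextual signals for one login attempt (assumed fields for this example)."""
    new_device: bool
    failed_logins_last_hour: int
    distance_km_from_last_login: float
    hours_since_last_login: float
    local_hour: int  # 0-23 in the user's usual timezone


def risk_score(ctx: LoginContext) -> int:
    """0-100 score from context only; weights are illustrative assumptions."""
    score = 0
    if ctx.new_device:
        score += 40
    # 'Impossible travel': implied speed above roughly airline speed.
    if ctx.hours_since_last_login > 0:
        speed = ctx.distance_km_from_last_login / ctx.hours_since_last_login
        if speed > 900:
            score += 50
    score += min(ctx.failed_logins_last_hour, 5) * 5
    if ctx.local_hour < 6:
        score += 10
    return min(score, 100)


def decide(presented: Iterable[str], ctx: LoginContext) -> str:
    """'allow', 'step_up' (ask for a factor from another category) or 'deny'."""
    presented = list(presented)
    score = risk_score(ctx)
    if score >= 80:
        return "deny"
    if score >= 30 and not is_multi_factor(presented):
        return "step_up"
    return "allow"


if __name__ == "__main__":
    usual = LoginContext(False, 0, 5.0, 24.0, 10)
    new_laptop = LoginContext(True, 0, 5.0, 24.0, 10)
    print(decide(["password"], usual))                    # allow
    print(decide(["password"], new_laptop))               # step_up
    print(decide(["password", "hardware_token"], new_laptop))  # allow
    print(discouraged_choices(["password", "sms_otp"]))   # {'sms_otp'}
```

The split matters for vendor evaluation: a product that describes "device fingerprint plus password" as two-factor is counting a contextual signal as a factor, which this model refuses to do, while still using that same signal to raise the score and trigger a real second factor.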
Tips:
- Ask the vendor for a threat model for the solution.
- Don’t hesitate to give feedback or ask for what you need. I recently told the CEO of a multi-factor vendor that the enrollment process was too complicated, and that it comprised too many steps. He responded immediately with a streamlined version.
- Give feedback if you are asked to adopt a multi-factor authentication solution that implements one of the suboptimal choices listed above.
Caveat emptor!
Resources:
- OWASP Mobile Top 10 Risks, Insufficient Transport Layer Protection, https://www.owasp.org/index.php/Mobile_Top_10_2014-M3
- SANS, Two-Factor Authentication: Can You Choose the Right One? http://www.sans.org/reading-room/whitepapers/authentication/two-factor-authentication-choose-one-33093
- Gluu blog, (January 15, 2014), Achilles Heel of Two-Factor Authentication
- 2014 December, Starbug (Jan Krissler) video, Ich sehe, also bin ich … Du, https://www.youtube.com/watch?v=vVivA0eoNGM&feature=youtu.be
- Gartner, December 1, 2014, Magic Quadrant for User Authentication.
- Forrester, December 30, 2013; Market Overview: Employee and Customer Authentication Solutions in 2013: Part 1 of 2
- M2SYS Technology (July 24, 2014), The Impact of Biometrics in Banking, http://blog.m2sys.com/financial-services/impact-biometrics-banking/
- Google Unveils 5-Year Roadmap for Strong Authentication, http://www.zdnet.com/article/google-unveils-5-year-roadmap-for-strong-authentication/
- “The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Technologies are Irresponsible,” BSides Austin talk, March 13, 2015, http://www.slideshare.net/eralcnoslen/the-inmates-are-running-the-asylum-why-some-multifactor-authentication-technology-is-irresponsible
References:
- [1] Source: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Risks
- [2] Source: https://www.grc.com/sqrl/sqrl.htm
- [3] Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf
- [4] Source: http://www.forbes.com/sites/paulmonckton/2014/12/30/hacker-clones-fingerprint-from-photograph/
- [5] Source: http://blog.dustinkirkland.com/2013/10/fingerprints-are-user-names-not.html
- [6] Source: http://www.csoonline.com/article/2133890/mobile-security/the-dangers-of-qr-codes-for-security.html
- [7] Source: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-finding-holes-operation-emmental.pdf
- [8] Source: https://www.eecs.tu-berlin.de/fileadmin/f4/TechReports/2014/tr_2014-02.pdf
- [9] Source: http://www.zdnet.com/article/google-unveils-5-year-roadmap-for-strong-authentication/
- [10] Source: http://guardtime.com/blog/biggest-enterprise-risk-mobile-devices
- [11] Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf