Can 2FA prevent breaches? Lessons learned from the SFO airport watering hole attack
In March 2020, two websites serving customers of San Francisco International Airport were hacked. The websites used first-factor authentication only and the cybercriminals had inserted code that allowed usernames and passwords to be stolen.
Passwords are flimsy. A quick phish or hack of an insecure database and your password is gone, stolen by a fraudster to use at will. And then there are the big enterprise breaches. If you have ever had a sextortion email, it will often be accompanied by a recognizable password you may once have used. If you go to the HaveIBeenPwned password checker, you can find out just how many of your passwords have been stolen.
To combat the less-than-secure nature of the humble password, the security industry invented the notion of two-factor authentication: add in a second credential on top of a password, and bingo, you have a second lock. Therefore, it is harder to open the door.
But is this true? Does two-factor authentication (2FA) prevent breaches?
Two-factor authentication: What is it good for?
The answer to the question, “does two-factor authentication prevent breaches,” is not a simple yes or no. It is an “It depends” kind of answer that often brings in implementation considerations.
One of the things that affect the success rate of 2FA in preventing breaches is the type of second factor used.
There are several commonly-used second-factor methods. These include:
- SMS text codes
- Time-Based One-Time Password (TOTP) (e.g., mobile authenticator app code)
- Biometric (e.g., fingerprint on a mobile device)
- FIDO security key (based on the FIDO standards)
- Passphrase (using three varying characters)
- Email code
Each has its own set of positives and negatives when it comes to preventing breaches. Some of the most popular second-factor credentials have become vulnerable because cybercriminals have focused on their weaknesses.
SIM-SWAP and SMS codes
SMS codes are vulnerable to SIM swap. This scam involves a fraudster tricking a mobile operator into swapping the victim’s phone number over to the fraudster’s new SIM card. The fraudster can then receive login codes during an attempt to login to the victim’s online account.
SMS codes are still widely used but are deprecated by NIST as a multi-factor authentication method because of inherent vulnerabilities.
Social engineering and TOTP
In the case of the Time-Based One-Time Password, or TOTP, social engineering tricks make this 2FA method less than perfect. Hackers typically use social engineering to get a user to share a login code.
Scammers may send a phishing email to the target, stating that their account is at risk. To prevent further exposure, the victim must share a code to verify themselves. The scammers tend to not want to capture the TOTP code itself, as it is time-limited. Rather, they ask for a backup code which is commonly used as part of account recovery.
Biometrics such as fingerprints and face can be used in a second-factor authentication context. The “DNA” of the biometric, its unique characteristics, are what gives this 2FA method strength (or entropy). This method is now so trusted that it is often used as an “only factor.”
The problem with this is that if something interferes with the use of the biometric (for example, the fingerprint reader has a fault), the default recovery is usually based on a password or PIN. You are then back to square one.
In addition, there have been a few cases of biometric hacks, such as the Samsung Galaxy S8 iris scanner hack.
One thing that is certain about cybercriminals is that they are highly adaptive. If there is a way to circumvent security, they will find it. In the case of second-factor credentials, often it isn’t so much the credential itself that is compromised but the process by which it is used. In the case of the Iranian espionage “Charming Kittens” campaign, the hackers used a mix of social engineering and phishing to compromise a 2FA system protecting email accounts.
Annoying two-factor authentication and UX
Two-factor authentication has had a slow acceptance from the general public. Even as recently as 2018, research from Google found that fewer than 10% of its users had turned on 2FA. One thing I learned in cybersecurity many years ago was that if someone doesn’t want to do something, they find a way not to. The user experience (UX) of security is as crucial as the underlying security measures.
Enforcing two-factor authentication in the consumer space is more complicated because it adds an extra step. Any extra steps for a consumer create friction because they remove that lovely seamless experience online apps strive for.
Unless a second factor is mandated via enforceable policies, chances are that only those users who are fully aware of the consequences of not using it will use 2FA. When Google was asked about why they did not enforce 2FA back in 2018, they replied that it was because of the impact on usability.
Stepping up the factors: Giving 2FA a chance
Two-factor authentication does not have to be an on/off switch. You can add an element of intelligence to the use of 2FA. This is usually in the form of rules that determine the need for increased authentication checks or even depressed authentication. For example, a login outside a whitelisted IP range could force the use of a second factor, while the same login within that same IP range would only require a password or even facilitate Single Sign-On (SSO) across federated applications.
In 2019, after grappling with the security versus usability of logging in, Google released research into the issues of UX and 2FA. The research carried out by the company, along with New York University and the University of California, found that while mandating a mobile device for a second-factor credential degraded the UX as it added friction, using a mobile device for verification was more acceptable.
Google looked at using “step-up authentication” instead. To use this functionality, a user associates a mobile phone number (non-mobile methods are available, e.g., secret Q&A) with their account. If a suspicious login is attempted, Google enforces step-up authentication and sends the user a login code to their device. Researchers found that this method blocked “up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks”.
Using 2FA and doing it well
The fact is, having a second factor credential in place does help to prevent a cyberattack and make a login process less risky. But cybersecurity is all about reducing risk and mitigating cyber threats and this can require more than one measure to be put in place. However, for some breach vectors, 2FA is very reliable. For example, research from Microsoft found that second-factor authentication prevents 99.9% of unauthorized login attempts.
The types of cyber threats mitigated by the use of second-factor include:
- Brute-force attacks
- Stolen passwords
- Some social engineering attacks
- Credential stuffing
- Man-in-the-middle credential theft
A final word on 2FA
Cybersecurity is about risk mitigation. Risk mitigation may require that an organization apply a multitude of methods, each adding in an extra barrier that cybercriminals have to overcome. The use of second-factor credentials is one such barrier.
In the San Francisco International Airport breach, having a second factor would have made the hacker’s job much more difficult. Perhaps to the point that they may have thought it too hard to tackle and moved to another, easier-to-hack, service.
- Hackers Breach San Francisco Airport Websites, Bank Info Security
- Pwned Passwords, Have I Been Pwned
- Sextortion Scam Uses Recipient’s Hacked Passwords, Krebs on Security
- Questions…and buzz surrounding draft NIST Special Publication 800-63-3, NIST
- Hacking the Samsung Galaxy S8 Irisscanner, media.ccc.de
- Charming Kitten Iranian Espionage Campaign Thwarts 2FA, Threatpost
- Who’s using 2FA? Sweet FA. Less than 10% of Gmail users enable two-factor authentication, The Register
- New research: How effective is basic account hygiene at preventing hijacking, Google Security Blog
- One simple action you can take to prevent 99.9 percent of attacks on your accounts, Microsoft