How to hack two-factor authentication: Which type is most secure?
Password security is one of the biggest holes in many organizations’ cybersecurity defenses. Traditionally, authentication systems have relied on knowledge of a password to differentiate between legitimate and unauthorized users of a system or service. If you know the password, then you’re supposed to have access.
The problem with this is that many people practice very poor password security. Weak and reused passwords are easy to guess and enable credential stuffing attacks after a data breach. According to Verizon’s 2021 DBIR, 61% of data breaches involved the use of compromised credentials.
Two-factor authentication (2FA) and multi-factor authentication (MFA) are designed to solve this problem. Instead of relying solely on a password for user authentication, they require a combination of two or more factors, such as:
- Something you know: password, passphrase etc.
- Something you have: smartphone, authenticator etc.
- Something you are: biometrics
2FA and MFA differ only in the number of factors that they require. 2FA uses exactly two factors, while MFA can use two or more.
By requiring multiple factors for authentication, 2FA and MFA make it harder to gain unauthorized access to a system because guessing a password is no longer enough. However, depending on the factors used, it still may be possible to bypass MFA security.
Exploring the security of MFA
MFA comes in various forms, and each has varying levels of security. Some of the main forms of MFA are as follows:
Single-use codes sent by email or SMS are the most common method for implementing MFA. By requiring the user to enter a code sent to a phone or email account as well as a password, this form of MFA requires a “something you have” factor alongside “something you know.”
However, while email/SMS-based MFA is easy to implement, it also has the most security issues. For email, the biggest problem is that proving access to an email account is not necessarily multi-factor. If a user logs into the email account with a password, the two factors are both “something you know.” Also, the same password may be used for both accounts, further undermining the security of MFA.
SMS-based MFA also has its issues and can be undermined in various ways. Attackers may perform SIM swapping attacks to take over a target’s phone number, which results in MFA codes being sent to them. Alternatively, an attacker can use social engineering to trick users into sending the code to them. These, and the vulnerabilities of the SS7 mobile network, make email/SMS-based MFA vulnerable to exploitation.
Another common form of MFA is the use of an authenticator app. When a user wants to authenticate, they provide the code currently shown by their app, and the server verifies that it is a valid code at that time. Using the time-based one-time password (TOTP) algorithm (described in RFC 6238) and a shared starting point, a server and authenticator app can generate the same series of time-dependent codes.
Authenticator apps provide reasonably good security because the one-time codes are independently generated and not transmitted between the server and client. However, any MFA algorithm that involves entering a code is potentially vulnerable to social engineering. Also, malware on a smartphone may read authentication codes from within the app.
Like a Yubikey or a smartcard, hardware authentication devices store authentication information on a physical device. When the device is connected to a computer, the user can access protected accounts (potentially after entering a PIN).
A hardware-based authenticator provides better security than an authenticator app. Because authentication information is stored on a dedicated device with built-in protections, it is more difficult for malware to access this information.
Biometric-based authentication uses the “something you are” factor. Examples include facial recognition, iris scanning, fingerprint scanning etc.
While biometric authentication works well in theory, modern biometric-based authentication systems perform poorly in practice. Numerous examples exist of people bypassing smartphone facial or fingerprint recognition systems using various techniques. However, beating a biometric authentication system typically requires access to the real owner, which makes it more secure than email/SMS-based authentication, and it is less vulnerable to social engineering attacks.
Push notification MFA uses notifications on a user’s smartphone for MFA. To access an account, the user will have to tap a notification on their phone, which is “something you have.”
Push notification MFA eliminates the need to copy a one-time code from one device to another; however, it can still be vulnerable to social engineering. People may be accustomed to addressing notifications on their phones without thinking about it, making PUSH attacks possible.
As its name suggests, passwordless authentication is designed to do away with the password as one of the two factors used during authentication. Unlike the other MFA options, passwordless authentication uses a combination of “something you have” (typically a digital certificate stored on a device) and “something you are” (biometric authentication).
The security of passwordless authentication relies on its underlying features, and, as mentioned above, biometric authentication occasionally has issues. However, even with these issues, eliminating passwords makes this a better form of authentication in terms of usability and security. Additionally, eliminating a password or one-time code makes passwordless authentication less prone to social engineering attacks.
The bottom line of 2FA
Different forms of MFA all have their strengths and weaknesses. However, any form of 2FA/MFA provides an additional layer of defense, which makes it more secure than purely password-based authentication.
- 2021 Data Breach Investigations Report, Verizon
- RFC 6238, IETF
- What Are PUSH Attacks? Hypr