Data security is a major concern for any organization, whether the concern is for internal employees or external customers. Everyone needs to be able to limit access to potentially sensitive data, and this is accomplished using accounts. However, accounts require users to authenticate and prove their identity, and this is where everything tends to fall apart.
For data protection, the password has been the go-to for ages. Even before computers, passwords were used to prove membership in a group or gain access to a speakeasy during Prohibition. People keep using them because they make sense and they tend to work.
However, passwords on the Internet tend to be insecure. It’s not their fault: people simply use weak ones and reuse them across multiple accounts. This is understandable since the average user tends to have dozens of different accounts, and memorizing a unique, strong password for each isn’t feasible. There are solutions for this (like password managers), but people rely on their memory in many cases, putting passwords in a state of crisis.
The failure of several “password killers” means that they’re still around, so solutions have been developed to help. Two-factor authentication, for instance, requires a user to provide an additional factor (usually a one-time code) to authenticate to an account. Since an attacker would need both the password and this other factor to gain access, passwords become a bit less vulnerable.
The Types of 2FA
Two-factor authentication isn’t a “one size fits all” solution. Many different types of 2FA exist, and the effectiveness and convenience of the solution depends on the type used.
One of the most commonly used types of 2FA uses SMS messages. When you try to authenticate to a website, it sends a code to your phone that you need to type in. While this type of 2FA is better than nothing, it can be circumvented by attackers in a variety of different ways. One of the most commonly used methods is to perform a SIM-swapping attack, where a hacker walks into a branch of your cell phone provider and requests a new SIM card for your phone number. If they succeed, they now have control of your number and can receive your 2FA messages. This technique has been used to steal millions of dollars in cryptocurrency (like Bitcoin). There are also variations on this approach, like receiving a phone call with the code, but these are less common.
Another common version of 2FA uses email to send you your code. While this is better than SMS-based 2FA, it involves putting “all your eggs in one basket”. In most cases, the way to reset a forgotten password on an online account is by having an email link sent to you. If done properly, this password reset will also require a 2FA code. However, if an attacker has control of your email account (which is definitely possible due to the large number of recent data breaches and the fact that many people reuse passwords), they have everything that they need to take over your other accounts.
A third option for 2FA is using app-based authenticators like Authy, Duo, or Google Authenticator. With these apps, you connect the app to your account by scanning a QR code displayed on the website, and the app then generates 2FA codes for you whenever you need to authenticate in the future. Since no communication is required to generate these codes, they’re harder to intercept; however, this assumes that you haven’t lost your smartphone and/or that you have a decent lock code on it.
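The app-based authenticators described above implement TOTP (RFC 6238): the QR code carries a shared secret, and both the app and the server derive a code from that secret and the current 30-second time step, so no message needs to be sent at login. The following is an added example, not code from the article or from any of the named apps; it uses only the Python standard library, the RFC 6238 reference test key as a constructed demo secret, and a hypothetical server-side verify function that tolerates one step of clock drift, compares in constant time, and refuses to accept a code for a time step that has already been used.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

# Constructed demo secret (not from the article): the RFC 6238 reference key,
# so the generated codes can be checked against the RFC's published table.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock.
    This is what the authenticator app computes offline."""
    return hotp(secret, timestamp // step, digits)


def verify_totp(secret: bytes, submitted: str, timestamp: int,
                last_counter: int = -1, step: int = 30,
                digits: int = 6, window: int = 1):
    """Hypothetical server-side check (assumption, not a library API).
    Accepts the current step and `window` steps either side for clock drift,
    compares in constant time, and rejects any step <= last_counter so a code
    that was already accepted cannot be replayed. Returns the matched step
    (to be stored as the new last_counter) or None."""
    counter = timestamp // step
    matched = None
    for c in range(counter - window, counter + window + 1):
        # Always evaluate every candidate so timing does not leak which matched.
        if hmac.compare_digest(hotp(secret, c, digits), submitted) and c > last_counter:
            matched = c
    return matched


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The otpauth:// string that the enrollment QR code encodes (the Key URI
    format used by Google Authenticator and compatible apps)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    now = 59  # fixed timestamp so the output matches the RFC test table
    code = totp(DEMO_SECRET, now)
    print("code:", code)
    print("uri:", provisioning_uri(DEMO_SECRET, "alice@example.com", "ExampleCorp"))
    print("accepted at step:", verify_totp(DEMO_SECRET, code, now + 30))
```

Because verification only needs the shared secret and the clock, the security of the scheme rests entirely on the secret on the phone and on the server; a lost or unlocked phone, or a server database dump, exposes it, which is the caveat the paragraph above points at.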
Finally, some companies create hardware-based security tokens like the RSA SecurID or the Yubikey. These devices can either generate a code for you or plug into your computer via a USB port. They may also require a PIN or password to authenticate you. In general, these are considered the most secure version of 2FA, but even they aren’t perfect.
Crash of the Titan
Hardware-based security keys for two-factor authentication are generally some of the best 2FA solutions that you can get. Breaking into your account requires that the attacker get physical access to the security key, which can be a lot harder than performing SIM hijacking or similar attacks. However, hardware security keys aren’t always foolproof.
In July 2019, Google released the Titan security key, which can connect to your computer via USB or Bluetooth. However, they messed up the configuration of the Bluetooth protocol, allowing an attacker to perform a Man-in-the-Middle attack against the Titan. If an attacker is close enough to pick up the Bluetooth signal, they can intercept your one-time code before it reaches your computer, allowing them to log in if they already know your password. While the need for Bluetooth limits the effectiveness of the attack (they need to be within 10 meters), it’s still insecure, leading Google to recall the affected keys and offer replacements.
Beyond 2FA
Two-factor authentication is a great idea and definitely helps to secure a variety of different online accounts. However, as the failure of Google’s Titan demonstrates, even the best 2FA schemes can fail. As a result, organizations need to be prepared to detect and prevent unauthorized “legitimate” logins.
Data protection solutions exist for protecting against attackers with access to valid credentials. Using behavioral analysis, they can detect when a user deviates from normal, benign behavior, which can indicate an attacker or a risky user. Deploying these solutions is a great way for organizations to protect their sensitive data and comply with strict new privacy regulations like the EU’s GDPR.
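To make the behavioral-analysis idea concrete, here is an added example (not code from the article or from any product) that runs two simple rules over constructed login records: a login from a country or device the user has never used before, and two logins from different countries closer together than a plausible travel time. The log format, the user names, and the thresholds are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample login events (not real data). Each line is:
# timestamp user country device outcome
SAMPLE_LOG = """\
2019-08-01T08:02:11Z alice US laptop-a1 success
2019-08-01T17:45:02Z alice US laptop-a1 success
2019-08-02T08:10:43Z alice US laptop-a1 success
2019-08-02T08:12:09Z alice US phone-a7 success
2019-08-03T03:21:55Z alice RO win-x9 success
2019-08-01T09:00:00Z bob DE laptop-b2 success
2019-08-01T09:30:00Z bob DE laptop-b2 success
2019-08-01T09:41:00Z bob BR laptop-b2 success
"""


def parse_log(text: str) -> list:
    """Parse the constructed log format into dicts sorted by user and time."""
    events = []
    for line in text.splitlines():
        ts, user, country, device, outcome = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "country": country, "device": device,
            "outcome": outcome,
        })
    return sorted(events, key=lambda e: (e["user"], e["ts"]))


def flag_anomalies(events: list, min_history: int = 2,
                   travel_window: timedelta = timedelta(hours=2)) -> list:
    """Learn each user's baseline as successful logins arrive, and flag a login
    when it deviates from that baseline. Rules (assumed thresholds):
      - new country / new device once the user has >= min_history prior logins
      - impossible travel: a different country from the previous login within
        travel_window
    Returns a list of {"user", "ts", "reasons"} for flagged logins."""
    seen = {}      # user -> {"countries": set, "devices": set, "count": int}
    last = {}      # user -> previous successful event
    flagged = []
    for ev in events:
        if ev["outcome"] != "success":
            continue
        user = ev["user"]
        prof = seen.setdefault(user, {"countries": set(), "devices": set(), "count": 0})
        reasons = []
        if prof["count"] >= min_history:
            if ev["country"] not in prof["countries"]:
                reasons.append(f"new country: {ev['country']}")
            if ev["device"] not in prof["devices"]:
                reasons.append(f"new device: {ev['device']}")
        prev = last.get(user)
        if prev is not None and prev["country"] != ev["country"]:
            delta = ev["ts"] - prev["ts"]
            if delta < travel_window:
                minutes = int(delta.total_seconds() // 60)
                reasons.append(f"impossible travel: {prev['country']} -> "
                               f"{ev['country']} within {minutes} min")
        if reasons:
            flagged.append({"user": user, "ts": ev["ts"].isoformat(), "reasons": reasons})
        # Update the baseline after evaluating, so a flagged login still
        # becomes part of history (an analyst can later mark it malicious).
        prof["countries"].add(ev["country"])
        prof["devices"].add(ev["device"])
        prof["count"] += 1
        last[user] = ev
    return flagged


if __name__ == "__main__":
    for hit in flag_anomalies(parse_log(SAMPLE_LOG)):
        print(hit["user"], hit["ts"], "; ".join(hit["reasons"]))
```

In this sample, alice's switch to a second device is reported as a low-severity change, while her login from a new country on a new machine and bob's two logins from different countries eleven minutes apart are the kind of valid-credential events the text describes: 2FA may have been satisfied, yet the behavior does not match the account's history.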