There is an arms race going on between sophisticated threat actors and their targets.
Not too long ago, two-factor authentication (2FA) or multi-factor authentication (MFA) was seen as a silver bullet to defeat almost all kinds of account compromise attacks, including credential stealing websites. With 2FA or MFA, an attacker can no longer authenticate and log in to your account by simply discovering your username and password. They also need to provide a second form of identity verification, usually something you have (like a smartphone or other hardware device), or something you are (like a unique fingerprint or face).
The majority of 2FA techniques hinge on a ‘one-time passcode’ or OTP, a random 4- or 6-digit code sent to the user via text message or email. The user must provide the code after already authenticating with their username and password. An OTP as a second form of authentication is supposed to prove that the person logging in has possession of a physical phone associated with them.
But now, threat actors have developed standardized toolkits that allow them to easily compromise accounts even if they are protected with a 2FA code requirement.
What 2FA codes can protect against
Using SMS- or code-based authentication to protect your accounts is much more secure than a simple username and password. It provides protection against some of the most common types of account compromise attacks:
- Brute-force and dictionary attacks: Attackers can simply try random passwords over and over until they guess the correct password and authenticate. Using dictionaries of common passwords or combinations of dictionary words, numbers, and special characters, etc. can increase their chances of success. However, most internet-facing logins will already mitigate the efficacy of this type of attack through rate limiting the number of authentication attempts, temporarily locking the account, or providing some other manual intervention if an attack is suspected.
- Password spray attacks: Here, the attacker will use previously discovered account credentials and try them on a wide range of website logins. For instance, suppose you register an account on a small online game website, which is later breached and your login information is exposed. The attacker will then ‘spray’ your username and/or email combined with the breached password to attempt to log in to hundreds of banking websites, Google, Microsoft 365, Yahoo, etc. The hope is that you have re-used the same username and password at one of these more ‘juicy’ services. Password spray attacks can be easily defeated by NOT re-using passwords and ensuring websites you register with do not store your passwords in plain text.
- Keyloggers and other spyware: The attacker gains access to your computer through some form of malware or physical device and is able to capture your actual keystrokes. Or, they may have implanted malware capable of dumping the stored passwords saved in your browser or password management system. These types of attacks almost always require MFA to protect against. No matter how complex your password, if the attacker can read it as you use it, they can also use it. These attacks can sometimes be defeated by using well-implemented password managers and endpoint protections (anti-virus, anti-malware), but there is no guarantee.
- Simple phishing sites: Attackers will set up fake websites that imitate the look of legitimate login sites for banking portals, Microsoft accounts, Google, etc. They will send convincing emails asking the user to update their password, log in to check recent account activity, etc. But the link will point to their malicious site instead of the real login page. Fortunately, even if you provide your username and password to the attacker, they will be unable to use it at the real website if you have enabled 2FA.
Where Basic 2FA Fails
Although using OTP codes as a second form of authentication can defeat many types of account takeover attacks, there are multiple attack methods that allow attackers to defeat them:
- SIM swap: In this social engineering attack, a threat actor will discover your phone number and contact your carrier’s technical support. They will claim to be you, stating that they lost their phone and have a new one, and ask that they ‘port’ your phone number to the new phone’s SIM card. The phone carrier SHOULD have adequate identity verification requirements in place to prevent the attacker from successfully porting your phone number away from your phone. But this is often not the case, and we’ve seen multiple successful attacks involving this technique. Fortunately, this is usually a targeted attack, as the attacker must know lots of details about the victim to successfully trick the carrier into swapping the phone number.
- Proxy Phishing Sites: These attacks used to be limited to sophisticated, nation-state threats. But now, we are seeing evidence of standard ‘off-the-shelf’ toolkits like Modlishka that will allow almost any attacker to set up a phishing website capable of bypassing 2FA code protections.
Basically, the malicious website acts as a man-in-the-middle (MITM) between the user and the legitimate website. The user provides their username and password, which are automatically forwarded to the login page of the real website and submitted. Once submitted, the real website generates an OTP and sends it to the user via SMS or email. The malicious website will then present an input asking the user to enter the code. Once entered, the code is relayed to the real website and the authentication attempt succeeds, giving the attacker access to the account. From there, they can potentially change the password, disable or change the 2FA, or steal as much data as possible.
Newer toolkits like Modlishka also remove the need to ‘clone’ the real website’s login pages. Instead they simply proxy the current login page content directly to the victim. There’s no need for the attacker to be able to perfectly replicate the look and feel of the site, or update their fake site when the real one changes.
Of course, a user with good security awareness should be able to spot these phishing emails and website URLs almost immediately and stop the attack in its tracks. The importance of effective security awareness training cannot be overstated here.
Better 2FA Protections
Fortunately, there are different forms of 2FA available that are more secure (and even easier to use) than SMS code based authentication.
- Authentication Apps: An app is downloaded to the user’s mobile device and ‘registered’ with the website. When the user authenticates, a push notification is sent to their device, which asks the user to approve or deny the login attempt. Here, apps like Microsoft’s ‘Authenticator App’ or Duo Mobile can be used across many websites, so there is no need to download multiple apps for different websites.
- Hardware Tokens: A physical token (usually a USB stick, Bluetooth or NFC enabled token) can also be used to provide 2FA. This is very similar to the app-based workflow above, except the user must physically insert the token into their device and touch a physical button on the device or enter a PIN to allow its use. Most of these devices use a standard called U2F or the more modern FIDO2 standard to provide the back-and-forth secure authentication with the website. Popular devices include Yubico’s Yubikey, Feitian, Thales SafeNet eToken, and SoloKey.
Both of these techniques have an important distinction from traditional SMS-based OTP authentication: even if the user is tricked into authenticating with the second factor, the attacker cannot use that authentication information to log in to the real website. Here’s why:
- Unlike OTP codes, the authentication information sent from the device to the server can NOT be intercepted and replayed in a MITM attack. The FIDO2 standard uses asymmetric cryptography (a public/private key pair) to prove possession of the authentication device. The private key remains protected on the device and is never transmitted. In the case of hardware tokens, the private key cannot be read or copied, even by the owner.
- The FIDO2 standard also includes attestation of the authenticating server: each signature is tied to the domain (origin) the client is actually talking to. This means that when you are attempting to log in to your Google account, your authentication client will verify that it is indeed talking with the ‘google.com’ domain and not a ‘somehackersite.ru’ domain before ever signing anything with the private key associated with your Google account. So, even if YOU are tricked into pressing ‘Allow’ or tapping the physical key, the authentication process will fail unless the server can be verified first.
Indeed, these authentication protocols are so strong that they can safely be used by themselves, completely eliminating the need for password authentication. One caveat is that sole possession of the hardware token or device should NOT be enough to authenticate. You should protect it with a device specific PIN or biometrics if available. This way, even if you lose the device or token, someone will not be able to use it without knowledge of the PIN or your physical presence.