Two-factor authentication hackable?

13 May 2018

Report “Two-factor authentication hackable” (1) published by Doug Olenick’ on May 10, 2018 at SC Media US is really frightening.

Two-factor authentication (TFA) is a great means to secure users of web services against phishing attacks. I’m aware that TFA with SMS or authenticator apps is not 100% secure because the login is not bound to the service, which means that TFA is prone to Man-in-the-Middle attacks. But the title of the report suggests that TFA is no longer secure at all.

A closer look at the report shows that Doug Olenick describes a Man-in-the-Middle attack initiated by a fake URL in an e-mail. The URL points to a web services which acts as a proxy for LinkedIn in this case. The proxy collects the users account details and the session cookie. Since the session cookie contains all details required to login to LinkedIn the attacker can hijack the users account without being requested of the password and the second factor.

For details about the attack see Kuba Gretzky’s post “Evilginx – Advanced Phishing with Two-factor Authentication Bypass” (2).

What can we learn from these reports?

TFA is vulnerable against phishing and Man-in-the-Middle attacks. User awareness and anti-phishing training become not obsolete once TFA with authenticator app or SMS is rolled out in an organization.

Although TFA is vulnerable this should not stop you from implementing TFA.

FIDO U2F Key (6)

If you want to get it right the first time implement TFA with hardware keys, e.g. FIDO U2F keys. With hardware keys the user login is bound to the original service, which means that only the real site can authenticate with the service. For details see the FIDO alliance (3) homepage or the Yubico (4) homepage. For a great user story see report “Google Eliminates Account Takeover with the YubiKey” (5).

Have a great week.

1. Olenick D. Two-factor authentication hackable [Internet]. SC Media US. 2018 [cited 2018 May 13]. Available from: https://www.scmagazine.com/network-security/two-factor-authentication-hackable/article/765135/

2. Gretzky K. Evilginx – Advanced Phishing with Two-factor Authentication Bypass [Internet]. BREAKDEV. 2017 [cited 2018 May 13]. Available from: http://breakdev.org/evilginx-advanced-phishing-with-two-factor-authentication-bypass

3. FIDO Alliance. https://fidoalliance.org/ [Internet]. FIDO Alliance. [cited 2018 May 13]. Available from: https://fidoalliance.org/

4. U2F – FIDO Universal 2nd Factor Authentication [Internet]. Yubico. [cited 2018 May 13]. Available from: https://www.yubico.com/solutions/fido-u2f/

5. Yubico.com. Google Eliminates Account Takeover with the YubiKey [Internet]. Yubico. [cited 2018 May 13]. Available from: https://www.yubico.com/about/reference-customers/google/

6. Picture Credits: Amazon.de. [cited 2018 May 13]. Available from: https://www.amazon.de/Yubico-Y-123-FIDO-U2F-Security/dp/B00NLKA0D8