Two-factor authentication, simply put, is a stronger method of authentication than the traditional username and password. Authentication is the process of verifying someone’s identity. To authenticate an individual, there are multiple factors including something you know (password, pin number), something you have (token, laptop, phone, smart card) and something you are (biometrics). Two-factor authentication is when you authenticate a subject using two of the three factors. For example, something you know and something you have. Having two passwords is not two-factor authentication; it is single-factor authentication because there are two instances of things you know.
Several corporate and consumer-facing services make use of two-factor authentication. If you’ve ever used Google Authenticator, Microsoft Authenticator, received an SMS authentication code, you have made use of two-factor authentication.
Why do you need two-factor authentication?
Attacks on credentials are on the rise. In the latest Verizon Data Breach Investigations Report, they found that 37% of breaches made use of stolen credentials. Credentials are made up of a combination of your username and password. When an attack obtains access to your credentials, through a prior breach, credential spraying, credential stuffing or a phishing attack, they’ll try to log in as you. An attacker can maintain access to your account until you change your password, which may be 90 days, 120 days or forever.
This is where two-factor authentication comes in. If the application, system or environment you’re authenticating to is capable of two-factor authentication, your credentials are essentially useless because the attacker will not have access to your second factor (something you have or something you are).
What attacks does two-factor authentication protect against?
Two-factor authentication is an essential security control to protect all accounts that can access sensitive information. It protects against an expanding list of attacks including credential stuffing, password spraying, brute-force, credential compromise and password profiling.
Credential stuffing: Credential stuffing is when an attacker compromises a website you have an account on and then tries to log into another website to see if you reuse the same password on multiple websites. CRA, Loblaw, Canadian Tire, Instacard and Sobeys have all experienced credential stuffing attacks.
Password Spraying: A lot of end-users make use of terrible passwords including their dog’s name, spouse’s name, vacation destination or, our favourite, the seasons (e.g., Spring2020, Summer2020, Fall2020 and Winter2020). Password spraying is when an attacker tries to log into a number of accounts with some of the most common passwords. This is because most websites with reasonable security may prevent brute force attacks. For example, after 5 failed login attempts, your account is blocked for 1 hour.
Brute-force: Brute-force is basically the opposite of Password Spraying. Instead of trying a small list of passwords against several accounts, this explores an extensive list of passwords against a few accounts. These may be truly random passwords (e.g., aaa, aab, aac) or based on a long wordlist or dictionary.
Credential Compromise (Phishing): Phishing attacks often try to obtain access to your credentials. It is very common to have an e-mail that links to a fake login page for banking, corporate VPN, or any others. The purpose of this is to obtain access to your password without you knowing and after stealing your password they may redirect you to the correct page (and log you in).
Credential Compromise (Malware): Key loggers are a type of spyware/malware/hardware device that monitors keystrokes and mouse movements and logs them to a file for an attacker to review. Sophisticated malware, including banking trojans, will have filters on the capture to sift through the noise and only document the passwords they’re interested in.
Password Profiling: Perhaps the most sophisticated attack, password profiling is when an attacker performs intelligence gathering to understand more about you and who you are to know what types of interests, pets, partners or hobbies you have to make a more intelligent word list. These attacks may also make use of past compromised passwords. For example, if your password was Toronto1 you may change it to Toronto2 to make things easier (please don’t do this!).
What are the different types of two-factor authentication?
Two-factor authentication exists in multiple implementations including a hardware token that’s often time-based, a mobile application, a SMS message to your mobile device, or a smart card. Each of these contains various strengths and weaknesses worth considering before implementing in your environment:
Hardware-based tokens include Yubikey, Google, RSA and several others. They display a seemingly random number that changes every 60 seconds. Hardware tokens are more secure, but a bit more difficult to roll out because of the logistics involved.
Mobile-app tokens include Google Authenticator, Microsoft Authenticator, Duo, Authy and more. Instead of the number, this may involve a push to a mobile application on your phone that prompts you to approve or decline. This makes two-factor easier, but we’ve often found when we target implementations that make use of push notifications end-users often accept without much thought.
SMS messaging is the simplest way to roll out two-factor authentication, but often the least secure as we’re seeing with SIM-swapping attacks. Ironically enough, this is because telecom companies do not properly authenticate you when you call for help.
Smart Cards are essentially credit cards with a chip on them that are resistant to tampering and near impossible to copy. They’re used for banking (chip and pin), credit cards, authenticating to HSMs, and more.
Putting the pieces together
Two-factor authentication protects against an ever-growing list of attacks. Passwords have always been a very weak form of authentication because we often choose terrible passwords because they’re easier to remember. This is why companies like Twitter have banned the top 500 weak passwords, and why Specops Soft has such a compelling offering to help block billions of weak passwords in corporate environments. Two-factor authentication is an additional layer, but one that must be used on all internet-facing applications, components, and infrastructure. Wherever possible, the Packetlabs team recommends implementing two-factor authentication to minimize the potential for account takeover. Contact us to learn more about how we can help.
10 January - Blog
Your Guide to Objective-Based Penetration Testing
14 December - Blog
2022 in Review and Our Predictions for 2023: Cyber-Threat Landscape
05 December - Blog
Choosing a Penetration Testing Company: Methodology & Certifications