Flawed two-factor authentication
03 February, 2016
category: Corporate, Digital ID, Financial
Dovell Bonnett, CAC – Cybersecurity for the Business Owner
For years I have had many heated arguments with different security companies and CISOs, arguing that getting an additional logon code from your phone or IM is not true two-factor authentication. Here’s why, and here’s my proof.
Authentication is always from the guard’s, sentry’s or computer software’s logon perspective. These gatekeepers want to know if you have in your possession the multiple identifiers required to gain access. Many people mistakenly look at multi-factor authentication from the user’s perspective as to the number of items they present.
There currently are three factors, or forms of identification: something you have (a card), something you know (a password or PIN), and something you are (a fingerprint). Presenting only one of these factors is called single-factor authentication, and in today’s world this is considered very weak authentication. As a side note, a new factor is being discussed: somewhere you are. This uses the GPS in your smartphone to determine your location and checks whether that location matches your travel habits. Frankly, I find this form of identification disconcerting in that my movements are being tracked. But that is for an entirely different discussion.
By definition, with multi-factor authentication you have to present two or more dissimilar factors, like card-PIN, card-fingerprint, PIN-fingerprint, or card-PIN-fingerprint. Two is stronger than one, but three is even better.
Typing in a password and then a texted PIN is a know-know response, because the user is presenting the guard two things the person knows. The guard never authenticates the phone itself, and phones can be cloned or messages intercepted. Fingerprint plus facial recognition has the same problem: two “are-are” recognitions. A membership card and a credit card are “have-have.” At least if they used a driver license with a photo, they would get the “are” part because of the photo. These are all examples of double-single-factor authentication.
Proof: Android malware has been detected that is capable of defeating two-factor authentication by forwarding voice calls containing one-time passphrases that would ordinarily be received by the authorized user, reported Dinesh Venkatesan, principal threat analysis engineer at Symantec.
Venkatesan reported last year that Android malware, first detected in 2014 and referred to as Android.Bankosy, had been observed intercepting short message service (SMS) messages. The malware recently added the ability to forward voice calls, because financial institutions have been moving away from sending the one-time passcodes via SMS.
Although the ability to defeat two-factor authentication should be a concern, Symantec rated the Android.Bankosy malware as “Risk Level 1: Very Low,” in part because it must be installed manually on the victim’s device.
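To make the classification above concrete, here is an added example (my own illustration, not code from the post or from Symantec): it labels a logon policy as single, double-single or multi-factor using the post’s rule that an SMS or voice code is “know,” and then checks whether a purely remote compromise (stolen password plus the OTP-forwarding behaviour attributed to Android.Bankosy) is enough to pass. The credential names and the attacker-capability table are assumptions constructed for the example.

```python
"""Factor-category checker for the 'double-single-factor' argument.

Added example, not the author's code. The credential-to-factor mapping
follows the post's reasoning: an SMS or voice one-time code counts as
'know' because the verifier only checks a value the user types in; the
phone itself is never authenticated.
"""

# Factor the verifier can actually check for each credential type (assumed mapping).
FACTOR_OF = {
    "password": "know",
    "pin": "know",
    "sms_otp": "know",       # typed-in code; the phone is never authenticated
    "voice_otp": "know",     # same, delivered by a call
    "smartcard": "have",
    "membership_card": "have",
    "credit_card": "have",
    "fingerprint": "are",
    "face": "are",
}

# Constructed attacker capabilities, for risk comparison only: what each
# compromise puts in the attacker's hands. OTP forwarding mirrors the
# SMS/call-forwarding behaviour the post attributes to Android.Bankosy.
COMPROMISE_YIELDS = {
    "credential_theft": {"password", "pin"},
    "otp_forwarding_malware": {"sms_otp", "voice_otp"},
}


def classify(credentials):
    """Classify a logon policy as the post does: single, double-single or multi-factor."""
    factors = [FACTOR_OF[c] for c in credentials]
    distinct = set(factors)
    if len(factors) == 1:
        return "single-factor"
    if len(distinct) == 1:
        return "double-single-factor (" + "-".join(factors) + ")"
    return "multi-factor (" + "-".join(sorted(distinct)) + ")"


def survives(policy, compromises):
    """True if an attacker holding everything the listed compromises yield
    still lacks at least one credential the policy requires."""
    stolen = set().union(*(COMPROMISE_YIELDS[c] for c in compromises))
    return not set(policy) <= stolen


if __name__ == "__main__":
    remote = ["credential_theft", "otp_forwarding_malware"]
    for policy in (["password", "sms_otp"], ["smartcard", "pin"], ["fingerprint", "face"]):
        print(policy, classify(policy), "survives remote compromise:", survives(policy, remote))
```

Password plus SMS code is classified know-know and does not survive the remote scenario, while card plus PIN is have-know and does, because the card is not something the malware can forward.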
Double-single-factor authentication is stronger than single-factor, but not as strong as true two-factor or multi-factor authentication. With all the cyberattacks, and with government regulations now recommending at least two-factor authentication, you need to know what this means and what to deploy to keep your identity and data secure.
The use of a texted or voiced PIN is marketed as convenient, but convenience without security is neither convenient nor secure.
Dovell Bonnett is the founder and CEO of Access Smart, LLC.