My organization advocates that users should use their mobile phones for two-factor authentication when logging into email and the like, but I'm concerned about whether the end device represents a problem in this equation. For example, should users avoid using Android devices for the purposes of two-factor authentication because of the malware problem on the Android platform? Or does that not come into the equation for two-factor authentication?
Ask the Expert
SearchSecurity expert Michael Cobb is standing by to answer your questions about enterprise application security and platform security. Submit your question via email. (All questions are anonymous.)
Two-factor authentication is all the rage at the moment, with many big-name websites introducing it as an additional safeguard against password compromises. Most banks already make two-factor authentication compulsory for accessing online services, but recent attacks against high-profile targets such as the Associated Press' Twitter account have led nonfinancial sites to consider providing this extra layer of defense against attackers looking to hijack people's accounts. Twitter also recently joined the likes of Microsoft, Apple, Google, Facebook and Dropbox in offering the option of two-factor authentication when accessing an account.
Most two-factor authentication technologies used with online services generate a one-time password (OTP) when a user logs in with their username and password. The user receives the OTP via an SMS on their registered mobile device and enters it on the website to complete the login procedure. While two-factor authentication is a definite improvement on plain password authentication, it is not infallible.
For example, a man-in-the-middle attack can thwart this type of out-of-band, two-factor authentication by tricking a user into visiting a counterfeit website. Because the counterfeit looks exactly like the site the user intended to visit, the user enters their login credentials into it, believing it to be the real thing. The attacker forwards these credentials to the legitimate site, which then sends the user an OTP. The user, still unaware anything is wrong, enters the OTP in the fake website and the attacker sends them to the legitimate website, having gained full access to the account in the process.
High-value or high-profile accounts may also be attacked using number porting, where an attacker tricks a mobile provider into transferring a victim's mobile number to a new account under the attacker's control. Any SMS messages or calls sent to the victim's mobile number are sent to the attacker.
Android users currently face another threat from a version of the Pincer Trojan, Android.Pincer.2.origin, which infects devices by masquerading as a security certificate and is capable of intercepting and forwarding inbound text messages. This obviously defeats the protection offered by two-factor authentication and compromises any SMS messages containing sensitive information, such as transaction authentication numbers that are used to confirm online banking transactions.
Two-factor authentication vulnerabilities like this are likely to appear on other mobile devices eventually. As with the breach of RSA SecurID tokens in 2011, it serves as a reminder that any third-party authentication technology is dependent on the security of the relevant vendors or, in the case of text messaging, the security practices of the mobile provider. One vendor looking to combat man-in-the-browser and credential-stealing attacks is Duo Security Inc., whose Duo Push technology employs asymmetric encryption to sign and verify communications between Duo's servers and a smartphone running the Duo Push app.
As with any security measure, two-factor authentication is a case of balancing ease of use with protection and educating users on how to use the security technologies available. Despite the very real vulnerabilities currently present in most two-factor authentication implementations, opting to use two-factor authentication when it's offered is certainly far better than not using it at all.
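A server-side view of the SMS one-time-password step and the counterfeit-site weakness described in the answer above, as an added example that is not part of the original article; `OtpStore`, the 5-minute window and the 3-guess limit are assumptions. Expiry, single use and a guess limit narrow the exposure, but `verify()` receives only a username and a code, so it cannot tell whether the user typed that code into the real site or into a look-alike that passed it along.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300  # assumed validity window for an issued code
MAX_ATTEMPTS = 3       # assumed number of guesses allowed per issued code


class OtpStore:
    """In-memory store of pending one-time passwords, keyed by username."""

    def __init__(self, clock=time.time):
        self._clock = clock
        # username -> [sha256(code), expires_at, attempts_left]
        self._pending = {}

    def issue(self, username):
        """Create a 6-digit code; the caller sends it to the registered phone."""
        code = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(code.encode()).digest()
        expires_at = self._clock() + OTP_TTL_SECONDS
        self._pending[username] = [digest, expires_at, MAX_ATTEMPTS]
        return code

    def verify(self, username, submitted):
        """Return True once for the right code, inside the window and limit.

        Nothing in the arguments identifies the site the code was typed
        into, so this check alone cannot detect a relayed code.
        """
        entry = self._pending.get(username)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[username]  # expired or locked: force a new code
            return False
        entry[2] = attempts_left - 1
        candidate = hashlib.sha256(submitted.encode()).digest()
        if hmac.compare_digest(candidate, digest):  # constant-time compare
            del self._pending[username]  # single use: a later replay fails
            return True
        return False
```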
This was first published in September 2013