Two-factor authentication is seen by many as a robust authentication method, but is it really as impervious as it seems?
It has long been known that passwords are one of the weakest methods for authenticating users. One of the first examples of a password being compromised can be traced back to 413 BCE, when the Greek army used a pass-phrase for identification during a night-time battle. Unfortunately, this pass-phrase became known to Syracusans, who used it to pose as Greek allies. Employing this ruse, the Syracusans decimated the Greek army.
It is now common practice to set minimum requirements for passwords, in terms of length and complexity. Nevertheless, these are frequently the weak point in an organisation’s security infrastructure.
Password databases can help in this regard, by providing users with a secure store of complex passwords that they no longer have to remember. However, this then becomes a single point of failure for end-point security.
Many organisations have therefore started using two-factor authentication (2FA) for access-point management, as it essentially provides another piece of security that needs to be overcome.
With the majority of 2FA systems, if the device is lost, stolen or compromised in some way (such as through malware), then the 2FA system becomes compromised.
“Two-factor authentication does not authenticate an individual. It authenticates the device. It’s what we call in the industry ‘identity approximation’. It’s not identity authentication,” says David Harding, senior vice-president and chief technology officer of ImageWare Systems.
“If you’re authenticating a device, you’re assuming that device is in the possession of the person you’re trying to identify or authenticate, and that assumption isn’t backed by anything, other than it being a known device.”
Recent examples
There have been several recent examples of 2FA being compromised. Jack Dorsey, the CEO of Twitter, had his Twitter account hacked in August 2019, which was protected using their 2FA security system, and had several unpleasant messages posted on his Twitter account. Similarly, the cryptocurrency exchange Binance had their 2FA system compromised and lost 7,000 bitcoins (approximately £31 million).
Compromising a 2FA system is lot easier than it seems. One of the easiest methods, especially in America, is a sim-swap, where a malicious actor switches a target’s mobile phone number to a new phone. Any subsequent text messages, such as those for 2FA, are sent to this new phone, thereby giving the malicious actor access.
Certain malware has also been found to compromise 2FA systems. Cerberus, a type of Android-based malware, was found to have stolen 2FA codes for Google Authenticator in February 2020. There is also the TrickBot malware, which bypasses 2FA solutions by intercepting the one-time codes used by banking apps, sent by SMS and push notifications.
Social engineering is also used to bypass 2FA security. Malicious actors may pose as a target’s bank, calling the target to “confirm their identity” by quoting the secure code that has just been sent to them, in response to an attempt to access their banking profile.
“A lot of this stuff doesn’t require any real technical skill, and that’s the really scary part,” says Harding. “There’s an old joke in the in the financial industry: ‘It doesn’t take any technical skill to take over a bank account, it just takes a winning personality’. When we first started learning about two-factor authentication being bypassed, it was through social engineering that it occurred.”
Can we fix it?
In order to combat this, 2FA needs to become identity-focused, rather than device-focused. One of the prime ways this can be achieved is through biometrics. Using biometrics in this way confirms that the individual is at their device. “The only way to truly authenticate is to rely on biometric authentication matching against a known enrolled biometric of an individual that you’re attempting to authenticate,” says Harding.
Biometric security has become a ubiquitous part of our lives. Some of the most common examples include the fingerprint and face ID biometric security on our phone, as well as the voiceprint ID when we call our banks. “The devices are already in the pockets of the of the people who are going to use them,” says Harding. “Biometrics went mainstream because of Apple and Android. The irony is, that wasn’t why they added biometrics; they actually added it for convenience.”
However, biometrics are themselves not infallible. As recent examples have shown, it is possible for biometric security to be spoofed – fooled into thinking that they are being presented with the correct information. For example; in the gummy bear hack a fingerprint scanner can be fooled by using gelatine-based sweets. There have also been instances of facial recognition being fooled by 3D rendering using photographs from Facebook.
Such exploits are being countered by the development of anti-spoofing systems built into biometric readers. For example, Face-ID can now read facial contours. “In the past, it’s been very easy to spoof some of these authentication systems,” says Harding. “The key now in biometrics, and what you’re seeing more and more of, is this anti-spoofing capability, which prevents that from happening.”
Iris-recognition is one of the more secure forms of biometrics. It is inherently robust against spoofing attacks. A famous fictional example of someone bypassing an eye scanner is from the 1993 film Demolition Man, where Wesley Snipes, as Simon Phoenix, extracts an eyeball from a security guard to bypass the iris lock. In reality, since the eye is an incredibly delicate structure, which would quickly decay, this gruesome technique is highly unlikely to work.
That said, one of the key issues around biometrics is that they commonly confirm biometric identity on the device, rather than through a centralised database. Furthermore, smart devices frequently allow more than one person to unlock the device using biometrics. When used in this way, all that the device is confirming is that the biometrics are those of someone who is authorised to use the device. This is not necessarily the person whose identity needs to be confirmed.
“Touch ID – Google’s fingerprint reader – doesn’t really authenticate the user. They check against the enrolled fingerprints on that device. I know this because I’ve coded to it,” says Harding. “For example, my fingerprint isn’t the only fingerprint that’s enrolled on my phone. My wife’s is as well, for a very simple reason; so she can change the music in the car. But to the phone, it doesn’t matter. It says; one of the fingerprints matches, but it can’t tell the difference between me and her.”
Another downside of biometrics is the frequency of false positives and false negatives. False-positives is where a match is made where there isn’t one, most commonly reported with facial recognition systems.
There are also false negatives, which is where a match fails to be made, despite being true. This is especially true for fingerprint scanners, where even having damp fingers can cause a problem. “Some 30% of the global population does not have an easily read or readable fingerprint. There are a number of reasons for that; you age and so your fingerprints degrade over time, some people genetically just have bad fingerprints. Then there’s what you do for a living or hobby,” says Harding. “I suffer from all three and have to re-enrol my fingerprint about every two weeks on my iPad and iPhone.”
Rather than relying on the device, organisations can use a centralised database to store the biometric data of all the registered users for a particular service. This allows biometric readers to reference the database rather than the device for authentication. In so doing, this shifts the focus from device authentication to user authentication.
Combining multi-factor authentication (MFA) with biometrics provides an additional layer of security. Rather than relying on password and biometrics, requiring three (or more) levels of authentication, with the added necessity of biometrics, provides organisations with a robust level of security that would not be otherwise achieved using 2FA or biometrics alone.
As smart devices become more sophisticated, they provide new and greater means for biometric authentication. “We’re going see higher resolution cameras. We’re at some point going to see infrared technology,” says Harding. “We can take advantage of things like the iris and we’re going to see more biometric modalities.”
Most smart devices now have a fingerprint lock and face ID, but the more secure iris recognition systems require dedicated devices. Naturally, this has a significant cost impact, especially if they need to be distributed to every person requiring access.
Although 2FA is more secure than just relying on a password, to assume it is sufficiently robust for a modern organisation would be short-sighted. Likewise, rather than relying on device-based authentication, organisations should consider using a centralised database, where identities can be securely stored and authenticated. “This is going to be the future of identity authentication,” says Harding. “Everything else is still identity approximation, and identity approximation will continue to fail.”
This article originally appeared on ComputerWeekly.