I’ve not blogged on two-factor authentication for a while – the roll out among major providers is encouraging – Come on Amazon and Virgin Media, it’s about time you stepped up.
I was prompted to return to the subject by the article London Calling: Two-Factor Authentication Phishing From Iran.
In it, the authors cause us to reflect that, when broken down, two-factor authentication as largely implemented moves us forward from username and password to little more than username and two passwords (one of those passwords is generated and has special characteristics, such as only being usable once).
From a user perspective you enter a username, you enter a password from memory, then you enter a generated or supplied password from a device or text message.
The challenge is – as shown by the article – that this can all be phished in the same way as a username / password can.
The usual perception is that because the second “password” is generated and used only once, it is more secure. The problem with the model comes when it is used as part of a phishing attack combined with a man in the middle.
The simple model is: the attacker puts up a phishing page, collects your username and password, and in real time logs into the genuine system. This triggers the generation of a genuine second factor, which the user, expecting it, enters into the phishing site. The attacker can now log on as you – two-factor authentication defeated.
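To make the model concrete, here is a small simulation added for this post (it is not code from the London Calling article or from any provider). It implements a standard 6-digit time-based code (RFC 6238, HMAC-SHA1) behind a toy service that checks username, password and a single-use code, and then replays the relay described above: the user types all three into a page the attacker controls, the page forwards them, and the genuine service has no way to tell the request did not come from the user. The final part goes beyond the post: a hypothetical authenticator whose response also covers the origin the browser reports, which is the idea behind origin-bound second factors, and which fails when relayed because the user's browser was on the phishing origin. All names, seeds and origins are constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed demo values; none of these belong to a real service or user.
USER = "alice"
PASSWORD = "correct horse battery staple"
OTP_SEED = b"\x01" * 20                          # shared secret behind the one-time code
GENUINE_ORIGIN = "https://bank.example"          # where the user thinks they are logging in
PHISHING_ORIGIN = "https://bank-login.example"   # where the user actually typed


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


class OtpService:
    """Username + password + single-use code, as the post describes."""

    def __init__(self):
        self.used_codes = set()

    def login(self, username: str, password: str, code: str, now: int) -> bool:
        if username != USER or not hmac.compare_digest(password, PASSWORD):
            return False
        if code in self.used_codes:                 # "can only be used once"
            return False
        if not hmac.compare_digest(code, totp(OTP_SEED, now)):
            return False
        self.used_codes.add(code)
        return True


def relay_otp_login(service: OtpService, now: int):
    """Model of the real-time relay: returns (attacker_logged_in, user_retry_succeeds).

    The user reads the code from their device and types it, with username and
    password, into the phishing page, which forwards all three to the service.
    Nothing in the three values says where they were typed."""
    typed_into_phishing_page = (USER, PASSWORD, totp(OTP_SEED, now))
    attacker_logged_in = service.login(*typed_into_phishing_page, now)
    # The user's own attempt a moment later fails: the single-use code is spent.
    user_retry_succeeds = service.login(USER, PASSWORD, totp(OTP_SEED, now), now)
    return attacker_logged_in, user_retry_succeeds


def origin_bound_response(seed: bytes, challenge: bytes, origin_seen: str) -> str:
    """Hypothetical authenticator (assumption, not a real protocol): the response
    is a MAC over the server challenge AND the origin the browser reports."""
    return hmac.new(seed, challenge + b"|" + origin_seen.encode(), hashlib.sha256).hexdigest()


class OriginBoundService:
    """Same username/password, but the second factor is bound to the genuine origin."""

    def __init__(self):
        self.challenge = b"constructed-challenge-nonce"   # fixed so the example is deterministic

    def login(self, username: str, password: str, response: str) -> bool:
        if username != USER or not hmac.compare_digest(password, PASSWORD):
            return False
        expected = origin_bound_response(OTP_SEED, self.challenge, GENUINE_ORIGIN)
        return hmac.compare_digest(expected, response)


def relay_origin_bound_login(service: OriginBoundService) -> bool:
    """The phishing page can relay the challenge, but the user's browser tells the
    authenticator it is on PHISHING_ORIGIN, so the response binds the wrong origin."""
    response = origin_bound_response(OTP_SEED, service.challenge, PHISHING_ORIGIN)
    return service.login(USER, PASSWORD, response)


if __name__ == "__main__":
    now = 1_700_000_000
    print("OTP relay (attacker in, user retry):", relay_otp_login(OtpService(), now))
    print("origin-bound relay:", relay_origin_bound_login(OriginBoundService()))
```

Two things worth noticing from the OTP half: the single-use property does not stop the relay, it only decides whose login fails, and that failure is itself a signal worth surfacing ("that code has already been used" on a login the user believes is their first attempt). The genuine session is also opened from the attacker's network and browser, not the user's, which is where device or location checks on the service side can help even though the credentials themselves were all correct.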
The moral is, even if you have implemented two-factor authentication across as many services as possible, don’t sit back and think you’re safe – you are still susceptible to phishing, so you need to be just as wary about validating who / what is asking you for your credentials.