Two-factor authentication isn't enough

There's Two Factor Authentication, and there's Two Factor Authentication.  Sadly, the term and the acronym "2FA" have come to mean just one specific branch of the authentication family tree, a bunch of related one time and/or out-of-band password approaches (including SMS codes, OTP key fobs, and EMV CAP).

The more fundamental idea is still vital.  Two Factor Authentication should mean access involving a physical device.  When that device is a smart device, like a chip card or a phone, then possibilities open up for machine-to-machine challenge response, digital signing, mutual authentication and so on, which eliminate the sorts of MITM attack that plague the OTP and out-of-band password solutions.

How come my comment from last week disappeared?

Stephen, not my doing. Finextra bloggers have no administrative control over comments. I can see your first comment if it is any help

Just wondering about this part of Stephen's comment:

"Two Factor Authentication should mean access involving a physical device."

Why is the traditional meaning of 2FA - something you know/have/are - not good here?

Come on, 2FA is the bees knees if it is implemented properly. What do you want 3FA, 4FA, why bother at all ... I have had a look at the new 2FA processes some companies are employing with their web strategies, they are solid, especially the systems which are starting to use passcode generator enabled iPhone applications. It is cost effect, security effective and the passcode only lasts for a matter of seconds.

I would say 2FA with a passcode generator is as good as is it is ever going to get.

Martin, it's not the number of factors so much as the nature of the technology. The one time password generator is subject to MITM attack. A code that lasts a couple of seconds still affords a mechanised attack computer plenty of time to intercept and replay. 

The "bees knees" in my opinion is the smartcard. OTPs are a toy. With built-in readers increasingly commonplace (and with NFC allowing new ways to interface cards to laptops, tablets and phones) we could be replicating the universal ATM/POS experience for all Internet transactions.  Cards are far easier to use than OTP, and technically have all manner of advantages as noted previously, including resistance to MITM and mutual authentication.

Interesting side-note: I was talking recently with a "big data" analyst who told me he knew of shady characters in places like Russia and the Ukraine that were funded by organized crime, looking at social media data to help with identity theft. All those questions that banks and other service providers ask, like "What's your mother's maiden name?" or "What's your dog's name?" as a second factor using mere challenge questions, that kind of data can now be easily gleaned from Facebook. The idea is to build a complete profile on an individual, and then use that data to "leverage the authentication process", as you say. Scary.  But it makes me think that the definition of 2FA probably needs to be tightened.

Kenneth: Absolutely the definition needs tightening. Some have bastardised "Two Factor" authentication by counting multiple secret questions as additional factors.  The most important thing is we need a physical factor (something you have) that is easily noticed when lost, and which is also difficult to replicate or intercept & replay.  A big problem with biometrics when deployed without a physical token [like in the idea of a cardless ATM where you just stare into an iris scanner] is that you cannot tell when your authenticator has been stolen. It's important that we use more sophisticated criteria for matching applications to security technologies.

In all this discussion about definition of 2FA, what constitutes a puristic implementation of 2FA versus what does not, etc., it's equally important to assess what are the appropriate use cases for 2FA in the first place. Does a retail banking customer really  have to go through 2FA to know their account balance? Should a biller use 2FA to authenticate that the payor is indeed the subscriber? I could go  on with such rhetorical questions but the primary point of a transaction is that it should go through without causing undue friction for the customer, and I think this point often gets missed by overzealous security mechanisms. Some seven years after FFIEC mandated 2FA for online retail banking in the USA, the level of compliance may be low, but I have never come across any solid evidence that non 2FA users have suffered greater theft as a percentage of their transaction volumes as compared to 2FA users. 

Which brings us back to my point! The default "2FA" -- meaning one time password generators -- is a toy, long ago defeated by determined criminals, and of marginal benefit. But "two factor authentication" achieved by smarter means like chip cards, enables transactions to digitally signed and rendered non-replayable, and mutual authentication too, where the chip's intelligence can detect and respond to site spoofing etc..  Then two factor authentication would offer real advantages, and be as easy to use in the remote Internet setting as POS and ATM systems.

Not all "two factor authentication" is the same, and we should take the time to think beyond the simple key fobs and calculators that have come to mean "2FA" by default.

Thank you all for this great debate. Like some comments suggest, 2-F authentication can be defined differently. But, an effective 2-F authentication solution must use an Out-Of-Band (OOB) channel. As security technology vendor, my premise must be that the device used to make the transaction is compromised; then you work back from there so all fraud vectors are addressed.

Of course the number of factors (2,3,4) depends on business imperatives but aren’t customers demanding security already? Let’s be real, as an industry, are we seriously going to stop at 2-F? We need to evolve with technology (especially mobiles) and with the sophistication of attacks from fraudsters.

Multi factor authentication and OOB are just the beginning though – authentication alone does not stop the transaction from being compromised – you need transaction verification which is where the OOB comes in.

Who has not heard of ZITMO, ZEUS, sim swap, CFU?

Understanding security is no longer enough; any serious player in security will need to understand how telcos/mobile operators work to develop the right technology with the sufficient factors for strong authentication. Oh, by the way it is cost effective as well and can be delivered under 400 milliseconds.

This is an excellent research paper around why, warts and all, passwords are here to stay and, despite their huge promise on paper, many alternatives haven't managed to move the needle on adoption.   

https://www.finextra.com/fullfeature.asp?id=1705

Would anybody know if 2F mitigates token misuse in terms of tools such as incognito which can impersonate windows access tokens, which an over use of domain admins can cause to become a bigger concern? Or does two factor only really help the initial authentication part and therefore once authenticated to AD the tokens are still up for grabs and privilege escalation from a compromised client on the network?