2FA Is Not Invincible
Recap from the July 16th, 2019 CISO/Security Vendor Relationship Podcast
by Lydia Pert
Time and again, we hear about costly breaches impacting businesses all around the globe — many due to hackers merely gaining access to employee login information. Organizations need to take responsibility for sensitive data by ensuring that employees are using something stronger than just a basic password. Every business should be using two-factor authentication (2FA) whenever possible.
2FA is an extra layer of security, used to verify that the person requesting access to a particular resource is authorized to access it. Francis Dinha, the CEO of OpenVPN, explained two-factor authentication as “a second step taken to confirm a process. It can be used to gain access to an account, access specific resources, or complete any transaction by verifying your identity.” In its most popular form, 2FA sends a confirmation code to a mobile phone, which the person requesting access must then enter into the appropriate login confirmation window within a short amount of time. Some methods of 2FA require users to have a physical second factor on their person, like a USB key or special card. This is like having a second key to the safe, like many bank vaults used to have.
2-Factor Authentication Vulnerabilities
For a long time now, 2FA has been widely accepted as a better way to keep data safe than just using traditional passwords alone. However, like any technology, 2FA is not invincible. The recent Cloud Security Tip revealed that hackers can and have bypassed 2FA — and even made the ability public knowledge by posting it online for anyone to find. A recent presentation at the Hack in the Box Security Conference in Amsterdam also featured a video showing how two particular pieces of software work to bring the two authentication keys together, destroying the 2FA integrity.
In one instance, a tool called Muraena does the phishing work, intercepting an unsuspecting person’s browser-clicks and setting up the form for the 2FA code to be entered. Then, a second tool, called Necrobrowser, tracks the accounts of thousands of people — and finds the right phone numbers to send the authorization code to. Though there are other, more sophisticated ways to defeat Two Factor Authentication, security experts say this Muraena/Necrobrowser combination makes it easier for low-level hackers to get in on the action. Kevin Mitnick, a former convicted hacker turned cybersecurity consultant, explained that “the tool to actually pull these attacks off has been made public. So any 13-year-old could download the tool and actually carry out these attacks.”
How To Prevent 2FA Breaches
Cybersecurity and deep data science are rarely combined in organizations, which means data management 2FA is still much more secure than passwords alone, but organizations need to take measures to ensure that their 2FA measures are not susceptible to breaches. Instead of sending an email or a code to an employee's cell phone, businesses should consider utilizing security keys for the authentication process. Security keys look like keychains and contain a hardware chip, and use Bluetooth or USB to act as the final authentication factor. Companies like Google have adopted physical keys like these as their second factor to prevent 2FA breaches.
On top of strong 2FA practices, organizations should also implement a reputable VPN. OpenVPN Access Server works by providing secure access to the internal networks that house all of the tools and applications employees need to get their jobs done. No matter if employees are in an office, working from home, or in the field, they can access those features securely. Access Server also includes integration with various two-factor authentication apps such as Google Authenticator and AWS Multi-Factor Authentication, to ensure optimal protection on all levels.