
Multifactor authentication isn't a security cure-all

Multifactor authentication is a login security method that's picking up momentum in the business world, but IT shouldn't overlook its blemishes.

Multifactor authentication advocates claimed it would deliver us to security nirvana and bring account-hacking cyberbullies to their knees, but there's another side to the story.

Multifactor authentication, also known as two-factor authentication (2FA), does not prevent malware, phishing, man-in-the-middle (MitM) or other Web-based maladies. Yet enterprises faced with the growing tide of consumerization have begun to embrace it as a way to secure sensitive corporate resources. Multifactor authentication can lower the incidence of stolen credentials or unauthorized access to company data, while it also adds an additional layer of security for local access, back-end access and other common network entry points. There's truth in all this, but it's important to highlight that 2FA does not offer ironclad protection to the degree all the recent hype would lead us to believe.

The dark side of multifactor authentication

Part of the issue has to do with how multifactor authentication is implemented. The second authentication factor that is most popular among 2FA vendors nowadays is a one-time password (OTP).

In this type of strategy, the first layer of authentication is a personal password, but the user also needs to enter a code from an OTP token, usually sent by way of SMS to that person's mobile device. The idea is that the OTP will be available only to that individual, which, in theory, is supposed to ensure that an outsider can't make use of those access credentials.

However, the growing trend of sending OTPs by SMS is itself problematic because messages are often sent in cleartext. Even junior hackers can go online to find software or services that intercept text messages. From there, all they need are the target phone numbers. Once they have their systems in place, they can intercept text messages and forward them to other phones, where they can use the OTPs to authenticate those devices.

Multifactor authentication is also unable to prevent MitM attacks, which often start with a phishing campaign in the form of an email. If successful, the email diverts the user to a fake website designed to look like the real thing, such as a bank's online portal. There the user enters login information and other confidential data, which the hacking interceptor then uses to access the bank's real site. The user never suspects a thing until it's too late.

And what happens when the authentication mechanisms themselves are compromised? Back in 2011, for example, a successful cyberattack resulted in the theft of data related to RSA's SecurID authentication tokens, putting secure networks across the globe at risk.

But the problems don't stop there. Earlier this year, attackers exploited the Heartbleed vulnerability in OpenSSL to access servers belonging to a client of a U.S. security services firm. The attackers slipped past the multifactor authentication to get at 64 KB of sensitive data from any connected client or server, including a significant number of decrypted passwords. The hackers might have also gotten away with the seed used to generate the OTP tokens needed for the client's two-factor authentication.
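To make concrete both the OTP flow described above and why the seed matters, here is an added example written for this page (not code from the article or any vendor): a small seed-based time OTP verifier in the style of RFC 6238. It shows that a copy of the seed yields the identical code, and that a code captured in transit still verifies inside its window unless the server refuses to accept an already-consumed time step. It assumes a 30-second step, six digits, and uses the RFC 4226 test key as a constructed demo seed.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step (RFC 6238 default)
DIGITS = 6
SKEW = 1     # accept one step of clock drift either way


def totp(seed: bytes, unix_time: int) -> str:
    """HOTP (RFC 4226) over the current time step, i.e. the TOTP code."""
    counter = unix_time // STEP
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


class TotpVerifier:
    """Server side: the user's seed plus the last time step it already accepted."""

    def __init__(self, seed: bytes, reject_replay: bool = True):
        self.seed = seed
        self.reject_replay = reject_replay
        self.last_step = -1

    def verify(self, code: str, now: int) -> bool:
        for delta in range(-SKEW, SKEW + 1):
            step = now // STEP + delta
            if self.reject_replay and step <= self.last_step:
                continue  # a code for this step was consumed already: replay
            if hmac.compare_digest(totp(self.seed, step * STEP), code):
                self.last_step = step
                return True
        return False


# Constructed demo seed (the RFC 4226 test key). Real seeds are random per user
# and must exist only in the authenticator and the server's credential store.
DEMO_SEED = b"12345678901234567890"


def replay_demo(now: int = 1_700_000_000) -> tuple:
    """One code presented twice within its 30-second window; a seed copy yields
    the same code (seed theft), and a verifier with no replay tracking accepts
    the second presentation too."""
    seen_code = totp(bytes(DEMO_SEED), now)  # computed from a copy of the seed
    naive = TotpVerifier(DEMO_SEED, reject_replay=False)
    strict = TotpVerifier(DEMO_SEED)
    return (naive.verify(seen_code, now), naive.verify(seen_code, now + 5),
            strict.verify(seen_code, now), strict.verify(seen_code, now + 5))
```

Replay rejection only narrows the window to the first use of a code; it does nothing against a seed that has leaked, which is why the seed store deserves the same protection as the password database.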

And this past summer, researchers discovered a vulnerability in PayPal's authentication process that made it possible to bypass the company's two-factor protections. PayPal confirmed the bug's existence and stressed that the problem was limited to a small number of integrations with its Adaptive Payments programs. Usernames and passwords were still required to access the accounts.

Two-factor authentication still better than one

There are plenty of other incidents that point to the holes in multifactor authentication, and certainly some authentication mechanisms can be called into question. Even so, 2FA is still better than relying on passwords alone, though that hardly means it is a security cure-all.

We need to be careful not to evangelize multifactor authentication to the point we forget it's only part of a larger defense-in-depth strategy. When we evaluate a service's security, we must take into account many factors, one of which is to ensure that 2FA isn't being implemented in a way that can result in other vulnerabilities.


Do the risks of two-factor authentication change your opinion of it?
In my mind, no security solution is truly a 'solution', and should only be part of an overall strategy - so knowing that 2FA has some flaws doesn't change my mind that it is something to pursue. 
I actually didn't realize that there were many flaws with 2FA. In fact, when used properly, it should lock your stuff down pretty well. It's like the guy who gets his car stolen complaining about it...then revealing that he keeps a spare set of keys in the glove box. If you use the security devices/systems in place to protect your data, then you should - in most instances - be safe. #commonsense 
The two-factor authentication, though not a silver bullet, could be reliable when it comes with a reliable password. 2 is larger than 1 on paper, but two weak boys in the real world may well be far weaker than a toughened guy. Physical tokens and phones are easily lost, stolen and abused. Then the password would be the last resort. It should be strongly emphasized that a truly reliable 2-factor solution needed for important accounts requires the use of the most reliable password.

Using hard-to-break and yet hard-to-forget passwords will help. It is easily possible with the Expanded Password System that accepts images as well as characters.

At the root of the password headache is the cognitive phenomena called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

By the way, some people shout that the password is dead or should be killed dead. The password could be killed only when there is an alternative to the password. Something belonging to the password (PIN, passphrase, etc) and something dependent on the password (ID federations, 2/multi-factor, etc) cannot be the alternative to the password. Neither can be something that has to be used together with the password (biometrics, auto-login, etc). What could be killed is the text password, not the password.

Points in this discussion I agree with are that 2 is better than 1 and that the password won't die until there's a true replacement for it. If we see being secure as a goal and a necessity, then we'll need to continue to find ways to make this happen.