

Multifactor authentication isn't a security cure-all

Multifactor authentication is a login security method that's picking up momentum in the business world, but IT shouldn't overlook its blemishes.

Multifactor authentication advocates claimed it would deliver us to security nirvana and bring account-hacking cyberbullies to their knees, but there's another side to the story.

Multifactor authentication, also known as two-factor authentication (2FA), does not prevent malware, phishing, man-in-the-middle (MitM) or other Web-based maladies. Yet enterprises faced with the growing tide of consumerization have begun to embrace it as a way to secure sensitive corporate resources. Multifactor authentication can lower the incidence of stolen credentials or unauthorized access to company data, and it adds a layer of security for local access, back-end access and other common network entry points. There's truth in all this, but it's important to highlight that 2FA does not offer ironclad protection to the degree all the recent hype would lead us to believe.

The dark side of multifactor authentication

Part of the issue has to do with how multifactor authentication is implemented. The second authentication factor that is most popular among 2FA vendors nowadays is a one-time password (OTP).

In this type of strategy, the first layer of authentication is a personal password, but the user also needs to enter a code from an OTP token, usually sent by way of SMS, to that person's mobile device. The idea is that the OTP will be available only to that individual, which, in theory, is supposed to ensure that an outsider can't make use of those access credentials.

However, the growing trend of sending OTPs by SMS is itself problematic because messages are often sent in cleartext. Even junior hackers can go online to find software or services that intercept text messages. From there, all they need are the target phone numbers. Once they have their systems in place, they can intercept text messages and forward them to other phones, where they can use the OTPs to authenticate those devices.

Multifactor authentication is also unable to prevent MitM attacks, which often start with a phishing campaign in the form of an email. If successful, the email diverts the user to a fake website designed to look like the real thing, such as a bank's online portal. There the user enters login information and other confidential data, which the hacking interceptor then uses to access the bank's real site. The user never suspects a thing until it's too late.

And what happens when the authentication mechanisms themselves are compromised? Back in 2011, for example, a successful cyberattack resulted in the theft of data related to RSA's SecurID authentication tokens, putting secure networks across the globe at risk.

But the problems don't stop there. Earlier this year, attackers exploited the Heartbleed vulnerability in OpenSSL to access servers belonging to a client of a U.S. security services firm. The attackers slipped past the multifactor authentication to get at 64 KB of sensitive data from any connected client or server, including a significant number of decrypted passwords. The hackers might have also gotten away with the seed used to generate the OTP tokens needed for the client's two-factor authentication.
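Why a stolen seed matters, as in the SecurID and Heartbleed incidents above: a token's code is a pure function of the seed and the clock, so anyone holding the seed produces the same code as the legitimate token. The sketch below is an added example, not part of the original article; it uses the open RFC 4226/6238 algorithm rather than SecurID's own scheme, the RFCs' published test seed, and a hypothetical `Verifier` class that also refuses to accept the same time step twice.

```python
import hashlib
import hmac
import struct

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(seed: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238: HOTP where the counter is the number of elapsed time steps."""
    return hotp(seed, unix_time // step)

class Verifier:
    """Hypothetical server side: accepts the current or previous time step,
    and never accepts a step at or before the last one it accepted."""
    def __init__(self, seed: bytes, step: int = 30, drift: int = 1):
        self.seed, self.step, self.drift = seed, step, drift
        self.last_used = -1

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // self.step
        for counter in range(max(0, now - self.drift), now + 1):
            if counter <= self.last_used:
                continue  # this step was already consumed: reject reuse
            if hmac.compare_digest(hotp(self.seed, counter), code):
                self.last_used = counter
                return True
        return False

# Constructed sample: the published RFC test seed, not a real secret.
SEED = b"12345678901234567890"

def demo() -> dict:
    server = Verifier(SEED)
    token_code = totp(SEED, 59)  # code shown on the user's token
    copy_code = totp(SEED, 59)   # code computed by any other holder of the seed
    return {
        "same_code": token_code == copy_code,
        "first_use": server.verify(token_code, 59),
        "reuse": server.verify(token_code, 70),         # same code, next step
        "stale": Verifier(SEED).verify(token_code, 200),  # outside the window
    }

if __name__ == "__main__":
    print(demo())
```

The verifier cannot tell the token from a copy of the seed, which is why a seed exposure means reissuing tokens rather than resetting passwords.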

And this past summer, researchers discovered a vulnerability in PayPal's authentication process that made it possible to bypass the company's two-factor protections. PayPal confirmed the bug's existence and stressed that the problem was limited to a small number of integrations with its Adaptive Payments programs. Usernames and passwords were still required to access the accounts.

Two-factor authentication still better than one

There are plenty of other incidents that point to the holes in multifactor authentication, and certainly some authentication mechanisms can be called into question. Even so, 2FA is still better than relying on passwords alone, though that hardly means it is a security cure-all.

We need to be careful not to evangelize multifactor authentication to the point we forget it's only part of a larger defense-in-depth strategy. When we evaluate a service's security, we must take into account many factors, one of which is to ensure that 2FA isn't being implemented in a way that can result in other vulnerabilities.
