Can We Save One-Time Password Multifactor Authentication?

Can We Save One-Time Password Multifactor Authentication?

Bottom Line: If you have a choice of what type of multifactor authentication (MFA) solution to buy or use, use a phishing-resistant MFA solution. If you use OTPs, use phishing-resistant OTP.

One-Time Password (OTP) MFA solutions are among the most hackable and bypassable forms of MFA.?The U.S. government has been saying NOT to use them for years (for example, https://zerotrust.cyber.gov/federal-zero-trust-strategy/#identity ) to protect valuable data, sites and services. The U.S. Cybersecurity & Infrastructure Security Agency (CISA) also considers OTP MFA weak, recommending more secure forms of phishing-resistant MFA (https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf ). Phishing-resistant MFA does not, currently, include most OTP solutions.

This does not mean OTP solutions have to go away. Most just have to be tweaked and updated to be less phishable. This article will cover some methods that OTP solutions can deploy to become less phishable. Some related background first.

What Is a One-Time Password?

OTP (https://en.wikipedia.org/wiki/One-time_password) authentication solutions have been around for centuries, well before today’s digital MFA solutions. The idea is that a single-use password (or encryption or decryption key) is one that is used to protect data, but can only be used once and never again. Even if that secret is compromised, its only value to an attacker is whatever is protected by that single-use, one-time password. Additionally, because the OTP is only created and used once (and supposedly never intentionally repeated), it is inherently tougher to compromise or predict (although this is not always true).

Compare it to someone’s password, which is the same “secret” used to protect a bunch of other secrets for the lifetime of the password. If an attacker gains access to it, it will allow the attacker to compromise the protected data for the lifetime of the password. For all these reasons, a well-implemented OTP solution is thought to be strong authentication.

How OTP MFA Works

Most OTP MFA works by generating a one-time code (usually four to six digits long) using a combination of:

·????????A starting “seed” value that is randomly generated for each individual solution instance

·????????Some information that is unique to each instance, such as an MFA device’s hard-coded ID or user’s email address (i.e., something to tie the OTP to the particular instance)

·????????Optional: a current time/date value

·????????An OTP-generating algorithm

Note: This is a simplified representation of how OTP MFA works and is used in authentication.

The first two or three pieces of information are placed into the OTP-generating algorithm to generate an OTP code for a particular moment in time or event. This information may be stored and shared between the OTP MFA-authentication solution that verifies the OTP code submitted by the user and the OTP MFA device that generates the code, so that both sides are “seeing” the same OTP code at the instance the user wants to log in while using it.

The random seed value and the unique instance information is supplied to the OTP algorithm to generate the visible OTP code the user sees. Typically, the OTP code the user sees is a truncated version of a longer generated number. When the user needs to use the OTP MFA to log in, they type the generated OTP code into the login screen of the site or service relying on the OTP MFA for user authentication. ?

With Time-Based OTP (TOTP) MFA solutions, the current date and time may be used to generate a new OTP code at a preset interval, say every 30-60 seconds. “Event-based” OTP MFA solutions calculate new OTP codes when an “event” or “gesture” happens, such as the user touching a sensor or plugging in a token. Event-based OTP MFA (HOTP) does not care about the current date or time, although HOTP may update the OTP value automatically after a set period of time regardless of an event occurring or not.

Today, there are hundreds of OTP MFA solutions, both implemented in hardware and software. The first OTP “hard token” many of us ever saw was an RSA Security’s RSA SecurID (see image below).

No alt text provided for this image

Google Authenticator and Microsoft Authenticator (see images below) are two of the most common forms of “soft token” OTP MFA.

No alt text provided for this image
No alt text provided for this image

Short Message Service (SMS) messages (an example shown below) can also be used as OTP MFA, but the phone, unlike the two previous OTP MFA examples, does not generate the code. Phones simply display the randomly generated OTP created and sent by the authenticating solution.

No alt text provided for this image


?But the idea is the same. The user is sent/displayed a (hopefully) seemingly randomly-generated set of digits that they type into a login screen when prompted. The user often has a maximum amount of time the OTP code is good for. Non-SMS based forms of TOTP MFA usually generate codes that are only good for 30-60 seconds. HOTP-generated codes may be good for some set period of time, say 10 minutes, or stay good forever until another event happens (or may even remain good and usable after another event and code has been generated). SMS codes are often good for 10 minutes, but it depends on the authentication service relying on it.

?One-Time Password MFA Is Easily Hackable

The problem with the vast majority of OTP MFA is that the digits provided to the user can be learned by an attacker and then used by the attacker to log into the user’s intended website/service as the user. OTP MFA codes are a digital “bearer bond” where possession of the code implies ownership of a login identity. And this is a very, very common type of attack.

The most OTP attack is when the user (i.e., potential victim) is sent a phishing email pretending to be from a legitimate service the user uses OTP MFA with, but it contains a malicious, rogue link. If the user does not notice that the URL link does not take them to the legitimate site/service, what they are taken to instead is a malicious site/service that can then capture everything the user types into the fake login screen, including their login name and OTP code. Microsoft discusses this type of attack here:

https://www.microsoft.com/en-us/security/blog/2023/06/08/detecting-and-mitigating-a-multi-stage-aitm-phishing-and-bec-campaign/

And summarizes the attack with this diagram (below, from the Microsoft post).

No alt text provided for this image

?

You can watch a similar type of demonstration attack here: https://www.youtube.com/watch?v=xaOX8DS-Cto . Seeing is believing. Most people who have not seen this type of attack cannot believe how easy it is to steal the OTP code (or the resulting successful login token after the user has logged in using OTP MFA).

It does not take uber hackers to steal OTP MFA codes. Today, more and more password-stealing trojan malware programs intercept one or more types of OTP MFA codes. Here is an example of one that steals Google Authenticator codes: https://www.threatfabric.com/blogs/xenomorph-v3-new-variant-with-ats.html . More and more ready-to-use “phishing kits” intercept OTP MFA codes. Here is an example: https://www.bleepingcomputer.com/news/security/new-evilproxy-service-lets-all-hackers-use-advanced-phishing-tactics/ .

Hundreds of thousands, if not millions, of people who thought they were specially protected by OTP MFA have been hacked, usually involving social engineering. And this is not new, it has been occurring at least since the early 1990s. For as long as OTP MFA has been around, hackers have been successfully hacking it.

As mentioned above, this has led to many experts (including yours truly) saying not to use easily phishable MFA, and this includes most forms of OTP MFA. But there are many phishing-resistant forms of OTP MFA. It is just that most people are not buying it or using it.

Some OTP MFA Solutions To Prevent Easy Phishing Attacks

I like any MFA solution that prevents easy phishing. Here is the entire list of phishing-resistant MFA that I know about: https://www.dhirubhai.net/pulse/my-list-good-strong-mfa-roger-grimes .

You want MFA solutions that prevent eavesdropping, man-in-the-middle attacks (Microsoft calls them adversary-in-the-middle attacks) and easy social engineering. What should you look for in OTP MFA as an indication that it prevents easy social engineering? Here are some key features to look for:

·????????FIDO2-enabled (https://fidoalliance.org/ )

·????????NIST SP-800-63-3 or -4 AAL3 certification, which is phishing-resistant

·????????Private key locked to a particular device in such a way that a re-played code submitted from another rogue device/site/service will not work

·????????Secondary channels, where the authentication is performed against a known good path and server (FIDO does this)

·????????Channel binding, to prevent MitM attack on HTTPS connections

·????????Geo-Fencing Protection, where submitted code will not work from a non-registered new physical location

There are dozens of ways to prevent the most common types of phishing attacks against OTP MFA, vendors just need to implement them.

How FIDO Protects Against Easy Phishing Attacks

Let me give you an example of how FIDO2 defeats MitM attacks. All FIDO2 tokens must be registered to the site/service where they are going to be used to authenticate; and vice versa. A FIDO2 token user can still be tricked into clicking on a rogue link to a fake site/service, but if that is where the MitM redirection ends, the FIDO2 token will never issue an OTP code, because the token will not have detected that it ultimately connected with a valid site/service. It just will not work. The thief will get nothing.

If the attacker forwards the FIDO2 client to the MitM site/service and then onto the user’s registered site/service (as is often done), a FIDO2 server will reply to the initial client request to log in with a valid URL that the client should now connect to, encrypted by the client’s public key (so only the client can decrypt and use). For example, suppose the FIDO2 client was tricked into going to www.badsite.com and badsite.com then proxied all authentication information from the FIDO2 client to the FIDO2 server at www.goodsite.com . When the FIDO2 server at www.goodsite.com got the client’s login request, it would send back to the client an encrypted link containing www.goodsite.com . The FIDO2 client would then drop the connection to www.badsite.com and then connect directly to www.goodsite.com .

Note: The FIDO2 process is more complex than this, and often does not even involve an OTP MFA code, but I used a simplified version of the FIDO2 “second channel” to demonstrate the most important part of this particular discussion.

Client Registration

It is also possible to “lock” a particular MFA OTP solution to a particular device and prove that the current MFA OTP submission is coming directly from the legitimate client and not a rogue MitM server. For example, the vendor can take a digital “snapshot” of the legitimate client as it would appear to the server. This would usually involve any information that can be sent through the user’s browser to identify the user’s browser session (e.g., OS, OS version, browser, browser version, user agent, etc.) along with any other information that is only known to the legitimate client (such as a device or client ID). One example of this information might be using a randomly-generated number created by taking some of the legitimate browser session information that can be transmitted through a browser.

This information, known as browser or session fingerprinting, is sent encrypted from the client to the server, such that the MitM site cannot easily see or duplicate the information that is used to identify the client. But from this information, the server can authenticate that the sent information originated from the legitimate client.

For more information on browser fingerprinting and hacking of that fingerprinting, see these following two links: https://www.humansecurity.com/learn/blog/the-cybercrime-starter-kit-inside-anti-detection-browsers and https://spycloud.com/blog/anti-detect-browsers-stolen-digital-fingerprints/ .

The idea is to make the session or browser fingerprint very difficult for the MitM service to learn or retransmit correctly. However it is configured, only the legitimate client would have the information and be able to transmit it, verifying origination.

Client Registration

Another method is to require that the OTP MFA solution be registered to a particular client and the server will only accept the submitted OTP if it originates from that client (and not if a MitM attacker host computer is involved). For example, the OTP only works if the client’s name is Roger’sComputer0509 signed by the client’s private key and encrypted by the server’s public key. If an intermediate MitM attacker was involved, they might know what the client’s name is, but not be able to correctly sign the client’s response to the server and cannot decrypt what is sent by the client to the server to learn what is sent.

Channel Binding

Channel Binding involves tying the client and/or server’s fully qualified domain name to the TLS connection being established, with one or both sides requiring particular expected hosts names to be involved in the TLS channel. This prevents a MitM attacker from creating additional fake TLS connections between itself and the client and the server to carry on the MitM interception. Without Channel Binding, the MitM site could create new TLS connections between itself and the client and server that the client and server do not know about, allowing eavesdropping and replay attacks.

The problem with both Client Registration and Channel Binding solutions is they often do not work at scale with sophisticated load balancers involved. It messes up the originating host names so that the load balancers’ names will sometimes appear as either the client or server, causing authentication problems.

Required Login Portal

Another way to prevent easy MitM attacks is to require that all logins begin at a trusted login portal that contains all the right URL entries, so that a user cannot as easily be tricked into clicking onto a rogue link. The problem with this solution is that it requires that all legitimate logins begin and end within a particular portal (which is sometimes too much “friction” for some users) or it is difficult to prevent “out-of-the-portal” logins even when you want users to use the login portal only.

Geo-Fencing ?

A common geo-fencing protection example would be a user who normally only logs in from their previously registered location of Tampa, FL, suddenly seeming to originate from China or Russia. This might indicate a MitM attack.

Education

Of course, the best solution is to aggressively educate end users about the potential attacks that their particular MFA solution can be compromised by, and how to recognize and mitigate those attacks. There is no way to prevent ALL social engineering of any authentication solution, so you need to educate your user base about the common types of attacks against their authentication solution so they can prevent them no matter how they arrive. And this defense will work no matter what type of authentication solution you are using – OTP MFA or otherwise.

There are many ways to defeat the most common phishing attacks against OTP MFA. We just need to start requiring that our OTP MFA vendors implement one or more anti-phishing features so that they start delivering more phishing-resistant MFA.

And if you have a choice of what type of MFA solution to buy or use, use a phishing-resistant solution.

要查看或添加评论,请登录

社区洞察

其他会员也浏览了