Two Factor Authentication Failure: an authenticator app design vulnerability?
Thomas Naylor
CEO of hifo.co: enabling the best in tech to be more easily discovered. 30+ years in Digital Transformation. Application development, ERP, IT infrastructure, & cloud. Cyber Security judge at SC Awards.
Corporate IT mostly moved on from the 2FA dongle, such as the RSA SecurID token, about a decade ago. Then came the SMS text message for additional identity verification. Vulnerabilities associated with text messaging then drove the development of the authenticator app: the app that provides a continuously updated, user-specific six-digit code to be entered at login.
Authenticator apps are generally well designed, but some have what is, in my view, a serious design flaw that represents a high security risk.
The stronger authentication process only allows authentication to continue if the authorised user enters a six-digit code that is generated at login. Even if a hacker had both the user's email address and password, it would be impossible for that remote hacker to simultaneously get through the second factor, i.e. obtain that six-digit code, and therefore gain access to the account.
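To make concrete what the six-digit code actually is, here is an added example (not code from the article or from any authenticator vendor) implementing the time-based one-time password scheme of RFC 6238, which is what the common authenticator apps generate: an HMAC over a 30-second time counter, truncated to six digits. The server-side verifier accepts one step of clock drift in each direction and refuses to accept a counter it has already consumed, so a code captured once cannot be replayed. The shared secret is the RFC's published test-vector key, used here only so the outputs can be checked against the RFC; everything else (the class name, the window size) is a design choice of this example.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # six-digit code, as used by most authenticator apps
DRIFT_WINDOW = 1    # accept the previous and next step to tolerate clock skew

# RFC 6238 / RFC 4226 test-vector secret (ASCII "12345678901234567890").
# A real enrolment would generate a random secret per user and device.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    dynamically truncated to a 31-bit integer, reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // step)


class TotpVerifier:
    """Server-side check of a code the user typed in.

    Holds the per-user secret and the highest counter already accepted,
    so that a code is usable at most once (replay protection)."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, window: int = DRIFT_WINDOW):
        self.secret = secret
        self.step = step
        self.window = window
        self.last_counter = -1

    def verify(self, code: str, unix_time: int) -> bool:
        counter = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_counter:
                continue  # already consumed: refuse replay
            expected = hotp(self.secret, candidate)
            # constant-time comparison avoids leaking how many digits matched
            if hmac.compare_digest(expected, code):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    # Time 59 is the first RFC 6238 test vector; the 8-digit reference value
    # is 94287082, whose last six digits are the 6-digit code.
    print("code at t=59:", totp(TEST_SECRET, 59))
    v = TotpVerifier(TEST_SECRET)
    print("first use accepted:", v.verify(totp(TEST_SECRET, 59), 59))
    print("replay accepted:", v.verify(totp(TEST_SECRET, 59), 61))
```

Note that possession of the password contributes nothing to `verify`: the only inputs are the secret held by the phone and the current time, which is the property the article is relying on when it says a remote attacker cannot get through the six-digit check.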
However, a new hybrid function has now been added to several authenticator apps, including, most worryingly, Microsoft Authenticator. The user can simply click Approve rather than entering a six-digit code at login. The problem is that if the user's password has been compromised in a data breach (see Have I Been Pwned for the list of huge username and password breaches), or if the user has unknowingly been subject to an advanced, well-tailored phishing attack, the user's account will be seriously vulnerable. The 2FA will not be worth its salt, as the following use case illustrates:
As soon as a hacker has the user's email address and password and completes the first stage of login to, for example, Office 365, the genuine account holder will get a 'please click Approve' pop-up on their phone, showing their company name and their email address, as in the image above.
Human nature suggests that the great majority of users will click Approve, and suddenly, on the other side of the world, a hacker will be granted access to their email and business folders.
Some authenticator apps will, at the same time as asking for approval, indicate whether the IP address and system specification are the same as before or new. This is slightly more secure; however, a careless, stressed or very busy user would still be prone to click automatically.
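The context check described above can also be done on the defender's side rather than left to the user. The following is an added example, not code from the article or from any identity provider, of a simple review pass over push-approval sign-in events: it flags an approval where the device that approved is in a different country from the sign-in attempt that triggered the prompt, and it flags a burst of prompts to one user in a short window, which is what a compromised password being tried repeatedly looks like in the log. The log lines are constructed for this example, and their field names (`signin_country`, `device_country`, `push_sent`, `push_approved`) are assumptions about what a real provider's sign-in log would carry.

```python
import json
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sign-in log (JSON lines); not taken from any real system.
SAMPLE_LOG = """
{"ts": "2023-05-01T08:00:00Z", "user": "alice@example.com", "event": "push_sent", "signin_ip": "203.0.113.10", "signin_country": "NZ"}
{"ts": "2023-05-01T08:00:05Z", "user": "alice@example.com", "event": "push_approved", "device_ip": "198.51.100.7", "device_country": "GB"}
{"ts": "2023-05-01T09:10:00Z", "user": "bob@example.com", "event": "push_sent", "signin_ip": "203.0.113.20", "signin_country": "GB"}
{"ts": "2023-05-01T09:10:20Z", "user": "bob@example.com", "event": "push_sent", "signin_ip": "203.0.113.20", "signin_country": "GB"}
{"ts": "2023-05-01T09:10:45Z", "user": "bob@example.com", "event": "push_sent", "signin_ip": "203.0.113.20", "signin_country": "GB"}
{"ts": "2023-05-01T09:10:50Z", "user": "bob@example.com", "event": "push_approved", "device_ip": "198.51.100.8", "device_country": "GB"}
{"ts": "2023-05-01T10:00:00Z", "user": "carol@example.com", "event": "push_sent", "signin_ip": "198.51.100.9", "signin_country": "GB"}
{"ts": "2023-05-01T10:00:03Z", "user": "carol@example.com", "event": "push_approved", "device_ip": "198.51.100.9", "device_country": "GB"}
"""


def parse_log(text: str) -> list:
    """Parse JSON lines into event dicts with a datetime timestamp, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def review_push_approvals(events: list, burst_count: int = 3, burst_window_s: int = 120) -> list:
    """Return findings for (a) approvals whose approving device is in a
    different country from the sign-in that triggered the prompt, and
    (b) a user receiving `burst_count` or more prompts within `burst_window_s`.

    A burst is reported once, when the count first reaches the threshold."""
    findings = []
    last_sent = {}                  # user -> most recent push_sent event
    recent_sent = defaultdict(deque)  # user -> timestamps of prompts in the window

    for event in events:
        user = event["user"]
        if event["event"] == "push_sent":
            last_sent[user] = event
            window = recent_sent[user]
            window.append(event["ts"])
            while window and (event["ts"] - window[0]).total_seconds() > burst_window_s:
                window.popleft()
            if len(window) == burst_count:
                findings.append({"user": user, "ts": event["ts"], "reason": "push_burst",
                                 "detail": f"{burst_count} prompts within {burst_window_s}s"})
        elif event["event"] == "push_approved":
            request = last_sent.get(user)
            if request is None:
                findings.append({"user": user, "ts": event["ts"], "reason": "approval_without_request",
                                 "detail": "no preceding push_sent for this user"})
            elif request["signin_country"] != event["device_country"]:
                findings.append({"user": user, "ts": event["ts"], "reason": "country_mismatch",
                                 "detail": f"sign-in from {request['signin_country']}, "
                                           f"approved from {event['device_country']}"})
    return findings


if __name__ == "__main__":
    for finding in review_push_approvals(parse_log(SAMPLE_LOG)):
        print(finding["ts"].isoformat(), finding["user"], finding["reason"], "-", finding["detail"])
```

On the constructed log this reports two findings: alice's approval from the UK of a sign-in originating in New Zealand, and the three prompts sent to bob within a minute. Carol's single prompt, approved from the same place it came from, is not reported. Country is a coarse signal; the same comparison on ASN, device fingerprint or the "new vs. known" flag the article mentions would narrow it further.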
In IT security there is often a conflict between usability and security: increased user convenience can result in increased security risk, and the above is one example of this. If your authenticator app has this pop-up approval, hifo's recommendation is that the functionality be disabled as soon as possible.
Tech Enthusiast | Managing Partner MaMo TechnoLabs | Growth Hacker | Sarcasm Overloaded
2 years ago: Thomas, thanks for sharing!
IS & IT pro, Computing's Top 100 IT Leaders, author & speaker, helping protect organisations & their data
4 years ago: This has been a concern of mine for a while now. Adding 2FA to Microsoft Office 365 accounts defaults to this 'approve from the app' sign-in rather than the 6-digit code, which you then have to set manually afterwards. You have to really want to sign in to type in a six-digit code; it's not something you do accidentally, and because it takes longer than just clicking 'Approve' it gives you time to think whether the request is genuine or not.