Two-factor authentication flaws have been identified that allow accounts to be accessed even when protected by a password and second authentication factor.

Two-factor authentication is an important safeguard to secure accounts. In the event of login credentials being guessed or otherwise obtained by a third party, an additional method of authentication is required to gain access to the account. Without that second factor, access to the account is blocked. But not always. Multiple two-factor authentication flaws have been identified.

Two Factor Authentication Flaws Exploited in Reddit, LinkedIn and Yahoo Cyberattacks

Two-factor authentication is not infallible. Recently, Reddit disclosed that it had suffered a data breach even though two-factor authentication had been implemented. Rather than use a token, Reddit used SMS messages sent to a mobile phone owned by the account holder as the second authentication factor. As Reddit discovered, SMS messages can be intercepted. The attacker was able to intercept a 2FA SMS message and gain access to an employee’s account, through which it was possible to access an old database of user credentials.

Two-factor authentication was also in place at Yahoo in 2013, yet the company still experienced a massive data breach that resulted in all three billion of its users having their information obtained by hackers. Go back a year and there was the massive 167 million record data breach at LinkedIn, which had also implemented two-factor authentication.

A phone call or text message to a phone owned by the account holder does not necessarily prevent access to the account from being gained by a third party. In August last year, a Bitcoin investor had $150,000 of cryptocurrency stolen from his wallet after it was accessed by a third party. In that case, the investor’s second factor phone number had been re-routed to a device owned by the attacker after the phone company was duped.

Any second factor that uses the phone system or SMS messages provides an additional layer of protection, but it is not enough to protect against a determined, skilled hacker.

Two Factor Authentication Flaws Discovered in Microsoft’s Active Directory Federation Services

A major two-factor authentication vulnerability was recently discovered by a security researcher at Okta. Okta, like many companies, uses Microsoft’s Active Directory Federation Services (ADFS) to provide multi-factor authentication.

Okta security researcher Andrew Lee discovered that the system had a serious vulnerability. Not only was it straightforward to exploit, doing so would render an organization’s multi-factor authentication controls virtually useless.

Lee discovered that someone with a username, password, and a valid 2-factor token for one account could use the same token to gain access to any other account in the organization in AD with only a username and password. Any employee who is given an account and specifies their own second factor could use it to access other accounts. Essentially the token was like a hotel room key card that opens all rooms in the hotel.

Obtaining another employee’s login credentials would only require a phishing campaign to be conducted. If an individual responded and disclosed their credentials, their account could be accessed without the need for a second factor.

The vulnerability in question, which was patched by Microsoft on August 14 in its August Patch Tuesday updates, was present in how ADFS communicates. When a user tries to log in, an encrypted context log is sent by the server which contains the second factor token but not the username. This flaw could be exploited to fool the system into thinking the correct token had been supplied, as no check was made to determine whether the correct token had been supplied for a specific user’s account. As long as one valid username, password and 2FA token combo was owned, the 2FA system could be bypassed.
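
The missing check described above can be shown with a simplified model, added here as an illustration; it is not ADFS code or code from the researcher. The server-issued context is HMAC-signed here rather than encrypted, and every name, user, key and code in it is constructed for the demo.

```python
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-demo-key"                         # constructed value
ENROLLED = {"alice": "device-A", "bob": "device-B"}          # constructed users
CURRENT_CODE = {"device-A": "111111", "device-B": "222222"}  # constructed codes

def seal(payload):
    """Serialize the MFA context and append an HMAC tag so it cannot be altered."""
    body = json.dumps(payload, sort_keys=True)
    return body + "." + hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()

def unseal(context):
    """Return the payload if the tag verifies, otherwise None."""
    body, _, tag = context.rpartition(".")
    good = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return json.loads(body) if hmac.compare_digest(tag, good) else None

def issue_context(username, bind_user):
    """Issued after the password step; names the factor that will be challenged."""
    payload = {"factor": ENROLLED[username]}
    if bind_user:
        payload["user"] = username   # the binding the flawed flow lacks
    return seal(payload)

def finish_login(session_user, context, code, require_binding):
    """Second step: decide whether session_user has passed the second factor."""
    payload = unseal(context)
    if payload is None:
        return False                 # context forged or modified
    if require_binding and payload.get("user") != session_user:
        return False                 # context was issued for a different account
    return hmac.compare_digest(code, CURRENT_CODE[payload["factor"]])
```

With `require_binding=False`, a context issued for `alice` is accepted in a session that passed the password step as `bob`; once the username is placed inside the integrity-protected context and compared with the session, the same context is rejected.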

Two Factor Authentication is Not a Silver Bullet

These two-factor authentication flaws show that while 2-factor authentication is an important control to implement, businesses should not rely on the system to prevent unauthorized access to accounts. The two-factor authentication flaws discussed here are unlikely to be the last to be uncovered.

2-factor authentication should be just one element of an organization’s defenses against phishing and hacking, along with spam filters, web filters, firewalls, intrusion detection systems, antivirus solutions, network segmentation, and employee security awareness training. 2FA should not be viewed as a silver bullet to prevent unauthorized account access.