True Two-Factor Authentication

For years I have had many heated arguments with different security companies and CISOs that getting an additional logon code from your phone or IM is not true Two-Factor Authentication (2FA). Here’s why, and here’s my proof.

Why:

  1. Authentication is always from the guard’s, sentry’s or computer software’s logon perspective. These gatekeepers want to know if you have in your possession the multiple identifiers required to gain access. Many people mistakenly look at Multi-Factor Authentication (MFA) from the user’s perspective as to the number of items they present.
  2. There currently are three factors or forms of identification: Something you Have (i.e. a card), Something you Know (i.e. a password or PIN), and Something you Are (i.e. a fingerprint). Presenting only one of these factors is called Single-Factor Authentication, and in today’s world this is considered very weak authentication. As a side note, a new factor is being discussed: Somewhere you Are. This uses the GPS in your smartphone to determine your location and whether that location matches your travel habits. Frankly, I find this form of identification disconcerting in that my movements are being tracked. But that is for an entirely different discussion.
  3. By definition of MFA you have to present two or more dissimilar factors, like Card-PIN, Card-Fingerprint, PIN-Fingerprint, or Card-PIN-Fingerprint. Two is stronger than One, but Three is even stronger than Two.

Typing in a password and then a texted PIN is a Know-Know response. That’s because the user is doing the presenting and the guard sees two things the person Knows. The guard never authenticates the phone, and phones can be cloned or messages intercepted. A fingerprint and facial recognition together are an Are-Are combination. A membership card and a credit card are Have-Have. At least if a driver’s license with a photo were used, the guard would have the Are part because of the photo. These are all examples of Double-Single-Factor Authentication.
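To make the guard’s-perspective rule concrete, here is an added Python example (not part of the original post) that classifies a logon attempt by the factors the gatekeeper can actually verify. The identifier catalogue and the `evaluate` function are assumptions for illustration; a code typed in after arriving by SMS or voice is tagged Know, since the server only compares a string and never authenticates the phone.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    HAVE = "Have"
    KNOW = "Know"
    ARE = "Are"


# Assumed catalogue of identifiers, each tagged with the factor(s) the
# gatekeeper can verify, not what the user believes they are presenting.
# A code received by SMS or voice call and then typed in is compared as a
# string, exactly like a password, so it is Know. A photo driver's license
# gives the guard both the card (Have) and the likeness (Are).
CATALOGUE: dict[str, tuple[Factor, ...]] = {
    "password": (Factor.KNOW,),
    "pin": (Factor.KNOW,),
    "sms_code": (Factor.KNOW,),
    "voice_code": (Factor.KNOW,),
    "smartcard": (Factor.HAVE,),
    "membership_card": (Factor.HAVE,),
    "credit_card": (Factor.HAVE,),
    "photo_drivers_license": (Factor.HAVE, Factor.ARE),
    "fingerprint": (Factor.ARE,),
    "face": (Factor.ARE,),
}


@dataclass(frozen=True)
class Verdict:
    label: str                # e.g. "Double-Single-Factor" or "2-Factor"
    factors: tuple[str, ...]  # the factors verified, in presentation order


def evaluate(presented: list[str]) -> Verdict:
    """Classify an attempt by distinct factors verified, not items shown."""
    factors: list[Factor] = []
    for item in presented:
        if item not in CATALOGUE:
            raise ValueError(f"unknown identifier: {item}")
        factors.extend(CATALOGUE[item])
    distinct = set(factors)
    if len(factors) <= 1:
        label = "Single-Factor"
    elif len(distinct) == 1:
        label = "Double-Single-Factor"  # several items, one factor
    else:
        label = f"{len(distinct)}-Factor"
    return Verdict(label, tuple(f.value for f in factors))
```

Running `evaluate(["password", "sms_code"])` yields Know-Know and the Double-Single-Factor label, while `evaluate(["smartcard", "pin"])` is the Card-PIN case and counts as 2-Factor.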

Proof:

Here is a copy of an article that just came out on TechTarget, by Peter Loshin:

Android malware steals two-factor authentication passwords

Meanwhile, Android malware has been detected that’s capable of defeating two-factor authentication (2FA) by forwarding voice calls containing onetime passphrases that would ordinarily be received by the authorized users, Dinesh Venkatesan, principal threat analysis engineer at Symantec, reported this week.

Venkatesan reported last year that Android malware — first detected in 2014 and referred to as Android.Bankosy — had been observed intercepting short message service (SMS) messages. The malware recently added the ability to forward voice calls, because financial institutions have been moving away from sending the onetime passcodes via SMS.

Although the ability to defeat 2FA should be a concern, Symantec rated the Android.Bankosy malware as “Risk Level 1: Very Low,” in part because it must be installed manually on the victim’s device.

Double-Single-Factor Authentication is stronger than Single-Factor, but not as strong as true 2FA or MFA. With all the cyber attacks and government regulations now recommending at least 2FA, you need to know what this means and what to deploy to keep your identity and data secure. In closing, the use of a text or voice PIN is marketed as being convenient. My response to this is: Convenience without security is neither convenient nor secure.