Limitations of two factor authentication (2FA) technology
The common two factor authentication (2FA) techniques used in India have several shortfalls. We take a look at security risks associated with 2FA solutions.
Two factor authentication (2FA) techniques have grown rapidly with Indian enterprises rushing to secure assets in the wake of cyber attacks, compromises and heists. 2FA based one-time password (OTP) techniques which use basic unique individual identification factors for authentication have done much to secure end-users.
Let’s now take a look at the 2FA methods available in the Indian market today. Each of these 2FA technologies comes with limitations and vulnerabilities.
1) Hardware tokens
Box: OTP attack vectors
Most OTP systems are susceptible to real-time replay and social engineering attacks. OTPs are also indirectly susceptible to man in the middle (MITM) and man in the browser (MITB) attacks.
A real-time replay attack is a form of MITM attack. In this attack, malware sitting on the browser captures user credentials. The malware forwards these details to the attackers, and simultaneously blocks the user request. The user receives an error message which reports a failure. The attacker can perform an immediate replay with the same credentials. These tokens are usually valid for 60 seconds (+/- 10 seconds).
This fundamental design flaw can be avoided using a strong challenge-response mechanism. Remote attacks usually originate overseas, and involve heists on targets of opportunity. On the other hand, local attacks involve a fair bit of social engineering, cloning of cell phone SIMs (to receive OTPs), or changing the number registered for OTPs with the service provider.
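The challenge-response idea mentioned in the box, as an added example that is not from the original article or any vendor's product: the response is an HMAC over a fresh server nonce and the transaction details, so the same bytes are rejected on resubmission and for any other challenge. The class name, session ids, key and transaction strings are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def respond(key: bytes, nonce: bytes, transaction: str) -> bytes:
    """Client side: MAC over the server's nonce and the transaction shown to the user."""
    return hmac.new(key, nonce + b"|" + transaction.encode(), hashlib.sha256).digest()


class ChallengeServer:
    """Hypothetical verifier: one fresh nonce per request, consumed on first use."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = {}  # session id -> (nonce, transaction)

    def issue_challenge(self, session_id: str, transaction: str) -> bytes:
        nonce = secrets.token_bytes(16)  # fixed length, unpredictable
        self._pending[session_id] = (nonce, transaction)
        return nonce

    def verify(self, session_id: str, response: bytes) -> bool:
        entry = self._pending.pop(session_id, None)  # pop: a challenge is single-use
        if entry is None:
            return False
        nonce, transaction = entry
        return hmac.compare_digest(respond(self._key, nonce, transaction), response)


def demo():
    key = secrets.token_bytes(32)  # constructed per-user key
    server = ChallengeServer(key)
    # Legitimate request: the user answers the challenge for their own transaction.
    nonce = server.issue_challenge("session-1", "pay 500 to ACCT-A")
    captured = respond(key, nonce, "pay 500 to ACCT-A")
    accepted = server.verify("session-1", captured)
    # The same bytes submitted again: the challenge has already been consumed.
    replay_same = server.verify("session-1", captured)
    # The same bytes against a new challenge for a different transaction.
    server.issue_challenge("session-2", "pay 90000 to ACCT-X")
    replay_other = server.verify("session-2", captured)
    return accepted, replay_same, replay_other


if __name__ == "__main__":
    print(demo())
```

A time-based OTP, by contrast, is valid for whatever request arrives inside its validity window, which is what the replay described in the box relies on.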
Hardware tokens are the most widely used 2FA OTP mechanisms in India. The technology is nearly 15 years old now, and it’s vulnerable to several kinds of advanced attacks such as real-time replay (see Box: The attack vectors).
Next comes the potential compromise arising from seed leakage, something that a popular security token vendor fell victim to in 2011. The vendor stored the seeds for all its released tokens, and its servers were compromised. With the OTP generation algorithm being public, the attackers could derive OTPs for leaked seeds.
Beyond security risks, hardware tokens suffer from availability issues, with token replacement bringing on additional logistical and administrative burden. Every misplaced token sees a downtime of up to five days before replacement. These devices aren’t user-serviceable, requiring replacement at least once in three years due to battery failure. This entails a 100% cost to the company.
2) SMS-based tokens
SMS-based 2FA OTPs are very common in India (especially in banks) due to their zero logistics costs and end-device liability. SMS-based 2FA comes with its own issues, with availability being a major one. The primary problem with this method is the explicit dependence on external parties for OTP delivery. Here are some drawbacks:
- Delay in delivery: Message delays plague SMS services. Once sent out, an SMS OTP traverses multiple hops across carriers. It becomes susceptible to delays caused by network congestion. 2FA OTPs being time sensitive (typically three to five minutes), OTP delays can lead to ‘session timeouts’. Operator service outages and gateway downtime also affect SMS-based OTPs.
- Government/regulator interference: The Indian government has set precedents for blocking bulk-SMS gateways for law and order purposes. This is a serious concern for online banking services dependent on SMS-based OTPs. For example, one of India’s largest PSU banks once had to contract a Bangladeshi SMS gateway to send out its OTPs. This increased its cost by 100% at Re. 1/SMS.
- Low level of security: In India, the SMS encryption in use is usually basic in nature. SMS-based OTP also adds several variables to the trust chain. If a gateway is compromised, it will result in a major security breach, especially when it involves overseas gateways. SIM cloning is another emerging threat vector for SMS-based OTPs, with documented cases of frauds in India rising.
- Coverage areas/unavailability of service: Since SMS-based 2FA OTPs are sent over the air, users outside the network coverage can face issues. When users travel abroad, there are restrictions on incoming SMSs.
- Unavailability of devices: The user’s registered mobile device needs to be physically available to be able to receive the SMS OTP.
3) Software based tokens
Most hardware token vendors have a software version of their two factor authentication systems. The underlying technology is similar, and uses standard algorithms to generate OTPs. These solutions may cost less, since separate hardware is not required. Their availability across a variety of platforms makes them an attractive choice.
Software-based 2FA OTP solutions like Google’s Authenticator reside on your device, and work much like their desktop counterparts. As mobile platforms get actively exploited, such OTP methods are susceptible to seed leakage (like their hardware counterparts). Hardware compliant with the vendor’s recommendations is usually required. In this approach, the user is tied to a device. This impacts user access while on the move, on losing the device, or when attempting access from multiple devices.
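Why seed leakage, raised above for both hardware and software tokens, is decisive, shown as an added example that is not from the original article: with a public algorithm, any copy of the seed yields the same codes as the token, and only re-seeding invalidates that copy. RFC 6238 TOTP (the scheme used by Google Authenticator-style apps) stands in here for whichever algorithm a given vendor uses; the seeds are the published RFC test seed and a constructed replacement.

```python
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, dynamic truncation, decimal code."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter replaced by the current time step."""
    return hotp(seed, unix_time // step, digits)


def codes_for(seed: bytes, start: int, count: int, step: int = 30, digits: int = 8):
    """Codes for `count` consecutive time steps beginning at `start`."""
    return [totp(seed, start + i * step, step, digits) for i in range(count)]


# Constructed inputs: the published RFC 6238 test seed and a made-up replacement.
ENROLLED_SEED = b"12345678901234567890"
ROTATED_SEED = b"constructed-replacement-seed"


def demo(now: int = 1111111109):
    token = codes_for(ENROLLED_SEED, now, 5)
    # A second copy of the seed, held anywhere, computes exactly the same codes.
    leaked_copy = codes_for(bytes(ENROLLED_SEED), now, 5)
    # After the account is re-enrolled with a new seed, the old copy is useless.
    after_rotation = codes_for(ROTATED_SEED, now, 5)
    return token == leaked_copy, token == after_rotation


if __name__ == "__main__":
    print(totp(ENROLLED_SEED, 59, digits=8), demo())
```

Nothing in the code identifies which device produced a value, so a verifier cannot tell the issued token from a copy of its seed.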
4) Hardened browsers
Hardened browsers are secure 2FA systems designed from the ground up with the specific intent of authenticating and connecting two parties over a secure tunnel. This comes at the cost of flexibility, given that these browsers are usually bound to a specific device, location, platform and so forth. Some hardened browser solutions support only specific platforms.
These factors inherently compromise the usability of these systems. They are suitable for inter-branch communication/authentication or in scenarios where systems/platforms remain static. Breaching hardened browser-based 2FA requires sophisticated, highly customized and targeted attacks in order to spoof the challenge-response system it uses. Hardened browsers themselves are built to resist any form of hijacking, making this a laborious undertaking.
5) PKI-based solutions
Public Key Infrastructure (PKI) systems provide end-users with certificates for two factor authentication, which are used as challenge-response mechanisms to establish a private communication channel between two parties. Although effective, securing the certificate from falling into the wrong hands is a challenge. Since these certificates are installed on USB dongles and issued to the user, they are subject to the same issues as hardware tokens.
These certificates are valid for a year, and need renewal from third-party certifying bodies like Verizon and Entrust. Very few Indian organizations opt for PKI-based 2FA systems.
6) Grid-based authentication
Grid-based authentication systems are challenge-response based systems, where a predetermined pattern derived from a graphical grid displayed on screen is used to formulate the OTP. This two factor authentication system can be coupled with physical matrix cards to be overlaid on the on-screen grid to ensure immunity from compromise via screenshots. Such 2FA methods are also potentially susceptible to social engineering and theft. However, it still requires effort to acquire the unique array and password. At the end of the day, it depends on the user not divulging patterns, beyond which this solution provides a cost-to-security advantage.
About the author: Rakesh Thatha is the CTO and co-Founder of ArrayShield Technologies. He leads the company’s solution consulting and technology development aspects. Thatha was also part of the core team which carried out the network design phase of the Government of India’s National Knowledge Network (NKN) project. He has an MS (by research) from Indian Institute of Technology (IIT), Madras.
As told to Varun Haran