rethinking two factor auth
Among the many other things 2013 was the year of, it was the year of two factor auth. As news of each week’s bitcoin exchange hack surfaced, the web tubes collectively responded to each incident with TFA FTW! Clearly, two factor auth will continue to see more use in 2014, just as it wasn’t wholly nonexistent in 2012, but I think 2013 represents the turning point where, if TFA wasn’t widespread, it was widely known. It’s a good time to reflect on just how and why TFA protects your account, and from whom.
We’ll use gmail as our target for this discussion. I’ve taken a bunch of nude selfies, and since I’m never going to be as naked as I am now, I email them to myself for safe keeping. Moriarty is going to hack into my gmail account, steal my pics, and revenge me with them. Let’s run through a few attack scenarios.
First up, Moriarty straight up hacks into the gmail storage server because Google forgot to set a root password. It doesn’t matter what my password is, or whether I’m using two or three or four factor auth. I’m screwed. Not a very interesting scenario to discuss. Let’s lump XSS and CSRF in here, too: both ride on a browser session that has already passed every factor, so no factor ever gets rechecked.
Second up, we’ll assume the computers I use are secure (at least against Moriarty), but he might try various other attacks, like an online password guessing scheme. There are four subscenarios (strong and weak password, TFA and not). If my password is “banana”, then it probably won’t take too long to guess. Without TFA, he’s in. With TFA, he also needs the secret code on my phone, and I’m safe. Unless there is a TFA bypass, like the one Duo Security found, or the other one found in Paypal’s TFA.
Now let’s consider if my password is more like “tJPUg2Sv5E0RwBZc9HCkFk0eJgmRHvmYvoaNRq3j3k4”. That’s one tough nut to crack. I feel pretty confident you’re not going to brute force that. Against online guessing, I don’t need TFA. But what if I enabled TFA anyway, because Google tells me to every time I login? In many cases, that same second channel is also used for the password reset function. Which sounds easier to you, guessing “tJPUg2Sv5E0RwBZc9HCkFk0eJgmRHvmYvoaNRq3j3k4” or intercepting a text message to my phone? If you guessed option B, you’d be right. That’s what happened (among a few other mistakes) when CloudFlare was hacked. It’s like installing a deadbolt on the front door and then installing a screen back door at the same time. Or consider that Paypal will allow attackers to bypass both password and security fob with a phone call.
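To make the screen back door concrete, here is a small model of that situation. It is an example added here, not code from the original post or from Google, Paypal or CloudFlare, and everything in it is constructed: the toy service, the fake SMS gateway, the user name, the phone number and the recovery code scheme. Login needs the password plus a code texted to the phone; password reset needs only a code texted to the same phone. An attacker who can read the victim’s texts, and knows nothing else, walks in. The hardened variant makes reset additionally require a recovery code that was handed over once and never travels over the phone channel, and the same attacker is stopped.

```python
import hmac
import secrets


class SmsGateway:
    """Constructed stand-in for the carrier. It keeps every text it delivered,
    which is exactly what an attacker who can intercept SMS gets to read."""

    def __init__(self):
        self.sent = {}  # phone number -> list of delivered messages

    def send(self, phone, message):
        self.sent.setdefault(phone, []).append(message)

    def last(self, phone):
        return self.sent[phone][-1]


class Service:
    """Toy account service (constructed). Login needs password + SMS code;
    password reset needs an SMS code. With hardened_reset=True, reset also
    needs an offline recovery code that never goes over the phone channel."""

    def __init__(self, gateway, hardened_reset=False):
        self.gw = gateway
        self.hardened_reset = hardened_reset
        self.accounts = {}  # user -> {password, phone, pending, recovery}

    def register(self, user, password, phone):
        recovery = secrets.token_hex(8)  # shown to the user once, kept offline
        self.accounts[user] = {"password": password, "phone": phone,
                               "pending": {}, "recovery": recovery}
        return recovery

    def _send_code(self, user, purpose):
        acct = self.accounts[user]
        code = "%06d" % secrets.randbelow(10 ** 6)
        acct["pending"][purpose] = code
        self.gw.send(acct["phone"], "%s:%s" % (purpose, code))

    def _check_code(self, user, purpose, code):
        # Single use: the stored code is consumed whether or not it matches.
        expected = self.accounts[user]["pending"].pop(purpose, None)
        return expected is not None and hmac.compare_digest(expected, code)

    def login_step1(self, user, password):
        if not hmac.compare_digest(self.accounts[user]["password"], password):
            return False
        self._send_code(user, "login")  # second factor goes out by SMS
        return True

    def login_step2(self, user, sms_code):
        return self._check_code(user, "login", sms_code)

    def reset_request(self, user):
        self._send_code(user, "reset")  # same channel as the second factor

    def reset_confirm(self, user, sms_code, new_password, recovery_code=None):
        if not self._check_code(user, "reset", sms_code):
            return False
        if self.hardened_reset:
            expected = self.accounts[user]["recovery"]
            if recovery_code is None or not hmac.compare_digest(expected, recovery_code):
                return False
        self.accounts[user]["password"] = new_password
        return True


def code_from(message):
    return message.split(":", 1)[1]


def attacker_with_sms_access(svc, gw, user, phone):
    """Moriarty reads the victim's texts but knows neither the password nor
    the recovery code. Returns True if he ends up logged in."""
    svc.reset_request(user)
    if not svc.reset_confirm(user, code_from(gw.last(phone)), "moriarty"):
        return False
    # The password is now his, and the second factor is the phone he already reads.
    if not svc.login_step1(user, "moriarty"):
        return False
    return svc.login_step2(user, code_from(gw.last(phone)))


def owner_login(svc, gw, user, password, phone):
    """The legitimate owner knows the password and holds the phone."""
    return svc.login_step1(user, password) and svc.login_step2(user, code_from(gw.last(phone)))


def demo():
    """Run both configurations. Returns {hardened: (owner_ok, attacker_ok)}."""
    out = {}
    for hardened in (False, True):
        gw = SmsGateway()
        svc = Service(gw, hardened_reset=hardened)
        password = "tJPUg2Sv5E0RwBZc9HCkFk0eJgmRHvmYvoaNRq3j3k4"
        phone = "+15555550100"  # constructed number
        svc.register("alice", password, phone)
        owner_ok = owner_login(svc, gw, "alice", password, phone)
        attacker_ok = attacker_with_sms_access(svc, gw, "alice", phone)
        out[hardened] = (owner_ok, attacker_ok)
    return out


if __name__ == "__main__":
    for hardened, (owner_ok, attacker_ok) in demo().items():
        print("hardened reset=%s owner=%s attacker=%s" % (hardened, owner_ok, attacker_ok))
```

With `hardened_reset=False` the strong password never enters the picture: the phone channel alone resets it and then satisfies the second factor, so the account is protected by one factor, not two. The hardened variant only helps because the recovery code is a genuinely separate secret; sending it by the same SMS channel would put the screen door right back.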
Third up, we consider the possibility that Moriarty has implanted his Moriartyware malware on my computer, in the same vein as the Miss Teen USA webcam spy. That story is a little different, in that cutefuzzypuppy was operating the webcam, but he also had full control over the computer. Moriarty can use the browser running on my computer to access gmail and forward himself all my pics. I’m already logged in; no passwords, no codes, no TFA. This is already happening.
So far, I think most people are imagining the typical malware as a simple keyboard logger, for which TFA is a reasonable defense against a stolen password. But the technical skill needed to escalate a keyboard logger into a complete remote control tool is about zero. The logger happens to be a little more convenient now, but when it stops being convenient or effective, Moriarty will move on to remote control. There’s a saying about not outrunning the bear, just the next guy, but consider: the people using TFA represent, on average, more valuable targets. The greater effort to go after them results in greater rewards. Duo has another new post covering the history of more advanced attacks.
The increased security of TFA depends on some things happening and some other things not happening. You have to lose control of your password, but not in a way that also costs you control of your computer. You have to fall for the phishing email asking for login details, but not the phishing email asking for the PIN just sent to your phone. (Wait, an attacker can reset my password and then phish me for the reset code?) And most importantly, you have to hope that it’s really two factor auth and not actually a second one factor auth.