Many people think of two-factor authentication as a panacea for protecting users. While 2FA does drastically improve user protections, there are still risks.
Attackers recognize that every security control implemented in an enterprise comes with its own risks that need to be managed. Therefore, they have learned to attack security controls in order to compromise a system’s security. One example of this is the recent Reddit breach.
2FA is the practice of using two authentication factors to prove the identity of a user. The authentication factors can be something you have, something you know or something you are. There are other authentication factors, but these three are the most commonly used.
The two most commonly used authentication factors are a knowledge factor — a password — and either a possession factor, like a security token or a smartphone, or a biometric factor, like a fingerprint or facial scan. Passwords carry their own risks that are better-known than the risks related to possession or biometrics factors because passwords have been the primary authentication factor for most of the history of computing.
In this tip, we’ll take a closer look at the Reddit breach, the risks of using text messages — also known as Short Message Service (SMS) messages — to authenticate users in 2FA systems, and how enterprises plan to address these risks.
Reddit was not the first organization compromised by a weakness in their authentication system, and it won’t be the last; these systems are a critical and complex part of an enterprise’s defenses and must be protected.
Reddit reported that an attacker compromised a few employee accounts that were protected with SMS-based 2FA and used them to gain access to its cloud and source code hosting providers. It’s unclear how the attacker acquired the passwords used to compromise the accounts, or whether other security controls were in place to monitor those accounts, as Reddit didn’t specify how its SMS-based 2FA was bypassed in the attack.
SMS is not an ideal platform to deliver one-time passwords (OTPs), as the messaging protocol has long been known to be full of vulnerabilities and weaknesses: SMS messages can be spoofed, and man-in-the-middle attacks, in which an attacker intercepts OTPs, are commonly associated with the use of SMS for 2FA.
Even though the attacker was not able to get write access to the systems, Reddit changed its production secrets and API keys in order to harden its access management security. Reddit didn’t mention why these details needed to be changed. In order to defend against this type of attack, it’s a good idea to have a plan to change your company’s secrets and API keys, to have a lifecycle for managing those secrets and to change them if it’s possible that they have been compromised.
Risks of using SMS for multifactor authentication
Attackers can intercept one-time passwords delivered by SMS-based 2FA systems. They can also use social engineering techniques to get victims to change where their SMS authentication messages are delivered.
Attackers have other options to bypass the second factor, including the development of an overlay attack that presses the Approve button on a smartphone or pre-empting SMS authentication by registering a new hardware token.
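The risks above (a victim’s SMS delivery number being changed, a new token being registered, and the follow-on login) leave a trail in an identity provider’s audit log. The following added example, which is not part of the original tip, flags factor changes that warrant review; the log format, field names, account names and sample events are all constructed for the example.

```python
"""Added example (not from the original article): flag risky MFA-factor
changes in an identity-provider audit log. Log format, field names and
sample events are constructed for this example."""
from datetime import datetime, timedelta

# Constructed audit events: a consumer phone-number change, and a
# privileged account whose SMS number is re-pointed and then used to
# log in from an address never seen for that account.
SAMPLE_LOG = [
    {"ts": "2024-05-01T09:00:00", "user": "alice", "event": "login_success", "ip": "10.0.0.5"},
    {"ts": "2024-05-01T09:05:00", "user": "bob", "event": "mfa_phone_changed", "ip": "10.0.0.9"},
    {"ts": "2024-05-01T11:00:00", "user": "admin-carol", "event": "login_success", "ip": "10.0.0.7"},
    {"ts": "2024-05-01T11:20:00", "user": "admin-carol", "event": "mfa_phone_changed", "ip": "203.0.113.4"},
    {"ts": "2024-05-01T11:25:00", "user": "admin-carol", "event": "login_success", "ip": "203.0.113.4"},
]
PRIVILEGED = {"admin-carol"}                                 # assumed tier list
FACTOR_CHANGE_EVENTS = {"mfa_phone_changed", "mfa_token_enrolled"}
WINDOW = timedelta(minutes=30)                               # assumed review window


def find_alerts(events, privileged=PRIVILEGED, window=WINDOW):
    """Return (user, reason) tuples for factor changes that warrant review."""
    alerts = []
    known_ips = {}      # per-user set of IPs seen in successful logins so far
    recent_change = {}  # per-user time of the latest factor change
    for e in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(e["ts"])
        user = e["user"]
        if e["event"] in FACTOR_CHANGE_EVENTS:
            recent_change[user] = t
            # Any factor change on a privileged account gets a human look.
            if user in privileged:
                alerts.append((user, "factor change on privileged account"))
            # A change made from an address this user has never logged in from.
            if user in known_ips and e["ip"] not in known_ips[user]:
                alerts.append((user, "factor change from never-seen ip"))
        elif e["event"] == "login_success":
            seen = known_ips.setdefault(user, set())
            # New-IP login soon after a factor change: the classic takeover pattern.
            if user in recent_change and t - recent_change[user] <= window and e["ip"] not in seen:
                alerts.append((user, "new-ip login shortly after factor change"))
            seen.add(e["ip"])
    return alerts
```

On the sample log, bob’s routine change from a known network produces nothing, while admin-carol’s change triggers all three rules.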
Addressing the risks of using SMS for MFA
Enterprises that use SMS-based 2FA to protect high value or privileged accounts should have started a plan to migrate away from SMS-based 2FA when it was deprecated by NIST in 2017. Moving regular user accounts takes considerable resources, and SMS-based 2FA is still more secure than a password alone, so enterprises that want to start moving accounts away from SMS-based 2FA should treat those accounts as a lower priority than transitioning high value or privileged accounts to other authentication factor options.
2FA systems offer different options that can be configured depending on the needs of the application. These include options enabling the use of different types of hardware tokens for one-time passwords, authenticator applications, biometric readers, or other authentication factors and techniques.
System administrators may want to limit the use of hardware tokens to privileged accounts, but permit consumer logins using SMS-based 2FA. The cost incurred when an individual consumer account is compromised may be significantly less than the cost of using hard tokens for 2FA for all consumer accounts. If the cost of a potential SMS-based 2FA exploit is low enough, that approach may still significantly reduce the number of compromised consumer accounts, making it cost-effective.
Providers of 2FA systems should look into this more carefully and provide guidance to their users on how to securely and cost-effectively use their service to protect enterprise accounts. They will also need to be prepared with options for companies to choose what best meets their enterprise needs and to guide their customers through the failure modes, support costs, integrations, potential vulnerabilities in deployments and how to securely deploy the system.
Overall, enterprise security programs require constant vigilance and ongoing updates as the risks and technologies change. While it’s impossible to eliminate risk, and the cost to reduce risk may be higher than the cost to adequately respond to an incident, enterprises may want to focus their efforts on protecting privileged accounts and making sure that their supporting systems are adequately protected. Admins should also look at the costs incurred by compromised accounts to determine the size of the problem before changes are made to user or consumer accounts that do not use SMS-based 2FA.