In my previous article (link: http://www.enterpriseitworld.com/index.php/is-it-secure-to-use-cell-phones-to-get-the-otps-one-time-password/) we talked about SMS-based 2FA and why it is not a safe way to authenticate.
2FA via SMS:
This has been debated for quite some time now. SMS is not a secure way to deliver 2FA codes. It has two key vulnerabilities.
Firstly, the technology is susceptible to SIM swap attacks.
Secondly, hackers can intercept SMS messages by exploiting Signaling System No. 7 (SS7), the phone routing system. The protocol was designed back in 1975 but is still used almost globally to set up and tear down calls. It also handles number translation, prepaid billing and, crucially, SMS messages.
The other common way to use 2FA codes is to install a dedicated smartphone app. There are lots to choose from. But how secure are specialist 2FA apps? Their biggest weakness is their reliance on a secret key.
When you log in to a site, the app derives the code from a combination of your secret key and the current time. At the same moment the server generates a code from the same inputs, and the two codes must match for access to be granted. The first problem: if a cyber-criminal gains access to a company's password and secrets database, every account becomes vulnerable.
The second problem: the secret is handed to the user either in plain text or as a QR code, and it cannot be hashed or salted, because the server needs the original value to compute the same code. It must therefore probably also sit in plain text on the company's servers. The shared secret key is the fundamental flaw in the Time-Based One-Time Password (TOTP) scheme that specialist apps use.
FIDO-based 2FA:
The FIDO (“Fast IDentity Online”) Alliance is an industry consortium launched to address the lack of interoperability among strong authentication devices and the problems users face creating and remembering multiple usernames and passwords.
The FIDO protocols use standard public key cryptography techniques to provide stronger authentication. During registration with an online service, the user’s client device creates a new key pair. It retains the private key and registers the public key with the online service. Authentication is done by the client device proving possession of the private key to the service by signing a challenge. The client’s private keys can be used only after they are unlocked locally on the device by the user. The local unlock is accomplished by a user-friendly and secure action such as swiping a finger, entering a PIN, speaking into a microphone, inserting a second-factor device or pressing a button.
The FIDO protocols are designed from the ground up to protect user privacy. The protocols do not provide information that can be used by different online services to collaborate and track a user across the services. Biometric information, if used, never leaves the user’s device.
Universal 2nd Factor, abbreviated U2F, is the safest method to date: “This authentication method provides good protection against phishing attacks, because the URL is also checked during the login process.”
U2F is an open authentication standard that enables internet users to securely access any number of online services with one single security key instantly and with no drivers or client software needed.
U2F was created by Google and Yubico, with support from NXP, with the vision of taking strong public key crypto to the mass market. Today, the technical specifications are hosted by the open-authentication industry consortium, the FIDO Alliance. U2F has been successfully deployed by large-scale services, including Facebook, Gmail, Dropbox, GitHub, Salesforce.com, the UK government, and many more.
Widely considered to be a second-generation version of 2FA, it both simplifies and strengthens the current protocol. Additionally, using U2F keys is almost as convenient as opening an SMS message or third-party app.
U2F keys use either an NFC or a USB connection. When you connect your key to an account for the first time, it generates a random number called a “nonce”. The nonce is hashed with the site’s domain name to create a unique code. Thereafter, you use your U2F key by connecting it to your device and waiting for the service to recognize it.
The YubiKey is a hardware authentication device manufactured by Yubico that supports one-time passwords, public-key encryption and authentication, and the Universal 2nd Factor (U2F) protocol developed by the FIDO Alliance (FIDO U2F).
With the YubiKey, user login is bound to the origin, meaning that only the real site can authenticate with the key. The authentication fails on a fake site even if the user was fooled into thinking it was real. This greatly mitigates the increasing volume and sophistication of phishing attacks and stops account takeovers.
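The registration and challenge-signing flow described under the FIDO protocols above, and the origin binding that makes the YubiKey fail on a fake site, as an added Go example that is not code from the article, from Yubico or from the FIDO specifications. The Token, Register, Sign and Verify names and the two origins are my own constructed illustration, and the signed message is simplified to the parts that carry the origin (the real U2F message also includes a user-presence byte and a counter).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Token models a U2F security key: one fresh key pair per origin; private keys never leave it.
type Token struct{ keys map[string]*ecdsa.PrivateKey }
// Register creates a key pair bound to the registering origin and hands back only the public key.
func (t *Token) Register(origin string) *ecdsa.PublicKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t.keys[origin] = k
	return &k.PublicKey
}
// digest is the signed message, simplified from the U2F layout to its origin-binding parts:
// SHA-256(origin) || SHA-256(client data), where the client data carries the challenge and origin.
func digest(origin, challenge string) []byte {
	app, cd := sha256.Sum256([]byte(origin)), sha256.Sum256([]byte(challenge+"|"+origin))
	sum := sha256.Sum256(append(app[:], cd[:]...))
	return sum[:]
}

// Sign runs on the token. The browser supplies the origin of the page asking; the page cannot pick it.
func (t *Token) Sign(origin, challenge string) ([]byte, bool) {
	k, ok := t.keys[origin]
	if !ok {
		return nil, false // no key for this origin: a look-alike site cannot borrow the real site's key
	}
	sig, err := ecdsa.SignASN1(rand.Reader, k, digest(origin, challenge))
	return sig, err == nil
}

// Verify is the service side: it recomputes the digest with its own origin, so a signature made
// over any other origin fails even when the key is right.
func Verify(pub *ecdsa.PublicKey, origin, challenge string, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, digest(origin, challenge), sig)
}

func main() { // constructed origins: the real service and a look-alike phishing site
	tok := &Token{keys: map[string]*ecdsa.PrivateKey{}}
	pub := tok.Register("https://accounts.example")
	sig, ok := tok.Sign("https://accounts.example", "c1")
	fmt.Println("real site accepts:", ok && Verify(pub, "https://accounts.example", "c1", sig))
	_, ok = tok.Sign("https://accounts-example.com", "c2")
	fmt.Println("look-alike obtains a signature:", ok)
}
```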
- Strong security — Strong two-factor authentication using public key crypto that protects against phishing, session hijacking, man-in-the-middle, and malware attacks.
- Easy to use — Works out-of-the-box with native support in platforms and browsers including Chrome, Opera, and Mozilla, enabling instant authentication to any number of services. No codes to type or drivers to install.
- High privacy — Allows users to choose, own, and control their online identity. Each user can also opt to have multiple identities, including anonymous, with no personal information associated with the identity. A U2F Security Key generates a new pair of keys for every service, and only the service stores the public key. With this approach, no secrets are shared between service providers, and an affordable U2F Security Key can support any number of services.
- Multiple choices — Open standards provide flexibility and product choice. Designed for existing phones and computers, for many authentication modalities, and with different communication methods (USB and NFC).
- Electronic identity — Identity proofing is offered for organizations requiring a higher level of identity assurance. Through service providers it is possible to bind your U2F Security Key to your real government issued identity.
As of today, FIDO U2F is considered the safest method for 2FA.
The next food for thought: what would happen if a YubiKey were integrated with a USBHarpoon?
By: Archie Jackson, AVP Technology (Information Security), GENPACT