Due to the increase in cyberattacks around the globe, many companies have started to implement what we call two-factor authentication or, more generally, multi-factor authentication.
Two-factor authentication (2FA) is a subtype of a more general system called multi-factor authentication (MFA). Multi-factor authentication is the process of using more than one piece of information to authenticate a user.
Using your credit card in an ATM (Automated Teller Machine) to get cash is a sort of two factor authentication.
In this post I am going to give you a more detailed idea of this system, with many realistic examples of where and how to implement it, following the recommendations of the best-known standards on this particular subject.
To understand two-factor authentication, you first need to know what those factors are, so let me explain that first. The authentication factors are divided into three main categories:
Something you know: a piece of information that only the user knows. For example, a password, a PIN, or the answer to a secret question.
Something you have: all the specific items a user may possess, such as a physical or logical security token, an OTP token (sent through SMS), or an RFID card.
Something you are: a biometric element that identifies a unique human. For example, iris, retina, fingerprint, finger vein, or facial characteristics.
According to the PCI DSS 8.2 requirements, an MFA implementation needs to use at least two factors. Of course, there are additional factors, such as geolocation and time, that can be used to restrict access based on the user's location or, for example, to deny users access after work hours. In this post we will focus on the three factors explained above to keep things simple.
Now that we have a clear idea of those factors and of what a two-factor authentication system is, let me explain a really interesting principle to respect while implementing this mechanism. When choosing which factors to use for our MFA, we need to keep in mind that the two factors must be independent of one another.
What does this mean? It is simple: getting access to one factor does not grant access to the other. Let me give you an example to make it clearer:
Let us say you use a username and a password to log your clients in, and then ask them for an OTP after verifying that the combination is correct. The OTP is sent to the user's email once the verification succeeds. Now suppose your client uses the same combination to access his email account (which is very common behavior). In this scenario, an attacker who gets access to the user's email will also have access to the OTP code generated by your backend. This means the independence rule has not been respected in this situation.
Now let us see some realistic implementation examples of the two factor authentication.
The ATM could be considered a two-factor authentication system. To get cash from the machine, the client needs to have a credit card (something he has) and needs to provide a PIN (something he knows). Therefore, this is a good two-factor authentication implementation.
In most online banking systems, the user is first asked for a username and password combination (something you know). Once the bank verifies that it is correct, it generates an OTP, sends it to the user's mobile phone, and asks for it to complete the login (something you have). In this situation, knowing one of the two factors does not imply knowledge of the other.
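The server side of that second step, written here as an added example (it is not code from the original post): the code is generated with a cryptographic random source, only a keyed hash of it is stored, and it is single-use, short-lived and limited to a few guesses, so a leaked database or an unlimited guessing loop does not turn the second factor back into something an attacker can obtain without the phone. The digit count, lifetime and attempt limit are assumptions chosen for the example, and the first step (username and password) is assumed to have already passed.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

# Constructed parameters for this example (assumptions, not values from the post).
OTP_DIGITS = 6
OTP_TTL_SECONDS = 120
OTP_MAX_ATTEMPTS = 3


@dataclass
class PendingOtp:
    """Server-side record of a code that has been sent but not yet used."""
    code_hash: bytes          # HMAC of the code; the plaintext is never stored
    key: bytes                # per-challenge random HMAC key
    expires_at: float
    attempts_left: int = OTP_MAX_ATTEMPTS


class OtpSecondFactor:
    """Second step of the online-banking flow: issue and check one-time codes."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock                  # injectable so tests can move time
        self._pending: Dict[str, PendingOtp] = {}

    @staticmethod
    def _digest(key: bytes, code: str) -> bytes:
        return hmac.new(key, code.encode("utf-8"), hashlib.sha256).digest()

    def issue(self, user: str) -> str:
        """Create a fresh code for `user` and return it for the caller to send.

        Only a keyed hash is kept, so a dump of this table does not expose live
        codes. Issuing a new code replaces any earlier one for the same user.
        """
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        key = secrets.token_bytes(32)
        self._pending[user] = PendingOtp(
            code_hash=self._digest(key, code),
            key=key,
            expires_at=self._clock() + OTP_TTL_SECONDS,
        )
        return code

    def verify(self, user: str, submitted: str) -> bool:
        """Check a submitted code: expiring, single-use, and few guesses allowed."""
        record = self._pending.get(user)
        if record is None:
            return False
        if self._clock() >= record.expires_at:
            del self._pending[user]           # expired: a new challenge is required
            return False
        record.attempts_left -= 1
        ok = hmac.compare_digest(record.code_hash, self._digest(record.key, submitted))
        if ok or record.attempts_left <= 0:
            # Consume the challenge on success; lock it out after too many misses.
            del self._pending[user]
        return ok


if __name__ == "__main__":
    otp = OtpSecondFactor()
    code = otp.issue("alice")                 # in production this goes out by SMS
    print("sent code:", code)
    print("wrong code accepted?", otp.verify("alice", "000000"))
    print("right code accepted?", otp.verify("alice", code))
    print("replay accepted?", otp.verify("alice", code))
```

The point of returning the plaintext from `issue()` only once is that the delivery channel (the phone) is the only place the code lives afterwards; the backend can prove a code was right without being able to produce it again.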
To make an online payment with a European credit card, you need the credit card number (something you know) and you need to enter the three-digit security code (something you have). Now you may say that this is not two-factor authentication, as the security code is also something the user already knows. Well, this is why I said a European credit card (I do not know about others, but at least in Europe that is how things work).
In Europe, once you perform a purchase with your credit card and your security code, the code is automatically changed on the bank backend and the new value is sent to you by SMS. Therefore this information becomes something you have and not something you know.
In this part of the post, we will discuss some bad implementations of two-factor authentication, implementations that I find all the time while doing penetration tests. I will also explain why these implementations are not good and how to make them good.
The very first bad implementation I am going to talk about is using a certificate to authenticate a user, combined with a username and password. Let's say you have an internal web application, and to log into the app you need to use your work computer, where a certificate has been installed for login. Now let's analyze this scenario:
The first principle of two-factor authentication is satisfied: two different factors are used. However, if we look at the second principle, the independence of the two factors, we can see that it is not satisfied. Why? Simply because if a black hat hacker gets access to the user's computer, he will be able to take the user's certificate and log into the app.
So, how do we fix that?
To fix the two-factor authentication in this situation, you need to put the certificate on an RFID or USB token and use it when you want to log in.
Let us say you have an app that asks users to enter a username/password combination and to answer a secret question. This is like using two passwords to authenticate a user.
The first principle is not satisfied in this case: you are using the same factor (something you know) twice.
Using two passwords together is no more secure than using a single password because a password-cracking attempt could discover both in a single successful attack.
A multi-factor authentication system is a great mechanism to secure your systems, but this does not mean that its data or techniques are secure by default. Even a two-factor authentication system needs to be protected against cyberattacks that may impact the integrity and confidentiality of its data, and this is what we are going to see in this part of the post.
The first factor, passwords and other "something you know" information, needs to be hard to guess and protected against data leaks.
Biometrics and other "something you are" data should be protected from unauthorized replication and, ideally, never stored in the backend at all.
For RFID cards and removable devices (something you have), things are a little different: in most cases the security of these elements relies on the end user. However, this does not mean we should not put any security mechanisms in place to protect this factor.
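For the "something you know" factor, the two protections named above (hard to guess, and safe against a data leak) look like this in code. This is an added example, not code from the original post: a length check plus a lookup against a breached-password list covers "hard to guess", and storing only a salted, deliberately slow PBKDF2 hash covers the leak case, since a dumped table then has to be brute-forced one record at a time. The iteration count, salt size, minimum length and the tiny breach list are constructed assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Constructed parameters (assumptions for this example, not values from the post).
PBKDF2_ITERATIONS = 600_000     # OWASP's current guidance for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
MIN_LENGTH = 12

# A tiny constructed stand-in for a real breached-password list.
BREACHED_PASSWORDS = frozenset({"password", "123456", "qwerty123", "letmein"})


def is_weak(password: str) -> bool:
    """'Hard to guess': reject short passwords and anything known to be breached."""
    return len(password) < MIN_LENGTH or password.lower() in BREACHED_PASSWORDS


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (hex fields).

    A fresh random salt per record means two users with the same password get
    different hashes, and the slow KDF makes each leaked record expensive to crack.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        return False                 # malformed record: fail closed


def needs_rehash(stored: str) -> bool:
    """True when a record was made with weaker parameters than the current ones.

    Call this after a successful login so old records are upgraded transparently.
    """
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < PBKDF2_ITERATIONS


if __name__ == "__main__":
    pw = "correct horse battery staple"
    print("weak?", is_weak(pw))
    record = hash_password(pw)
    print("stored:", record)
    print("login ok?", verify_password(pw, record))
    print("needs rehash?", needs_rehash(record))
```

A hashing scheme on its own does nothing for the first requirement: a correctly hashed "123456" is still cracked in the first second of an offline attack, which is why the breach-list check sits beside the KDF rather than replacing it.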
One of my clients asked me an interesting question, and I would like to answer it here because it is really worth knowing about: what is the difference between multi-step and multi-factor authentication?
Let me answer this question with a realistic example of a computer that logs users in using the following process:
In this scenario we are talking about a multi-step authentication system, because if one of the authentication factors fails, the user can tell which one was incorrect. This is in contrast to multi-factor (or two-factor) authentication, where no information about the failed factor should be presented.
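The difference shows up directly in the error path. The following added example (not code from the original post) puts a multi-step flow, which stops at the first failing factor and names it, next to a multi-factor flow that collects both factors up front, checks both without short-circuiting, and returns one generic verdict. The demo user, password and one-time code are constructed fixed values; a real system would store a password hash and a freshly issued OTP rather than the literals used here.

```python
import hmac
from typing import Dict, Optional

# Constructed demo credentials (assumptions for this example only).
USERS: Dict[str, Dict[str, str]] = {
    "alice": {"password": "s3cret-pass-phrase", "otp": "482913"},
}


def _match(expected: Optional[str], given: str) -> bool:
    """Constant-time comparison; an unknown user simply never matches."""
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode("utf-8"), given.encode("utf-8"))


def multistep_login(user: str, password: str, otp: str) -> str:
    """Multi-step: each factor is checked in turn and the first failure is named.

    The distinct messages (and the fact that the OTP prompt only appears once the
    password is right) tell the caller exactly which factor is still wrong, so the
    factors can be worked on one at a time.
    """
    record = USERS.get(user, {})
    if not _match(record.get("password"), password):
        return "invalid password"
    # Reaching this line already confirms the password: that alone is a leak.
    if not _match(record.get("otp"), otp):
        return "invalid one-time code"
    return "ok"


def multifactor_login(user: str, password: str, otp: str) -> str:
    """Multi-factor: both factors are always evaluated and only the overall result
    is reported, so a failure reveals nothing about which factor was wrong."""
    record = USERS.get(user, {})
    password_ok = _match(record.get("password"), password)
    otp_ok = _match(record.get("otp"), otp)            # evaluated even if the password failed
    return "ok" if (password_ok and otp_ok) else "authentication failed"


if __name__ == "__main__":
    print(multistep_login("alice", "s3cret-pass-phrase", "000000"))   # names the OTP
    print(multifactor_login("alice", "s3cret-pass-phrase", "000000")) # generic failure
```

The same uniform verdict should extend to timing and to the user-facing prompt sequence: if the second factor is only requested after a correct first factor, the prompt itself becomes the oracle, which is why `multifactor_login` takes both values in a single call.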
Written by: Z. Oualid
I am a Cyber Security Expert; I have worked with many companies around the globe to secure their applications and their networks. I am OSCP and OSCE certified, which are the most recognized and hardest technical certifications in the cybersecurity industry. I am also a Certified Ethical Hacker (CEH). I hope you enjoy my articles :).