by Josephine Wolff for the New York Times
Here’s how two-factor authentication is supposed to work: You log in to your bank account or email inbox, and after correctly entering your password, you are prompted to confirm the login through an app on your cellphone, a one-time code sent to you via text message or email, a physical YubiKey device or even a phone call. That app, text message, email, YubiKey or phone call is your “second factor,” intended to ensure that even if the person trying to log in isn’t really you, he or she still can’t gain access to your accounts without access to your phone or YubiKey.
You might find two-factor authentication mildly irritating, and there’s a chance you might not even notice the extra step in the login process anymore. Regardless, you probably feel a certain comfort in the idea that at least your money or your inbox is well protected. But like so many other commonly accepted best practices in computer security, we actually know very little about how well two-factor authentication works.
In December, Amnesty International released a report describing an easy-to-apply technique being used to compromise accounts protected by two-factor authentication. The hackers whom Amnesty International investigated, who were targeting accounts belonging to individuals in the Middle East and North Africa, set up phishing pages that captured not only users’ passwords but also the one-time authentication codes generated by their two-factor services.
Setting up phishing websites that look like the login pages for well-known web services is a common way to steal passwords online. Here’s the way it works: Someone designs a website that looks almost exactly like Bank of America’s website and then emails you a message, purporting to be from Bank of America, warning you that your account is about to expire, or your information needs to be updated, and directing you to a fake site where you believe you’re logging into your bank account but instead are just typing your password into a website owned by scammers.
This type of phishing is precisely the kind of threat that two-factor authentication is supposed to protect you against. Unlike so-called dictionary attacks — in which hackers try to guess your password by running through a dictionary of possible choices — forcing people to develop more complicated or longer passwords (a minimum of eight characters with uppercase and lowercase letters, and at least one symbol and one number) does not help at all when someone steals your password via phishing. So the password-complexity requirements that have reigned as a common (and irritating) best practice in every workplace for years are increasingly supplemented by two-factor authentication, to protect you against both dictionary attacks and phishing attacks.
But it turns out that the one-time codes generated by people’s smartphones or sent via text message and email can also be phished. If you’re the hacker, all it takes is adding a component to your fake Bank of America website so that after you prompt someone for his password, you try to log in to his real Bank of America account using the password he has just provided, triggering a second-factor alert that doesn’t alarm him because he thinks he’s signing into Bank of America too. Then, on your fake phishing site, you prompt his to enter his second-factor code and use it to complete the login.
The activity in Amnesty International’s report is not even the first time that two-factor authentication has been compromised in that manner. In 2014, an F.B.I. special agent, Elliott Peterson, described how malware distributed by the botnet GameOver Zeus could compromise two-factor authentication protecting bank accounts in the same way.
The fact that two-factor authentication can be compromised through fairly straightforward, widely used tactics is no reason to stop using it. After all, no security tool is perfect. As long as it significantly decreases the likelihood of account compromises, two-factor authentication is still worth using. But we don’t know a lot about how much two-factor authentication actually helps protect your accounts.
Google has offered its optional two-step verification system to Gmail users since 2011 but has never released any data about its effectiveness at driving down account compromises. In fact, last year Google switched all of its employees from using the Google Authenticator app for two-factor authentication to physical security-key devices that need to be inserted into a computer port to complete a login. Since making that switch, Google announced last July, none of its employee accounts have been compromised. The announcement seems to imply that the security provided through the app was not regarded as sufficient by the company for its internal accounts, even though it is what many Google users rely on. Should we all be using physical security keys? How much less effective is the Google Authenticator app? We still don’t know (though presumably, Google does).
In the absence of any empirical evidence about how well two-factor authentication works, organizations have been rushing to institute it in recent years for fear of falling behind their peers. Even the federal government started rolling out two-factor authentication late last year to federal and state employees. The two-factor provider Duo Security saw its annual recurring revenue pass the $100 million mark in 2017, after increasing 135 percent in 2016. Last year Cisco purchased Duo for $2.35 billion, indicating just how valuable and ubiquitous this technology has become.
The rapid rise of two-factor authentication is not a bad thing. In fact, it’s probably a good thing, but we can’t know that for sure until we learn something about how well it’s working. It makes logical sense that requiring more pieces of information to log in to an account would serve to better protect that account, but relying on common-sense justifications for computer security has misled us before. For instance, many companies require employees to change their passwords every year or every 90 days. For years, this has been commonly accepted as a best practice for security based on the idea that it makes it more difficult for hackers to use old, stolen passwords. But in fact, those mandatory password changes might sometimes do more harm than good unless the password has been compromised.
Many computer security practices are propagated through misguided notions of “best practices” that businesses decide to adopt because they see everyone around them doing something and assume it must be the right choice. But just copying what everyone else is doing and calling it best practice does not actually help strengthen the security of our accounts or data. To do that, we need to be able to measure the impact of these practices using concrete data about whether they reduce instances of account compromises or stolen funds or intellectual property theft. We need the companies that operate and implement these security practices to track those metrics and be willing to release them, even when that data may not paint them in the best — or most secure — light. Otherwise, we’re left blindly adhering to supposed best practices without knowing what really works for cybersecurity.