Two-Factor Authentication: A Standard in Security

Understand the importance and the benefits of two-factor authentication for your business

The purpose of two-factor authentication (2FA)—also known as multi-factor authentication (MFA)—is to simply reduce the value of a stolen or guessed password. At Dwolla, we strongly encourage our employees and clients to use two-factor authentication.

This is a Spider chart that represents Dwolla’s opinion on the strengths and weakness of each second factor authentication method discussed

Authentication is the process of proving you are who you claim to be. Typically this is completed by providing something you know, such as a password.

Relying on users or password complexity requirements to create strong passwords is not enough. Let’s face it, humans are terrible at creating them. “P@ssw0rd” and “Winter2018!” could bypass most password requirements while being easily determined by an adversary.

The goal of an adversary is to impersonate a user to gain the same privileges and access to information that the user has. If an application only requires a username and password, the adversary can gain access via several methods, including:

• Password guessing by using a dictionary of the most common passwords
• Phishing users into sharing their password
• Searching password dumps from previous data breaches (users tend to use the same password for multiple accounts)

This is where second-factor authentication comes in.

Rather than relying only on something you know to prove who you are—which adversaries can learn—second-factor requires you to prove something you have. This can be a phone to receive SMS messages or a hardware token that generates a one-time password. If an adversary were to obtain a user’s password, they would also need to prove that they have access to the second-factor device.

This makes it exponentially more difficult for adversaries to impersonate users.

For applications that do not inherently have a 2FA option—or only support weaker second-factor options—Single Sign-on (SSO) permits a user to use one set of 2FA login credentials to access multiple applications. Having one strongly authenticated identity for multiple applications is increasingly better than having multiple, weaker, authenticated identities across applications.

Services that integrate with on-premises or web applications to add two-factor authentication in the authentication flow—such as Duo—can be implemented as well.

Using public and private key pairs for the authentication process, Universal Second Factor (U2F) strengthens the authentication process by validating the requesting site before authorizing access. This public/private key pairing prevents MITM (man-in-the-middle) attacks, where an adversary secretly relays and possibly alters the communication between two parties who believe they are communicating directly with each other. The FIDO Alliance, a non-profit organization that works to reduce the reliance on passwords for authentication while improving user experience, created the U2F specification and published an API specification for web applications—called WebAuthn—to leverage strong authenticators.

Hardware tokens, such as a Yubikey, integrate directly with supported browsers and services to generate a unique public key for each account, signed by the hardware token’s private key. The token-generated public key is sent to the application server to be stored for validation.

When signing into the application/portal, the server sends a challenge message to the user’s browser. The user then responds by signing the message with the private key—usually by physically tapping or pressing a button on the hardware token—which the server validates with the public key.

It is important to note that the origin of the challenge is included in the response. Meaning, if someone were to phish as gooogle.com (google.com with three “o’s’), an adversary that captures the signed U2F message, would not be able to pass the message to google.com, as Google would reject the message because the origin in the signed message does not match.

As outlined by Google in their whitepaper “Security Keys: Practical Cryptographic Second Factors for the Modern Web,” their implementation of U2F authentication driven by hardware keys not only reduces sign-in time by greater than 50%, but also reduces support costs of supporting other two-factor authentication methods. As of this post, U2F is fully supported in Chrome, with other browsers providing support in emerging releases such as Firefox Quantum.

Dwolla is a strong believer in the strength of U2F and requires hardware token-based authentication for employees. We found that implementing hardware key authentication has driven down support costs and made authentication stronger and faster.

While many foundational authentication mechanisms exist (strong passwords, device fingerprinting, account lockout/rate limiting, CAPTCHAs, etc.), if the threat model requires strong authentication, the business will need an adequate second-factor.

One-time email codes and security questions are not valid forms of 2FA as they break the expected combination of something you know (password) and something you have (hardware token or similar).

For one-time email codes, if an adversary has control of an email account, that message (containing a one-time code) would be easily obtained and used as a bypass. Security questions are often publicly available, easily researched or phishable (eg high school mascot, mother’s maiden name, childhood street address).

SMS as a second factor is quickly falling out of favor and should be deemed a last option or exception-based second-factor method. The strength of SMS is dependent on the threat model of the call center of the mobile carrier. An adversary could port the number over to their own device by calling support and pretending to be the user (known as pretexting).

This vulnerability is also known as SIM-swapping and is—unfortunately—increasing in occurrence. Even though this attack may be mitigated with a PIN and account security measures with your mobile carrier, it is no longer advisable to use SMS as a second factor.

Although better than single-factor authentication, the strength of this second factor is waning and should be used with caution.

Based on our security posture at Dwolla, below is a list of 2FA methods ordered from strongest to weakest.

U2F (Universal Second Factor)

Requirements: Hardware Key with U2F support (USB, Bluetooth, NFC)

Advantages: Currently one of the strongest 2FA options, requires little user interaction.  Origin server domains are part of the signed response, rendering Man-in-the-Middle (MITM) attacks extremely difficult and/or thwarted. The required hardware key and its capacitive sensor is quick and easy to engage. Over time, this method of authentication provides savings and overall lower support costs.

Disadvantages: Cost of hardware, limited browser and application support.

Push Notifications

Requirements: Android or iOS device.

Advantages: More difficult to phish, time effective for authentication. Users have a strong location affinity with their mobile devices. The strengths of push notifications are based in strong services: TLS, HSTS, RSA 2048 or greater and prioritized AEAD ciphers. Mobile devices leverage key pairs and secure enclaves.

Disadvantages: Requires internet access on device, more time consuming for configuration.

OTP (One-time Password)

Requirements: An authenticator app or hardware token

Advantages: Short-lived codes, no need for internet or cellular access

Disadvantages: Phishable and time consuming. If the device is lost or stolen, the token will need to be reset. Hash-based OTP (HOTP) codes may become out of sync and difficult to resync.

SMS (Simple Messaging Service)

Requirements: A personal device that can receive SMS messages

Advantages: Ease of use, ubiquity of delivery

Disadvantages: Phishable and time consuming. Requires cellular reception/service and prone to SIM swapping/phone porting.

—