I know something that isn't two-factor authentication

William Edwards wrote a post entitled "I know someone whose 2-factor phone authentication was hacked…" about a friend whose bank account was drained by fraudsters. His bank relied on a dial-back system. The attackers social-engineered BT to re-route the phone calls. This attack is eerily similar to the recent attack on Cloudflare, which started with an attack on an AT&T account.

I agree with almost everything in the post, except this: a dial-back verification system is not two-factor authentication. It's been clear to me that the term "two-factor authentication" is showing its age. In many ways I prefer the term "strong authentication" because it speaks to how much confidence the authentication gives you, not to how many factors were counted. And it leads us to this:

In order for an authentication mechanism to be considered strong, it must rely upon cryptographic proof of possession of the authentication factors.

There is no cryptography in a dial-back system. There is none that helps in SMS either: a code pushed over the phone network gives the bank no proof of who holds the phone, only the carrier's word about where the number is routed, which is exactly what the attackers subverted at BT and AT&T. These systems may be better than a static password, but they are not strong!

If your authentication system falls back to a channel that offers no such proof, then it is not strong either. It's the old cliché about weakest links.
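To make the distinction concrete, here is an added example (not code from the original post or from the bank in question) that models both kinds of second factor side by side: a one-time code pushed over a channel the bank does not control, as with SMS or dial-back, and a challenge-response where the device proves possession of a key that never left it. The relying-party name `bank.example`, the user `alice` and the phishing origin `phish.example` are assumed for illustration, and HMAC over a shared key stands in for the signature a real hardware token would produce, since it needs no third-party library and the proof-of-possession logic is the same.

```python
import hashlib
import hmac
import secrets

# Scheme 1: a one-time code delivered over a channel the relying party does
# not control (models SMS and dial-back). Possession of the phone is assumed,
# never proven: whoever the carrier routes the number to receives the code.
class CodeOverChannelServer:
    def __init__(self):
        self.pending = {}  # user -> code awaiting entry

    def start_login(self, user, send):
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[user] = code
        send(user, code)  # the carrier, not the bank, decides who receives this

    def finish_login(self, user, code):
        return hmac.compare_digest(self.pending.pop(user, ""), code)


# Scheme 2: challenge-response with a secret that never leaves the device.
# This models the "cryptographic proof of possession" the post asks for. A
# hardware token would sign with a private key and the server would hold only
# the public key; HMAC over a shared key is used here (assumption: it needs no
# third-party library) and the proof-of-possession logic is identical.
RP_ID = "bank.example"  # assumed relying-party identity, bound into every response


class Authenticator:
    def __init__(self):
        self._key = secrets.token_bytes(32)  # stays on the device

    def enrol(self):
        return self._key  # handed to the relying party once, at enrolment

    def respond(self, rp_id, challenge):
        # Bound to the fresh challenge and to the site the device believes it is
        # talking to, so a relayed response is useless to a different site.
        return hmac.new(self._key, rp_id.encode() + b"\0" + challenge, hashlib.sha256).digest()


class ChallengeResponseServer:
    def __init__(self, rp_id):
        self.rp_id = rp_id
        self.keys = {}     # user -> enrolled key
        self.pending = {}  # user -> outstanding challenge

    def enrol(self, user, key):
        self.keys[user] = key

    def start_login(self, user):
        challenge = secrets.token_bytes(32)
        self.pending[user] = challenge
        return challenge  # may travel in the clear; it is worthless without the key

    def finish_login(self, user, response):
        challenge = self.pending.pop(user, None)
        if challenge is None:
            return False  # nothing outstanding: a replayed response is rejected
        expected = hmac.new(self.keys[user], self.rp_id.encode() + b"\0" + challenge,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def rerouted_channel_attack():
    """The BT/AT&T scenario against scheme 1: the carrier now routes the
    victim's number to the attacker, who receives the code and logs in."""
    server = CodeOverChannelServer()
    attacker_inbox = {}

    def rerouted_send(user, code):
        attacker_inbox[user] = code  # the victim never sees the code

    server.start_login("alice", rerouted_send)
    return server.finish_login("alice", attacker_inbox["alice"])  # True: attacker is in


def rerouted_channel_against_challenge_response():
    """Same attacker against scheme 2: they can read the challenge but were
    never given the key, so the best they can do is answer with a guessed one."""
    server, device = ChallengeResponseServer(RP_ID), Authenticator()
    server.enrol("alice", device.enrol())
    challenge = server.start_login("alice")
    forged = hmac.new(secrets.token_bytes(32), RP_ID.encode() + b"\0" + challenge,
                      hashlib.sha256).digest()
    return server.finish_login("alice", forged)  # False


def replay_attack():
    """A genuine response captured off the wire does not work a second time."""
    server, device = ChallengeResponseServer(RP_ID), Authenticator()
    server.enrol("alice", device.enrol())
    response = device.respond(RP_ID, server.start_login("alice"))
    return server.finish_login("alice", response), server.finish_login("alice", response)  # (True, False)


def phishing_relay_attack():
    """A phishing site relays the bank's challenge to the victim's device; the
    device binds the phishing origin into its answer, so the bank rejects it."""
    server, device = ChallengeResponseServer(RP_ID), Authenticator()
    server.enrol("alice", device.enrol())
    challenge = server.start_login("alice")
    return server.finish_login("alice", device.respond("phish.example", challenge))  # False
```

The first function is the story in the post: once the carrier can be talked into re-routing the number, the "factor" arrives at the attacker and the bank cannot tell the difference. The remaining three show what cryptographic proof of possession buys: an attacker who controls the channel sees only a challenge, a captured response cannot be replayed, and a response minted for a phishing origin is rejected by the real site. None of that protection survives if the bank lets the user fall back to the code-over-channel scheme, which is the weakest-link point above.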
