Two Factor Authentication (Step) - A False Narrative

Lets have a quick chat about Two Factor Authentication (2FA) or do I mean Two Step Authentication (2SA). If you want true 2FA, the solution should be FIDO compliant. So, to be clear for this article, 2FA means FIDO compliance, while 2SA is the non FIDO compliant approach. I am not really going to debate the terminology, rather, I want to highlight what I see as a false narrative. Let me state that, using something in addition to your password is a good idea, in fact it is a great idea, and far better than simply having just a password. (I think some of the security folk at STRIPE have some good stats on this).

From my experience I am seeing a false narrative emerge.

This false narrative is when both security and non-security folk try to push the narrative that 2SA is nice and secure. Because lets be honest the vast majority of authentications that say they are 2FA are in fact 2SA. Some examples of the 2SA approaches; when you use an OTP - One Time Passcode, usually generated by tools such as Google Authenticator, or a code issued via SMS to your phone. Other approaches such as push notification to your phone, e.g. OKTA Verify are also 2SA approaches. All of these 2SA approaches can be defeated. While a 2FA approach can not be defeated (at least to my knowledge).

So this means a FIDO compliant approach is more secure than the non FIDO approach.

The issue appears to be that the consumer, i.e., the people using these 2SA authentication solutions believe they are now nicely secure. As I have already stated, I fully accept using an additional step in addition to a password is good security hygiene, I use many services that are 2SA, and sometimes I even choose to use 2SA over 2FA simply for convenience.

But I am concerned that ordinary people, by that I mean standard non-tech security people, are falling into a false sense of security, and that they might appear far more relaxed than they should be. In fact, I see tech people and even tech security people failing into this false narrative. So, if the tech and security folk fall into the false narrative, then non tech people are going to find this very confusing.

My banking on line application is now pushing the idea of "Strong Customer Authentication" as part of PSD2. All the options available are 2SA and they don't allow for 2FA, at least not at this time. And, that is exactly where I actually want 2FA, is with my financial banking stuff, even on their web site where they are explaining "Strong Customer Authentication" they refer to it as 2FA. This means that when the security community want to move people to 2FA, people are going to be quiet confused. And, that's the issue. So now, lets have a look at what I am talking about.

To demonstrate defeating 2SA I am using the excellent Man In The Middle framework (MITM) Evilginx

So, here are a few video demonstrations of this MITM platform in use defeating 2SA. The first video shows how everything is suppose to work. While the second video demonstrates how Evilginx is used to defeat 2SA.

Video One

Video Two

So, you see it's not that difficult to defeat 2SA solutions. Of course you have to convince a user to click on a malicious web app. If the solution is 2FA i.e., FIDO compliant this approach will not work, because the FIDO Key (device) is registered (bound) to the domain that it's registered with. So, a phished site can not convince the FIDO device to respond.

Of course, I know a lot of people might not agree with me here. At the end of the day 2FA is about FIDO compliance, while 2SA is just another step, and, don't fall into the trap that you cant be compromised when using non FIDO approaches.

If you are responsible for highly sensitive content or you have root access to systems, then you really want to be using a FIDO compliant approach.