Authentication: The Pitfall Of Two Factor Authentication
Last update: 8th Apr, 2006
Overview
A lot of banks in the US are busy preparing themselves for new federal requirements on two factor authentication for online banking. This trend has also been adopted by financial institutions in many other countries. Two factor authentication is definitely a good way to improve the security level of online banking. With online authentication attacks like phishing hitting major banks around the world, traditional username-and-password-only authentication seems to be seriously lacking.
In talking to other security professionals, everyone seems to be excited about two factor authentication systems such as the one-time password (OTP) and soft and hard tokens. However, it should be noted that two factor authentication is not the be-all and end-all of authentication solutions that will stop phishing and other attacks in their tracks.
Potential effects of two factor authentication
In the short term, two factor authentication will cut down on phishing and other online banking attacks. By adding the second factor of authentication, attackers will have a more difficult time trying to grab the full credentials from unsuspecting victims. This is the primary benefit that everyone expects when implementing two factor authentication. The early adopters of an extra factor in authentication will see a drastic decrease in attacks simply because the attackers just move on to the weaker targets.
In the long run, after every bank has moved to two factor authentication, phishers and attackers will eventually catch on and will start attacking the online applications protected by two factor authentication. This might happen faster than most people think. With regulations requiring the banks to have two factor authentication, it is possible to see a massive deployment of two factor authentication systems within a couple of years. With two factor authentication being the norm, it is possible that within a year of wide-scale two factor authentication deployment in a country, the attackers could already be fluent in attacking online banking clients that use two factor authentication.
Methods of attacks
Let's review some of the methods attackers can use to break the protection offered by two factor authentication. Remember, these are only some of the possible scenarios; the rest is up to the imagination.
So, two factor authentication doesn't work?
We have shown a few ways in which two factor authentication by itself does not offer sufficient protection for online banking. The pitfall is that two factor authentication offers no protection against real-time impersonation attacks. Although two factor authentication is not perfect, this is not a good excuse for not deploying a two factor authentication system. All the cases we mentioned above make an attacker's life a whole lot more difficult. When the attack is more complicated and difficult, the likelihood of an attack is reduced.
Instead of using two factor authentication as the only solution to the security issues with online banking authentication, financial institutions and government regulators should look into educating the general public about the proper way to safeguard their online transactions. Financial institutions should also start to investigate more ways for clients to easily tell the legitimate website from a look-alike. To further protect the financial institution and its clients, it is important to look into improving the real-time fraud detection system on the backend so that malicious transactions get flagged before they even happen.
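The two points above (a one-time code relayed in real time is accepted by the bank, and the backend is where that relay can still be caught) can be shown with a small worked example. This is added here and is not code from the original article; it assumes the token is an HOTP event-based token (RFC 4226), which the article does not specify, and the verifier, the look-ahead window and the "replayed" audit event are assumptions of the example.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3]) % (10 ** digits)
    return str(code).zfill(digits)


class OtpVerifier:
    """Assumed bank-side verifier: each counter value is accepted once, within a look-ahead
    window; a correct code that was already consumed is reported as a possible relay so
    the backend fraud detection can act on it."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.window = window
        self.next_counter = 0
        self.events = []  # audit trail: (outcome, source, counter)

    def verify(self, code: str, source: str) -> str:
        for c in range(self.next_counter, self.next_counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1
                self.events.append(("accepted", source, c))
                return "accepted"
        # Correct code, but already consumed: whoever used it first got in.
        for c in range(max(0, self.next_counter - self.window), self.next_counter):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.events.append(("replayed", source, c))
                return "replayed"
        self.events.append(("rejected", source, None))
        return "rejected"


def relay_scenario():
    """Constructed scenario: the token's current code is captured by a look-alike site and
    forwarded to the bank first; the victim's own submission arrives a moment later."""
    secret = b"12345678901234567890"  # RFC 4226 test-vector secret, not a real key
    bank = OtpVerifier(secret)
    code = hotp(secret, 0)                      # what the victim typed into the look-alike
    first = bank.verify(code, "relay-source")   # relayed in real time: accepted by the bank
    second = bank.verify(code, "victim")        # genuine user: same code, now flagged
    return first, second
```

The second factor alone does not stop the relayed login, but the duplicate presentation of one code from two sources is exactly the kind of signal the backend fraud detection the article calls for can flag.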
Conclusion
As long as there is money to be made, attacks against online banks will not stop. Making them more difficult by using two factor authentication is a good way to cut down on some of the attacks. The more work required to attack, the less likely we are to see a phishing kit for $20. It's also interesting that the folks at Kaspersky are noticing a shift of cyberattack targets towards the government sector; they guess that the profit made from individual users is no longer satisfactory to the attackers.
It is important to note that two factor authentication by itself might not offer the level of protection some people keep dreaming about. Every system has its deficiencies. In an online banking authentication system, we need more than one technology, with many accompanying backend processes, to ensure it meets the security expectations of clients.
