Authentication: The Pitfall Of Two Factor Authentication

Last update: 8th Apr, 2006


Many banks in the US are busy preparing for new federal requirements on two factor authentication for online banking, and financial institutions in many other countries have followed the same trend. Two factor authentication is definitely a good way to raise the security level of online banking. With online authentication attacks such as phishing hitting major banks around the world, traditional username-and-password-only authentication is seriously lacking.

In talking to other security professionals, everyone seems to be excited about two factor authentication systems such as one-time passwords (OTP) and soft and hard tokens. However, two factor authentication is not the be-all and end-all of authentication that will stop phishing and other attacks in their tracks.

Potential effects of two factor authentication

In the short term, two factor authentication will cut down on phishing and other online banking attacks. With a second factor in place, attackers have a much harder time grabbing a full, reusable set of credentials from unsuspecting victims. This is the primary benefit everyone expects from two factor authentication. Early adopters of an extra factor will see a drastic decrease in attacks simply because the attackers move on to weaker targets.

In the long run, once every bank has moved to two factor authentication, phishers and other attackers will catch on and start attacking the online applications it protects. This may happen faster than most people think. With regulations requiring banks to deploy two factor authentication, a massive deployment within a couple of years is plausible, and once it is the norm in a country, attackers could be fluent in attacking two factor protected online banking clients within a year of that wide scale deployment.

Methods of attack

Let's review some of the methods attackers can use to break the protection offered by two factor authentication. These are only some of the possible scenarios; the rest is left to the imagination.

Trojans are pretty common these days, and we are already seeing trojans such as the Banker family trying to steal usernames and passwords from victims. These trojans generally steal credentials by keylogging or by presenting fake login forms, then send the credentials to a collection site for later use by the attackers. Against a full two factor authentication system, a captured username, password and second factor passcode are not useful later, because the passcode has expired by the time the attacker tries it (unlike a username and password, which stay valid). On the surface it looks as if trojans are no longer effective. Unfortunately, this is not the end of the trojan; there are still attack avenues left.
Remote control is one possibility. If the attacker can remotely control the victim's computer, the attacker waits until the user logs in to the online bank and then executes a transaction right in front of the victim, on the victim's own authenticated session. Techniques used by existing trojans, such as disabling the keyboard and mouse and monitoring IE window titles (to alert the attacker when a banking page is open), can aid this attack.
Another possible trojan attack is an automated transaction submitted by the trojan itself. The trojan detects the user logging in and then submits a transaction using the user's session ID. This requires a fair amount of preparation, since every bank's online system is different, but with careful planning it works well.
Phishing!? Yes, phishing can still work, but only against certain types of second factor, and the attack process isn't simple. First, the phishers send out phishing email as they always have, to entice victims into submitting credentials on a look-alike website. This time the phishers also ask for the second factor. Take the example of a hard token that periodically generates a pseudo-random string: the phisher asks for the token string and the token passcode as well as the username and password. As soon as the victim submits the form, the phisher's script at the collection point goes to work: the information just entered is used to log in to the online bank, and the fraudulent transaction is executed immediately, before the token string expires.
Executing the fraudulent transaction immediately poses some challenges for the phishers, e.g. scripting the correct automated transaction against that bank's site and having the money courier lined up and ready to go. The scheme also relies on a weak second factor: a time-based code that stays valid for a window of time and is not tied to any particular login or transaction. If the bank employs a challenge-response second factor, where the code answers a challenge the bank issues for that specific login, a static look-alike page has no challenge to show and the phishers are in trouble. Overall, phishing is made more difficult by two factor authentication.
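To make the timing argument concrete, here is an added simulation in Python (not code from the article) of a bank that accepts a username, password and 6-digit time-based code computed RFC 6238-style (HMAC-SHA1 over a 30 second counter), and a phisher's collection script that relays the harvested form data. The token secret, password, account names and timestamp are constructed for the example, and the clock is injected so the run is deterministic.

```python
"""Time-based OTP: a harvested code is useless an hour later but works right now.

Constructed simulation, not the article's code. The token is RFC 6238-style
(HMAC-SHA1 over a 30 second counter); secret, password, account names and
timestamps are made up.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30


def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238-style code: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = now // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class Bank:
    """Minimal online bank: a correct OTP login creates a session; a session can transfer."""

    def __init__(self, password: str, token_secret: bytes):
        self.password = password
        self.token_secret = token_secret
        self.sessions = {}   # session id -> user
        self.transfers = []  # (destination, amount) actually executed

    def login(self, user: str, password: str, code: str, now: int):
        # The code is accepted only in the 30 s step it was generated for (no drift window here).
        expected = totp(self.token_secret, now)
        if password != self.password or not hmac.compare_digest(code, expected):
            return None
        sid = f"sess-{len(self.sessions) + 1}"
        self.sessions[sid] = user
        return sid

    def transfer(self, sid: str, destination: str, amount: int) -> bool:
        if sid not in self.sessions:
            return False
        self.transfers.append((destination, amount))
        return True


def phish_and_relay(bank: Bank, harvested: tuple, delay_seconds: int) -> bool:
    """Collection-site script: log in with the harvested form data `delay_seconds` after
    the victim submitted it, then push a transfer to the attacker's account."""
    user, password, code, submitted_at = harvested
    sid = bank.login(user, password, code, submitted_at + delay_seconds)
    if sid is None:
        return False
    return bank.transfer(sid, "mule-account-42", 5000)


def scenario():
    """Run the late replay and the real-time relay against identical banks."""
    secret = b"victim-token-seed"
    t0 = 1_144_454_400  # constructed timestamp (2006-04-08 00:00 UTC), aligned to a 30 s step
    # Victim fills in the look-alike form, including the code currently shown on the token.
    harvested = ("alice", "hunter2", totp(secret, t0), t0)

    # Classic collect-now-use-later: an hour later the code belongs to a past step.
    late_bank = Bank("hunter2", secret)
    late = phish_and_relay(late_bank, harvested, delay_seconds=3600)

    # Real-time relay: the script logs in 5 s later, still inside the same step.
    fast_bank = Bank("hunter2", secret)
    immediate = phish_and_relay(fast_bank, harvested, delay_seconds=5)
    return late, immediate, fast_bank.transfers


if __name__ == "__main__":
    print(scenario())  # (False, True, [('mule-account-42', 5000)])
```

The only thing that separates the two runs is the delay between the victim's submission and the phisher's login, which is exactly why the collection script has to act within the token's validity window rather than batching credentials for later.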
Man in the middle
In the phishing scenario, a challenge-response second factor is a problem for the phishers. That does not stop all attackers, however: the determined ones can fall back on a man in the middle attack, and there are several ways to mount one. One is to put up a look-alike malicious site that is really a proxy to the actual bank's website. When the victim logs in with proper credentials, the attacker simply rides the established online banking session. Note that even a challenge-response token does not help here, because the man in the middle relays the connection between the bank and the victim: the bank's challenge reaches the victim through the proxy, the victim sends in the response, and the proxy forwards it. The attacker simply proxies the traffic until the session is established and then sends in the fraudulent transaction.
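The relay described above, as an added Python simulation that is not part of the original article: the bank issues a random login challenge, the victim's token answers it with HMAC-SHA256 (an assumed token algorithm), and the look-alike proxy forwards both directions and then submits its own transfer on the resulting session. The second half goes beyond the article's text and shows one countermeasure to the session-riding gap: the same token signs the destination and amount the customer intends, so a transfer the proxy alters no longer verifies. Secrets, names and amounts are constructed.

```python
"""Man in the middle against a challenge-response token, and transaction binding.

Constructed simulation, not the article's code. The token answers whatever it is
asked to sign with HMAC-SHA256(secret, message) (assumed algorithm); names and
amounts are made up.
"""
import hashlib
import hmac
import secrets


def token_response(secret: bytes, challenge: bytes) -> str:
    """What the victim's token computes for whatever it is asked to sign."""
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()


def transfer_message(dest: str, amount: int) -> bytes:
    """Canonical bytes the token signs for a transfer; the user keys these into the token."""
    return f"{dest}|{amount}".encode()


class Bank:
    def __init__(self, token_secret: bytes):
        self.token_secret = token_secret
        self.pending = set()  # outstanding login challenges
        self.sessions = set()
        self.transfers = []   # (destination, amount) executed

    def login_challenge(self) -> bytes:
        c = secrets.token_bytes(8)
        self.pending.add(c)
        return c

    def login(self, challenge: bytes, response: str):
        """Fresh challenge + correct response -> a session. Nothing says who is holding it."""
        if challenge not in self.pending:
            return None
        self.pending.discard(challenge)
        if not hmac.compare_digest(response, token_response(self.token_secret, challenge)):
            return None
        sid = secrets.token_hex(8)
        self.sessions.add(sid)
        return sid

    def transfer(self, sid: str, dest: str, amount: int) -> bool:
        """Session-only authorisation: whoever holds the session may move money."""
        if sid not in self.sessions:
            return False
        self.transfers.append((dest, amount))
        return True

    def signed_transfer(self, sid: str, dest: str, amount: int, signature: str) -> bool:
        """Transaction-bound authorisation (countermeasure, beyond the article): the token
        must have signed exactly this destination and amount."""
        if sid not in self.sessions:
            return False
        expected = token_response(self.token_secret, transfer_message(dest, amount))
        if not hmac.compare_digest(signature, expected):
            return False
        self.transfers.append((dest, amount))
        return True


def mitm_login(bank: Bank, victim_secret: bytes):
    """Look-alike proxy site: fetch the real bank's challenge, show it to the victim,
    forward the victim's response, and keep the resulting session for itself."""
    challenge = bank.login_challenge()                   # proxy -> real bank
    response = token_response(victim_secret, challenge)  # victim's token answers on the fake page
    return bank.login(challenge, response)               # proxy forwards it; the session is the proxy's


def scenario():
    secret = b"victim-token-seed"
    bank = Bank(secret)
    sid = mitm_login(bank, secret)

    # Session riding: challenge-response proved the victim was present, not what they wanted.
    riding_ok = bank.transfer(sid, "mule-account-42", 5000)

    # Countermeasure: the victim signs the transfer they intend (120 to the utility company).
    victim_sig = token_response(secret, transfer_message("utility-company", 120))
    # The proxy swaps the destination but cannot produce a signature for it.
    tampered_ok = bank.signed_transfer(sid, "mule-account-42", 120, victim_sig)
    # The untouched transfer still goes through.
    honest_ok = bank.signed_transfer(sid, "utility-company", 120, victim_sig)
    return riding_ok, tampered_ok, honest_ok, bank.transfers
```

The transaction-bound variant only helps if the token shows the customer what they are signing; a proxy that talks the customer into keying in the mule's account number still wins, and the bank would additionally need a per-transaction nonce or counter (not modelled) to stop a captured signature from being replayed.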

So, two factor authentication doesn't work?

We have shown a few ways in which two factor authentication by itself does not offer sufficient protection for online banking. The pitfall is that two factor authentication does not protect against real time impersonation: it proves that the legitimate user is present at login, not that the transaction that follows is the one the user intended. Although two factor authentication is not perfect, that is no excuse for not deploying it. Every attack described above is made considerably harder, and when an attack is more complicated and difficult, it becomes less likely.

Instead of using two factor authentication as the only answer to the security issues with online banking authentication, financial institutions and government regulators should look into educating the general public on how to safeguard their online transactions. Financial institutions should also investigate more ways for clients to easily distinguish the legitimate website from a look-alike. To further protect the institution and its clients, it is important to improve the real time fraud detection system on the backend so that malicious transactions are flagged before they are executed.
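The backend check the paragraph calls for, as an added Python example (not the article's, and not any bank's real rule set): a small rule-based scorer over a constructed transaction history that holds a transfer for out-of-band confirmation when several risk signals coincide. The rules, thresholds, customer name and history are all assumptions chosen to match the relayed and scripted transfers described above.

```python
"""Backend fraud detection: flag a transfer before it executes.

Constructed example, not the article's code. Rules, thresholds and the account
history are made up to show the shape of a real time check that runs behind the
login, where two factor authentication cannot see.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    user: str
    dest: str
    amount: int
    seconds_since_login: int  # how long after authentication the transfer was submitted


@dataclass
class Profile:
    known_payees: frozenset
    max_amount: int  # largest transfer in the customer's history


# Constructed history for one customer (what the bank already knows about "alice").
HISTORY = [
    Transfer("alice", "landlord", 1200, 240),
    Transfer("alice", "utility-company", 120, 95),
    Transfer("alice", "savings", 500, 310),
    Transfer("alice", "landlord", 1200, 180),
]


def build_profile(history: list) -> Profile:
    return Profile(
        known_payees=frozenset(t.dest for t in history),
        max_amount=max(t.amount for t in history),
    )


def risk_reasons(profile: Profile, tx: Transfer) -> list:
    """Signals aimed at the attacks described above: a relayed or scripted transfer tends to
    go to a payee the customer never used, to exceed anything they have sent before, and to
    land seconds after login because a script rather than a person is driving the session."""
    reasons = []
    if tx.dest not in profile.known_payees:
        reasons.append("first transfer to this payee")
    if tx.amount > 2 * profile.max_amount:
        reasons.append("amount more than double the customer's previous maximum")
    if tx.seconds_since_login < 15:
        reasons.append("submitted within seconds of login (scripted?)")
    return reasons


def decide(profile: Profile, tx: Transfer) -> tuple:
    """allow / review / hold. 'hold' means confirm out of band (e.g. a call back) before the
    money moves; a single weak signal only queues the transfer for review."""
    reasons = risk_reasons(profile, tx)
    if len(reasons) >= 2:
        return "hold", reasons
    if reasons:
        return "review", reasons
    return "allow", reasons


def scenario() -> dict:
    profile = build_profile(HISTORY)
    legit = Transfer("alice", "landlord", 1200, 90)            # routine rent payment
    new_dentist = Transfer("alice", "dentist", 300, 150)        # new payee, otherwise ordinary
    relayed_fraud = Transfer("alice", "mule-account-42", 5000, 4)  # what the relay scripts produce
    return {
        "legit": decide(profile, legit),
        "new_dentist": decide(profile, new_dentist),
        "relayed_fraud": decide(profile, relayed_fraud),
    }
```

The point of the example is where the check sits: the relayed login in the earlier scenarios is indistinguishable from the real customer at the authentication layer, but the transfer it produces still looks nothing like that customer's history, and a hold at that point stops the money before a courier can collect it.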


As long as there is money to be made, attacks against online banks will not stop. Making them more difficult with two factor authentication is a good way to cut down on some of the attacks; the more work an attack requires, the less likely we are to see a $20 phishing kit for it. It is also interesting that the folks at Kaspersky are noticing a shift of cyberattack targets towards the government sector; their guess is that the profit from individual users is no longer satisfactory to the attackers.

It is important to note that two factor authentication by itself may not offer the level of protection some people keep dreaming about. Every system has its deficiencies. For online banking authentication, we need more than one technology, with many accompanying backend processes, to meet the security expectations of clients.