Two-Factor Authentication Is Not Invincible: Why Using a Password Manager Is Your Best Choice
Security professionals are very pedantic when it comes to what should and what shouldn't be said about a product's cyber defenses. If a marketing department is unwise enough to claim that a certain system has 'perfect' protection, the experts will embark on a mission to prove those claims wrong. And you can be pretty sure that it will be a successful mission.
When it comes to cybersecurity, nothing is perfect. The traditional authentication mechanism that relies on a username and password provided by the user, for example, is woefully flawed. Many people will tell you that the imperfections can be addressed by two-factor authentication, but the fact of the matter is, it too is not without its faults. But what are they exactly? And does their existence mean that we should abandon two-factor authentication?
When technology fails
A couple of weeks ago, Reddit, the news aggregation platform that was recently ranked as the sixth most popular website in the world, admitted that it had suffered a data breach.
It must be said that it's not the most horrific cyberattack the world has ever seen. The crooks did manage to steal a database that contained things like usernames, salted and hashed passwords, posts, and even private messages, but that database was put together way back in 2007 when Reddit was far less popular. The way the crooks broke in, however, highlighted one of the problems with two-factor authentication – the fact that it sometimes relies on technology that's vulnerable to attacks.
First, the hackers stole the login credentials that belonged to a few Reddit employees and opened accounts at the news aggregator's hosting provider. The hosting provider did offer two-factor authentication, and the employees had it turned on, but the system relied on a temporary code sent via a text message, and it's pretty clear that the hackers managed to get that code. Reddit representatives were adamant that there was no malware on the employees' phones and they concluded that the crooks managed to intercept the SMSes while they were in the air.
It's hardly something a regular script kiddie could do, but intercepting texts has been technically possible for a while now, and hackers that are both experienced and determined enough clearly know how to do it. If they think that they could steal valuable information, they won't hesitate to attack you as well which is why it is a good idea to stay away from text messages as a second factor whenever possible. Even if you choose a different option, there is still one thing that could fail you: your index finger.
When people fail
In April 2017, white hat hacker Kuba Gretzky demonstrated another way of bypassing two-factor authentication that should work regardless of whether or not the system relies on text messages. It starts with an attacker redirecting victims to a fake login page that mimics the look and feel of the real one.
The fake page doesn't just record usernames and passwords. It acts as a proxy to the real login form, and it would not proceed to the next step until the victim providers the correct credentials. Then, the malicious website requests the second factor which the victim must enter just like they normally would, and when that's done, Gretzky designed the system to redirect the user to a default Google Drive document.
You might think that the fake login page stole the second-factor temporary code, but you'd be wrong. The whole attack revolves around intercepting the session cookie which gives the attacker much more freedom because as long as the session cookie is active, they have access to the victim's account without even needing to enter the username and password.
You might argue that this attack is made possible because of the way the two-factor authentication works, but the truth is, the crooks won't be able to get anywhere near the session cookie if the user doesn't click on a link and gets redirected to the fake login form. So, it's all down to the fact that people aren't trained well enough and are extremely prone to falling victims to phishing attacks.
Does this mean that we should stop using two-factor authentication?
Of course, it doesn't. If you haven't done so already, enable it at all the services that offer it and make sure you use something more secure than SMS wherever possible.
Even with the best two-factor authentication system, you must make sure that all attacks are stopped as early as possible. This obviously includes using strong unique passwords for all your accounts. The easiest way to do that is, of course, with a password manager, and we are happy to present you with our very own solution: the Cyclonis Password Manager.
Using the random password generator, you will be able to create complex, unique passwords for all your accounts, and you won't need to remember them because they'll all be stored in your personal encrypted vault. For your convenience, there's a browser extension that can automatically fill in the login credentials for you, but it will only do it at the legitimate pages which means that if you end up on a phishing website, the extension could actually help you realize that something's not quite right. Best of all, all this won't cost you a penny because Cyclonis Password Manager is completely free.
Security experts have been looking for a one-size-fits-all, panacea-like silver bullet that solves all our problems and lets us enjoy the Internet without worrying about the millions of threats that lurk around every corner. There's no getting away from the fact that if such a thing is even possible, we've got a very long way to go until we reach it. Until then, security will remain dependent on multiple factors which include strong, unique passwords, robust two-factor authentication mechanisms, and our own understanding of what a single wrong click could lead to.