09/05/2014
Many two-factor authentication methods are vulnerable to attack and create usability issues, but understanding their differences will help you avoid all of these problems.
With recent disasters like the Target data breach, the Russian hacking of over 1.2 billion login credentials, and now the infamous celebrity photo hack, information security experts have universally called upon users to enable two-factor authentication to protect their user accounts for popular online services.
But this also means that developers need to make sure that they are offering the same security for their services, and CIOs, IT managers, and other information security professionals need to integrate and enable two-factor authentication to protect the user accounts for their enterprise networks, websites, and apps.
Simply using a user ID and password combination for login security is no longer a safe method for protecting your user accounts and preventing unauthorized access by attackers. Brute force attacks, phishing, and malware can easily defeat this outdated login method, but two-factor authentication adds an additional layer of security that helps prevent unauthorized access by requiring the user to verify identity through a separate method that is often inaccessible to attackers.
The most common method is one that is used by some of the biggest names in the tech industry, including Google, Apple, Facebook, and Twitter. It relies on the user’s access to his or her mobile device and uses SMS text codes or one-time passwords (OTPs) to verify access.
SMS two-factor authentication is safer than traditional login methods, but it is also more cumbersome.
Using the SMS or OTP method, whenever two-factor authentication is enabled and required, the user logs in with a user ID and password. The secured service sends a text message containing the required code or password to the user’s mobile phone, and the user must re-enter this information through the login screen in order to complete verification.
Presumably, only someone who knows the user’s ID and password and also possesses the user’s mobile device can perform this second verification step, so this helps prevent brute force attacks against the login server.
SMS two-factor authentication is simply not secure.
However, despite the fact that security experts have widely encouraged users and developers to enable and use this method, it remains highly vulnerable to attack.
In recent high-profile cases, this method has been exploited in attacks against prominent online services, including online banking provided by Swiss banks, known for having some of the best cybersecurity in the world.
The biggest problem with this two-factor authentication method and with many others is that they still require the entry of a password along with a user ID during the login process. This fails to address the core problem of cybersecurity, which is the continued use of the password, and it fails to eliminate the primary motivator of cyberattacks, which is to steal credentials like passwords and use them to access confidential information and compromise servers and networks.
By continuing to use sensitive credentials like passwords during the login process, any service using passwords as the first factor in two-factor authentication will continue to give attackers every incentive to target their users and servers.
Malware can easily defeat SMS- or OTP-based two-factor authentication
Predictably, given the incentive of stealing credentials, there are already a variety of tactics that attackers have used to compromise this type of two-factor authentication. The simplest threat is malware. Using software that users have unwittingly installed on their computers by downloading infected files or clicking malicious links, attackers can simply log all the keystrokes entered on the user’s keyboard or in a web browser to steal login credentials, including any SMS codes or one-time passwords that are entered for verification.
Man-in-the-middle attacks are also an effective way to overcome SMS- or OTP-based two-factor authentication
Then there are “man-in-the-middle” attacks, which are a variation on simpler malware approaches. These attacks use malware to trick users into visiting a counterfeit website that is designed to appear identical to the real website that the users intend to visit. The user unwittingly enters the user ID and password combination into the fake website, and the counterfeit site connects to the real website and forwards the credentials. The real website then sends the user a text message with the required verification code or password, and the user unknowingly enters this information into the fake login screen. The counterfeit website forwards this information to the real website, which authenticates the user and grants access. The attacker then redirects the user to the real website, so everything appears normal to the user, but the attacker now holds an authenticated session and has full access to the user’s account.
SIM card vulnerabilities provide more opportunities for attackers to steal SMS or OTP codes and tokens
Another tactic used by attackers is number porting, in which the attacker tricks the user’s mobile provider into transferring the user’s phone number to a new account under the attacker’s control. Or, alternatively, attackers may compromise a user’s mobile account and order a second SIM card, which the attacker receives and installs on another mobile device. Using either of these methods, an attacker can receive any SMS messages sent to the user and thus use them to authenticate access to any of the victim’s accounts that use this form of two-factor authentication.
Beyond these tactics, there is the prospect of SIM card cloning, in which attackers may be able to take advantage of encryption and software flaws in certain SIM card technologies. This allows attackers to remotely gain control of a SIM card and even clone it, so they can access SMS text messages or simply receive copies of them.
And, finally, another threat to SMS-based two-factor authentication is Trojan malware that is designed to target mobile devices like Android smartphones. Masquerading as a security certificate, these Trojans are capable of intercepting and forwarding inbound text messages. Thus, attackers have yet another means for potentially intercepting verification codes and using them to gain unauthorized access to user accounts.
Hardware tokens and QR codes address SMS vulnerabilities but burden users and discourage adoption
To avoid SMS vulnerabilities in two-factor authentication, some developers have turned to hardware tokens or QR codes as a way to verify user identity without relying on SMS text messages.
In the case of hardware tokens, the user must carry a token or fob, which is typically connected to a computer through a USB port. A user can only access a secured service by logging in using an ID and password and also connecting the USB-enabled token to the computer that is being used to access the service.
This method has potential vulnerabilities of its own, as demonstrated several years ago when RSA Security, a division of EMC Corporation and developer of token-based authentication, was hacked. RSA Security was forced to replace more than 40 million hardware tokens because it had been victimized by a phishing attack and malware that allowed hackers to access sensitive company information that may have included its master key or technical details about its security technology.
But perhaps the biggest problem for two-factor authentication using hardware tokens is that it cannot be used to protect user access to online services through smartphones or tablets. These devices are not equipped with USB ports, so the same security fobs cannot be used with them. This is a major usability issue that limits their application and effectiveness.
This challenge has led some developers to use QR codes as a basis for verifying user identity. During the login process, the user enters a user ID but not a password. But the user must then use a mobile device to scan a QR code that is shown on the login screen. On the mobile device, the QR scanning app contains a randomly generated secret code that is used as a unique identifier. This code or private key is used to sign or encrypt the QR code that is scanned, and when the user scans the QR code, the app can confirm possession of the required private key and confirm identity.
The QR code method uses public key cryptography, which is an ideal approach to two-factor authentication, but it also places a burden on the user in requiring a successful scan of the QR code. Many users have difficulties with scanning QR codes, and this can be a time-consuming and frustrating process that delays logins. And this can also hamper user adoption and compliance.
Ease of use has been the biggest obstacle to the adoption of two-factor authentication, even though the added security is critical to protecting user accounts. The additional steps required by two-factor authentication, along with the difficulty that some users have had with hardware tokens and QR codes, are largely why major tech companies like Google and Microsoft have made two-factor authentication optional for users. Even if it is enabled, most services require it only when a user logs in from a new device. This means that, in all other instances, no additional verification step is used, and thus user accounts are left vulnerable. And it also means that these services are tracking user behavior and hardware, which can be unsettling for some users.
One method eliminates all the security vulnerabilities and usability issues.
With all of the preceding issues in mind, developers may wonder whether there is a truly safe method for two-factor authentication and whether any method can be deployed without burdening the user and without making it only an occasional requirement that does not provide protection for all logins.
Fortunately, there is a simple but incredibly secure solution that uses mobile verification without SMS codes, hardware tokens, or QR codes, and its next-generation cryptography and login method actually simplify two-factor authentication and allow users to verify their identity and access secured services in seconds.
SecSign Technologies has introduced a powerful alternative to other two-factor authentication methods called SecSign ID. It uses mobile authentication using public key cryptography, which is based on the same concept of knowledge and possession used in smart card security. SecSign ID involves three core elements:
A simple login eliminates the use of passwords and sensitive credentials.
The login and authentication process can be completed within seconds, starting from a simple login on a website or in a mobile application and finishing with authentication in the SecSign ID mobile app.
Users log in through a website or app, as usual, but the user only enters a non-confidential user ID and does not enter a password. The user ID is non-confidential because there is no need to secure it. The ID cannot be used on its own to access the account or obtain any confidential information.
Once the user ID is entered, the web or app server communicates with an authentication server, which issues a challenge that must be digitally signed by the private key on the user’s mobile device. The free SecSign ID mobile app is used to digitally sign the challenge with the private key.
Four options are available to verify user identity.
To confirm possession of the encrypted private key on the user’s mobile device and allow it to digitally sign the authentication request, the user must verify identity through knowledge and/or biometrics. SecSign ID offers four ways to do this.
Tapping an access symbol provides final confirmation of identity.
Once ownership of the private key is confirmed, the app shows a set of four symbols. The user taps the symbol that matches the one shown on the login screen of the secured website or application, and this provides the final identity verification. The SecSign ID app notifies the authentication server of the result, and access to the user account is granted.
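Both the QR code method and the SecSign ID flow above come down to the same challenge-response idea: the server sends a random challenge, the phone signs it with a private key that never leaves the device, and the server checks the signature against the public key enrolled for that user ID, so no reusable credential is ever typed, sent or stored. The Go program below is an added illustration of that exchange and is not SecSign’s code; the AuthServer type and its method names, the Ed25519 signature scheme, the 32-byte challenge and the user ID "alice" are all assumptions, and the final symbol-tap step is not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// AuthServer is a hypothetical stand-in for the authentication server (not SecSign's
// code): the enrolled device public keys and at most one pending challenge per user.
type AuthServer struct {
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte
}

// Enroll registers the phone's public key; the private key never leaves the phone.
func (s *AuthServer) Enroll(userID string, pk ed25519.PublicKey) { s.pubKeys[userID] = pk }
// IssueChallenge is the server's reaction to a login carrying only the
// non-confidential user ID: a fresh random nonce that the enrolled device must sign.
func (s *AuthServer) IssueChallenge(userID string) ([]byte, bool) {
	if _, ok := s.pubKeys[userID]; !ok { return nil, false }
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil { return nil, false }
	s.challenges[userID] = c
	return c, true
}

// Verify checks the signature over the pending challenge and then discards that
// challenge, so a signature captured in transit cannot be replayed later.
func (s *AuthServer) Verify(userID string, sig []byte) bool {
	c, ok := s.challenges[userID]
	if !ok { return false }
	delete(s.challenges, userID) // single use, whether or not the signature checks out
	return ed25519.Verify(s.pubKeys[userID], c, sig)
}

// SignChallenge is the device side: the app signs with the key held on the phone
// once the user has unlocked it locally (PIN, biometrics, and so on).
func SignChallenge(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // generated once, on the device
	srv := &AuthServer{map[string]ed25519.PublicKey{}, map[string][]byte{}}
	srv.Enroll("alice", pub)
	c, _ := srv.IssueChallenge("alice")
	sig := SignChallenge(priv, c) // on the phone, after the user unlocks the key
	fmt.Println(srv.Verify("alice", sig), srv.Verify("alice", sig)) // true false
}
```

The second Verify call fails because the challenge is consumed on first use, which is what stops a relayed or captured response from being replayed.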
SecSign ID uses the simplicity of mobile technology to make it physically impossible for attackers to steal user credentials.
In just seconds, a user can complete authentication, and all of this happens without using a password and without entering, transmitting, or storing any sensitive credentials. Nothing confidential is entered during login, transmitted between servers and devices, or stored on a server.
This means that there is physically nothing for criminals to steal and use to gain unauthorized access to accounts or data. No amount of brute force, phishing, malware, man-in-the-middle attacks, or SIM card attacks will provide them with a credential that can be used to access a user’s account and cause further damage.
To learn more about SecSign ID, to download the free mobile app, try a sample login, and access plugins for developers, visit https://www.secsign.com/business/two-factor-authentication/.