Two Factor Authentication
5 min read - Text OnlyA second factor helps protect your account when your password has been leaked. Generally it proving something about you or something you have. For example, biometrics or possession of a unique token device. We call this Two Factor Authentication (2FA).
Entire brands on the market exist just to deliver two factor authentication solutions. If you get a text with "Your code is 123 456", you just got a one time password (OTP). These services don't come cheap at scale.
Charging for Time-based One Time Passwords (TOTPs)? I get that for free with google authenticator...
Welcome to enterprise business contracts where nothing is priced sensibly.
There are weaknesses with every method out there except Webauthn. SIM swapping is just the tip of the iceberg for OTPs over SMS. What if someone has your password and tries valid values every single minute of every day? You as the victim might get a lot of spam texts... or you might not if it is a TOTP.
We should not rely upon OTP or TOTP for second factors if the authentication provider does not respond to adversaries with increasing difficulty. Problem is, the most common "safe" second factor option (TOTPs) do not support dynamic difficulty changes. TOTPs specify how long the code should be, usually they come out to 6 digits long.
Any authentication or authorization flow that relies upon a human copying information between devices or processes is vulnerable to phishing. That includes:
- OTPs which are delivered out of band before the event or on demand during the event;
- HOTPs and TOTPs which are generated offline by another process or device;
- Device authorization codes which are normally presented by a device without a browser or keyboard;
- And other authorization code grants.
What about push notifications? An attacker could just spam these until the victim gives in.
Push notifications are generally delivered through an established device-bound channel (that is others cannot listen in like SMS) with a provider like Apple or Google. Like OTPs over SMS, these are noisy. Because it is device-bound, I think this is safer than SMS. However, if the attacker convinces the victim that this is normal behavior during a phish, push notifications do not solve the 2FA problem.
We should put our resources towards Webauthn, which is bound to 1) a device (the second factor provider) and 2) to an origin (where the authentication occurs). I also believe any services that support Webauthn must support multiple Webauthn devices.
Unfortunately some really important services only support one Webauthn device... Such as Amazon Web Services and PayPal.
Good news! Next year, you might not even need to buy a dedicated device (e.g. a Yubikey) for Webauthn!
Apple, Google and Microsoft are working on authentication technology that will replace passwords with smartphone 'passkeys' by 2023
I'd like to add 2FA to my service!
Please do! But also... Please please please force a password reset if the 2FA fails after 10 or so times! Be as noisy as possible when a 2FA fails. Email the victim that something is off, mention IP address and location of the authentication event. Oh and please support multiple Webauthn keys if you can do Webauthn at all.