NetworkWorld recently ran an article entitled "Does two-factor authentication need to be fixed?".
The article discusses two topics: malware that processes fraudulent transactions after session authentication has completed, and the "Team Prosecco" attack against PKCS#11-based smart cards. (I have commented on that paper already, so I will be focusing on the former here.)
Needless to say, the title is overly simplistic. Does two-factor authentication need fixing? Well, that depends on what you are trying to do now, doesn't it?
Nobody is trying to do two-factor authentication. They are trying to work remotely, secure their customers' data, or perform online banking. Even the most basic risk analysis shows that the title is misleading.
I find it fascinating that two-factor authentication gets blamed for a malware attack in a report from an anti-malware company. Here's a thought: stop the malware. Apparently they cannot, so they lay the blame elsewhere:
"According to the report, code customization that includes rootkits for client-side malware and encrypted links help hide the criminal attack process and avoid antivirus scans. 'And some of the web servers move dynamically so that blacklisting and reputation-centric technologies are not effective.' The report says the techniques used are basically 'a significant breakthrough for the fraudsters' because they represent the 'defeat of two-factor authentication that uses physical devices.'"
So, assuming that the anti-malware companies cannot keep malware off PCs, what can be done? Well, stronger authentication can actually be applied at certain points in the online banking process to reduce exposure. When people think of two-factor authentication, they typically mean session authentication: the user proves who they are once, at login. The malware simply waits for that to finish and hijacks the already-authenticated session.
What can be done? You can add two-factor authentication to the transaction itself. If done properly (i.e., with keys cryptographically distinct from those used for session authentication, and with the code bound to the details of that specific transaction), it shrinks the attack surface to the moment a user is actually performing a transaction, rather than the whole session.
Further, if you send a receipt to the user's mobile phone in a cryptographically secure manner, you can confirm the transaction details with the user out of band. Malware that silently rewrites the payee or the amount in the browser session then has to either show the user a receipt that does not match what they intended, or forge a code it has no key for.
Can attackers target both a user's PC and their smartphone? Yes. Does that make it pointless? No, because the goal is not perfection but to reduce the amount of fraud.
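The scheme just described, as an added example that is not WiKID's code or the code of any product mentioned above. It assumes a shared master secret from which a session-OTP key and a separate transaction key are derived, an 8-digit code (HMAC-SHA256, truncated) bound to a fresh server challenge plus the canonical transaction fields, and a phone-side token that displays the bank's view of the transaction and signs only what it displayed. The user, payee and account identifiers are constructed placeholders.

```python
"""Transaction-level 2FA keyed separately from session 2FA (added example, assumptions noted inline)."""
import hashlib
import hmac
import json
import secrets

CODE_DIGITS = 8  # assumption: 8-digit codes, as many banking tokens use


def canonical(txn: dict) -> bytes:
    """Deterministic encoding so bank and token MAC exactly the same bytes."""
    return json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()


def derive_key(master: bytes, purpose: bytes) -> bytes:
    """Domain separation: the session OTP key must never double as the transaction key."""
    return hmac.new(master, purpose, hashlib.sha256).digest()


def truncate(mac: bytes) -> str:
    return f"{int.from_bytes(mac[:4], 'big') % 10**CODE_DIGITS:0{CODE_DIGITS}d}"


def session_otp(session_key: bytes, counter: int) -> str:
    """Ordinary counter-based login OTP (HOTP-style, simplified)."""
    return truncate(hmac.new(session_key, counter.to_bytes(8, "big"), hashlib.sha256).digest())


def transaction_code(txn_key: bytes, challenge: bytes, txn: dict) -> str:
    """Code bound to a fresh challenge AND the exact transaction details."""
    return truncate(hmac.new(txn_key, challenge + canonical(txn), hashlib.sha256).digest())


class BankServer:
    def __init__(self):
        self.users, self.pending = {}, {}

    def enroll(self, user: str, master: bytes) -> None:
        self.users[user] = (derive_key(master, b"session"), derive_key(master, b"transaction"))

    def login(self, user: str, counter: int, otp: str) -> bool:
        session_key, _ = self.users[user]
        return hmac.compare_digest(session_otp(session_key, counter), otp)

    def request_transaction(self, user: str, txn: dict):
        """Record what will actually be executed; the same view is sent to the phone, not the browser."""
        challenge = secrets.token_bytes(16)
        self.pending[user] = (challenge, txn)
        return challenge, dict(txn)

    def confirm_transaction(self, user: str, code: str) -> bool:
        _, txn_key = self.users[user]
        challenge, txn = self.pending.pop(user)
        return hmac.compare_digest(transaction_code(txn_key, challenge, txn), code)


class PhoneToken:
    """Out-of-band device: shows the bank's view of the transaction and signs only what it showed."""
    def __init__(self, master: bytes):
        self.txn_key = derive_key(master, b"transaction")

    def approve(self, challenge: bytes, displayed: dict, intended: dict):
        if displayed != intended:  # the receipt on the phone does not match what the user meant
            return None
        return transaction_code(self.txn_key, challenge, displayed)


INTENDED = {"payee": "ACC-1234", "amount": "100.00", "currency": "USD"}  # constructed


def honest(txn):
    return txn


def swap_payee(txn):
    """What session-hijacking malware does to the transaction in flight."""
    return {**txn, "payee": "ACC-MULE", "amount": "5000.00"}


def run(tamper) -> str:
    """One banking session; `tamper` is applied to the transaction between browser and bank."""
    master = secrets.token_bytes(32)
    bank, phone = BankServer(), PhoneToken(master)
    bank.enroll("alice", master)
    if not bank.login("alice", 1, session_otp(derive_key(master, b"session"), 1)):
        return "login failed"
    challenge, shown = bank.request_transaction("alice", tamper(INTENDED))
    code = phone.approve(challenge, shown, INTENDED)
    if code is None:
        return "declined by user"
    return "executed" if bank.confirm_transaction("alice", code) else "rejected by bank"


def replay_stolen_code() -> str:
    """Malware captured the code for the honest transfer and reuses it on a transfer of its own."""
    master = secrets.token_bytes(32)
    bank, phone = BankServer(), PhoneToken(master)
    bank.enroll("alice", master)
    challenge, shown = bank.request_transaction("alice", INTENDED)
    stolen = phone.approve(challenge, shown, INTENDED)
    bank.confirm_transaction("alice", stolen)                 # the honest transfer goes through
    bank.request_transaction("alice", swap_payee(INTENDED))   # new challenge, different details
    return "executed" if bank.confirm_transaction("alice", stolen) else "rejected by bank"
```

`run(honest)` executes, `run(swap_payee)` ends with the user declining because the phone shows the mule account, and `replay_stolen_code()` is rejected because the code is bound to both the challenge and the original details. Session authentication alone would have let all three through.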
At WiKID, we have also tried to address network-based man-in-the-middle attacks on web apps by validating the SSL certificate for the user. Along with the one-time passcode, the token downloads a hash of the targeted site's SSL certificate.
The token client then fetches the certificate from the website, hashes it, and compares it to the retrieved hash. If the hashes match, the URL is presented as validated and the default browser is launched to that URL. If they do not match, the user is warned before any credentials are entered. We have really just applied some basic cryptography to minimize the attack surface.
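The certificate check described above, as an added example and not WiKID's own client code. It assumes the authentication server returns the URL, the OTP and a SHA-256 hash of the site's DER-encoded certificate in one response, and that the client compares the hash of the certificate it actually receives against that value before opening the browser. The two certificate byte strings and the OTP value are constructed placeholders; the live fetcher uses only the Python standard library and is not exercised offline.

```python
"""Validate a site's TLS certificate against a hash delivered with the OTP (added example)."""
import hashlib
import hmac
import ssl
from urllib.parse import urlparse


def cert_fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


# Constructed stand-ins for DER-encoded certificates; real ones come from the TLS handshake.
GENUINE_CERT_DER = b"\x30\x82\x01\x00" + b"genuine bank certificate (constructed)"
MITM_CERT_DER = b"\x30\x82\x01\x00" + b"attacker-issued certificate (constructed)"


def otp_response(url: str, cert_der: bytes) -> dict:
    """What the authentication server hands the token client: OTP plus the expected hash.
    The OTP value is a constructed placeholder; only the hash matters for the check."""
    return {"url": url, "otp": "48213977", "cert_sha256": cert_fingerprint(cert_der)}


def fetch_live_cert(url: str) -> bytes:
    """Real fetch for production use (not exercised offline): PEM from the handshake, then DER."""
    parsed = urlparse(url)
    pem = ssl.get_server_certificate((parsed.hostname, parsed.port or 443))
    return ssl.PEM_cert_to_DER_cert(pem)


def validate_url(response: dict, fetch_cert=fetch_live_cert) -> bool:
    """True only if the certificate the client actually sees matches the hash the server sent."""
    presented = fetch_cert(response["url"])
    return hmac.compare_digest(cert_fingerprint(presented), response["cert_sha256"])


def launch_if_valid(response: dict, fetch_cert, opener) -> str:
    """Open the browser only on a validated URL; otherwise warn instead of launching."""
    if validate_url(response, fetch_cert):
        opener(response["url"])  # in production: webbrowser.open
        return "validated"
    return "certificate mismatch: possible man-in-the-middle"


def simulate(attacker_in_path: bool) -> str:
    """Offline run: same URL, but an attacker in the path presents a different certificate."""
    response = otp_response("https://bank.example/login", GENUINE_CERT_DER)
    presented = MITM_CERT_DER if attacker_in_path else GENUINE_CERT_DER
    return launch_if_valid(response, lambda url: presented, lambda url: None)
```

Two caveats worth stating: hashing the leaf certificate pins one exact certificate, so the server-side hash has to be updated whenever the site renews or rotates it (pinning the public key or the issuing CA instead tolerates rotation); and the check runs on the same PC the malware may already control, so it addresses the network attacker, not the compromised endpoint discussed earlier.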
Does two-factor authentication need to be fixed? It needs to be better. In particular, I think we need to make two-factor authentication less of a hassle for both users and administrators. But it should not be the whipping boy for general security failures and a lack of proper risk management.