For years, sysadmins have fought a losing battle to get users to secure their accounts properly. Preventing password re-use and poor password choices is almost impossible, but adding extra authentication layers can help, as long as those authentication options are robust. Unfortunately, as the recent news about Google Authenticator shows, poorly designed 2FA can give a false sense of security.
Shared Secrets Aren't Secrets
Google Authenticator is one of the better-known TOTP authenticators. Since it is published by Google, free to install, and relatively easy to use, it is often the go-to option when a user is pushed to activate 2FA on one of their accounts.
Google Authenticator is a TOTP authenticator, so it relies on shared secrets to generate the code users enter when they need to log in to an account. Google recently came under fire for including Authenticator secrets in their account syncing feature, and not using E2E encryption for those secrets.
The secrets are encrypted in transit and at rest, but should the server that holds a user's backups be compromised, the attacker would have the shared secrets themselves and could generate valid 2FA codes whenever they wanted. The same applies to the authenticating server: unlike a password, which can be stored as a salted hash that the server can check but not reverse, a TOTP secret has to be kept in a recoverable form (clear text, or encrypted with a key the server holds), because the server needs the actual secret to recompute the same code the phone produces.
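The asymmetry above is the whole point of the section, so here is an added example (not code from Google, Auth Armor, or the original post) that makes it concrete. It implements RFC 4226 HOTP and RFC 6238 TOTP in the HMAC-SHA1, 6-digit, 30-second variant Google Authenticator uses, a minimal verifier that stores the raw secret because it must, and a contrasting scrypt-based password verifier that stores only a salted hash. The secret is the RFC 6238 test secret, the timestamps are fixed, and the account name is made up; none of it refers to a real account.

```python
"""Added example: a TOTP secret is a credential in itself; a password hash is not.
Stdlib only.  The secret below is the RFC 6238 test secret, a constructed value."""
import base64
import hashlib
import hmac
import os
import struct
import time
from typing import Dict, Optional, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1, the variant Google Authenticator uses."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the current (or given) 30-second time step."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // step)


def decode_otpauth_secret(b32: str) -> bytes:
    """Enrollment QR codes and backups carry the secret as unpadded base32."""
    b32 = b32.replace(" ", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


class TotpVerifier:
    """The authenticating server must keep the raw secret: it has to recompute
    the same HMAC the phone computes, so hashing it is not an option."""

    def __init__(self) -> None:
        self.secrets: Dict[str, bytes] = {}   # recoverable by necessity

    def enroll(self, user: str, b32: str) -> None:
        self.secrets[user] = decode_otpauth_secret(b32)

    def verify(self, user: str, code: str, at: Optional[int] = None, step: int = 30) -> bool:
        secret = self.secrets.get(user)
        if secret is None:
            return False
        now = int(time.time()) if at is None else at
        # Tolerate one step of clock skew either side; compare in constant time.
        return any(hmac.compare_digest(hotp(secret, now // step + skew), code)
                   for skew in (-1, 0, 1))


class PasswordVerifier:
    """Contrast: a salted scrypt digest lets the server check a password
    without being able to reproduce it."""

    def __init__(self) -> None:
        self.records: Dict[str, Tuple[bytes, bytes]] = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)

    def enroll(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.records[user] = (salt, self._hash(password, salt))

    def verify(self, user: str, password: str) -> bool:
        rec = self.records.get(user)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(self._hash(password, salt), digest)


# RFC 6238 test secret ("12345678901234567890") as it would sit in an
# otpauth:// URI or a synced backup.  Constructed value, not a real account.
BACKUP_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def attacker_with_backup_logs_in(at: int = 59) -> bool:
    """Whoever read the synced secret can mint a code the server accepts.
    A fixed timestamp keeps the result reproducible."""
    server = TotpVerifier()
    server.enroll("alice", BACKUP_SECRET_B32)
    stolen = decode_otpauth_secret(BACKUP_SECRET_B32)   # what the sync server held
    return server.verify("alice", totp(stolen, at=at), at=at)


def attacker_with_hash_logs_in() -> bool:
    """Whoever read the password table holds a digest, which is not the password."""
    server = PasswordVerifier()
    server.enroll("alice", "correct horse battery staple")
    _, stolen_digest = server.records["alice"]
    return server.verify("alice", stolen_digest.hex())


if __name__ == "__main__":
    print("code at T=59        :", totp(decode_otpauth_secret(BACKUP_SECRET_B32), at=59))
    print("backup thief logs in:", attacker_with_backup_logs_in())
    print("hash thief logs in  :", attacker_with_hash_logs_in())
```

Run it and the first line prints 287082, the RFC 6238 vector for T=59; the backup thief is accepted and the hash thief is refused. The verifier's skew window of one step either side is the usual trade-off between clock drift and replay exposure; whatever window you choose, the stored secret is what an attacker is after, which is why backups of it deserve end-to-end encryption.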
Google has confirmed that they'll be adding E2E encryption to their Authenticator app soon, and to be fair to them, this weakness isn't unique to their app. When users set up a TOTP authenticator they're encouraged to back up their secrets and if they do so on a cloud drive or in a document on their computer, they're leaving themselves at risk of having their 2FA compromised.
TOTP is still a step up from SMS-based 2FA, which is vulnerable to SIM swap attacks, though a TOTP code can be relayed in real time by a phishing proxy, which is where the WebAuthn-based options described below have the edge. It can also be considered more robust than some notification-based 2FA, which often uses TOTP under the hood anyway but can be defeated by MFA fatigue attacks: the user is spammed with approval prompts until they approve one, either by mistake or because someone claiming to be "from IT" persuades them to. There are mitigations, however, such as visual verify, a feature from Auth Armor that prevents these attacks.
Give Your Users an Alternative
App developers and sysadmins face a difficult decision. If your security is too complex or time-consuming, your users will look for ways around it. Frequent password change requirements lead to users choosing C0mpl3xp4ssw#rd1, followed by C0mpl3xp4ssw#rd2 and so on. Require dongle-based authenticators and people will leave them plugged into the PC permanently, so anyone walking by can use them.
Good security should be as frictionless as possible, and that's where Auth Armor comes in. Our biometric logins and magic link emails make use of two things users nearly always have to hand: their email accounts and their smartphones.
Instead of requiring people to remember passwords (which can be guessed or stolen), we offer passwordless login solutions. By removing passwords and using WebAuthn instead, we reduce the attack surface open to malicious actors while still protecting your users' accounts.
Our technology can be slotted in on top of your existing authentication systems, allowing you to onboard new users with a more secure and simple authentication flow while encouraging existing users to switch over.
If you'd like to learn more about how Auth Armor can help you secure your systems, contact us today to request a demo.