Two-factor authentication means entering the MOBILE app (using username and password), and there you get a code to enter your account from a PC browser, right?
But if a hacker has my password, then he can enter the mobile app without the 2-step login?
2FA means having two factors for authentication, preferably one of them a physical factor ("know" and "have"). The idea is that this way it is not enough to get the password through hacking, data leakage, phishing etc., but that the attacker must additionally have access to the physical device.
There are lots of physical devices usable for 2FA, like security tokens, smart cards (for example the "chip" in "chip and PIN") or mobile phones. While security tokens or smart cards usually need to be bought explicitly for this purpose, mobile phones often already exist and can be used as a second factor simply by adding an app to them.
Properly done, the attacker cannot simply use their own mobile with your username and password but needs to have access to your pre-authorized phone, i.e. they need not only access to your password ("know") but also to your phone ("have").
Unfortunately this "have" can also be remote access if the mobile phone has been hacked. More limited 2FA devices like smart cards or security tokens are safer in this regard but more costly too. Thus mobile phones have become established as a good-enough 2FA method when better security than just a password is needed but dedicated and more secure 2FA devices are too costly.
2-factor authentication means to enter MOBILE app (using username and password) and then from that app you get codes to enter your account from a browser on a PC.
No, no it doesn't.
There are several kinds of 2FA. One is by getting a text message. You don't enter your site.com credentials on your phone to get a text message; you tell site.com your phone number when you register.
Another is TOTP. You set up Google Authenticator, or similar, with site.com and they now have a shared secret. You don't enter your site.com credentials to use Google Authenticator.
There's also U2F, which doesn't even involve your phone.
The major threat that mobile-based 2FA is designed to protect against is not a loss of your phone. It is against a network attack. It is very hard to imagine how an attacker at some random location on the planet can spoof your login to a website if you use mobile-based 2FA and they don't have your phone. They would need to physically get the phone. This is where the second factor, something you have, comes into play.
Mobile-based 2FA does a poor job at adding security to authentication when your mobile is in the hands of an attacker.
The advantage of mobile-based 2FA is that, compared to token-based 2FA such as RSA SecurID, it is cheaper and more convenient.
For many use cases, preventing remote attacks is a big win, making mobile-based 2FA a good strategy. The Wikipedia article on 2FA discusses pros and cons in further detail.
It's conceivable that there exists a mobile app that one could log into with name/pass, and that the app will take the name/pass plus some unique identifier from the device to generate a code which can be entered into a website for authentication.
I think the OP wants to know why the generated code would be necessary if the attacker already has the name/pass. He may reason that if the attacker has the correct name/pass and enters it into the mystery app, he would get the code to enter on the website. The part that the attacker is missing, though, is the unique identifier on the original device, so his code would not be valid.
Another example would be when I log into Google. I have Google set up to text a code when I log in. I get that code on my phone. If I log into Google from my phone, the "2nd" factor gets sent to the very same phone. This is still 2FA because one has to know the name/pass and have access to the phone.
If an attacker has access to both the "know" and the "have" then it's game over anyway. Just like if a thief had your house keys and your alarm code.