Weak passwords are so easily cracked by hackers and quantum computers that people introduced an extra layer of security, called Two-Factor Authentication. How it works is that it sends a message to your phone number and you enter the code that you received, or you use an authenticator app such as "Google Authenticator" that constantly generates codes that you use to authenticate yourself. However, because many organizations generally want their users to use 2FA so their private information doesn't get stolen, how safe is 2FA, and can it ever be broken?
- There are scam schemes that consistently trick users into revealing their 2FA token to the criminal. Can this kind of non-technical social engineering be considered a break in your opinion? – DannyNiu Oct 18 '19 at 03:09
- [strongly related](https://security.stackexchange.com/questions/71316/how-secure-are-the-fido-u2f-tokens) – Sefa Oct 18 '19 at 06:43
- Your question is too general. Of course it can be broken, because many systems involved in the 2FA can be compromised. Even the FBI and NSA state that 2FA does not guarantee your security, but it helps with it, and they still keep it as a recommended option. – Overmind Oct 18 '19 at 07:31
- Given ideal conditions everything can be broken. But theoretical conditions do not exist in practice. That's why, when asking if it can be broken or not, we talk about how hard it is to break under a given condition. – defalt Oct 18 '19 at 08:48
- This question would really benefit from being split into several questions... How can email-based 2FA be broken? How can SMS-based 2FA be broken? How can OTP-based 2FA be broken? How can TOTP-based 2FA be broken? How can biometrics-based 2FA _not_ be broken? – Ghedipunk Oct 18 '19 at 15:30
- An easy way to break CAC card 2FA is the obligatory [xkcd](https://xkcd.com/538/) – doneal24 Oct 18 '19 at 15:59
- 2FA is an approach, not a technology. Are you asking if the approach can be circumvented regardless of implementation? If that's what you are asking, then this is too broad. If you are asking how different types of 2FA can be circumvented, then you need to be explicit. Also, have you looked this up? There are results as of this month where 2FA is being circumvented in some cases. – schroeder Oct 19 '19 at 19:47
3 Answers
> Is 2FA secure,

It is more secure than single-factor authentication.

> and can it ever be broken?

Yes, it can, with different methods being easier or harder to break. SMS-based 2FA is easy, in practical terms, to break. Hardware-based tokens are very difficult. Software-based tokens are somewhere in the middle.
There are ways that 2FA can be broken. For example, if an attacker is able to lure a victim to a phishing web site, and the victim enters their password and the 2FA authentication code at the phishing site, then the phishing site can quickly (before the 2FA code expires) use these credentials to log in as the victim at the real site.
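The relay described in the answer above works because a one-time code carries no information about where the user typed it. The following is an added example, not code from the answer's author: a constructed Python model (not real WebAuthn) contrasting a bare SMS-style code, which the real site accepts however it arrives, with an assertion that covers the origin the browser actually visited, which the real site rejects when it was produced on a look-alike page. The origins `https://bank.example` and `https://bank-example.net`, the user `alice`, and the shared HMAC key standing in for an authenticator's key pair are all assumptions made for the example.

```python
"""Constructed model (not real WebAuthn code) of relay phishing against a
bare one-time code versus an origin-bound assertion. All names, origins and
keys are made up for this example."""
import hashlib
import hmac
import json
import secrets

REAL_ORIGIN = "https://bank.example"       # constructed: the genuine site
PHISH_ORIGIN = "https://bank-example.net"  # constructed: look-alike phishing site


class OtpServer:
    """Server that sends a bare 6-digit code (SMS-style). Nothing in the code
    says which site the user is looking at when they type it in."""

    def __init__(self):
        self.pending = {}

    def send_code(self, user):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = code
        return code  # in real life delivered out of band, e.g. by SMS

    def verify(self, user, code):
        expected = self.pending.pop(user, None)  # single use
        return expected is not None and hmac.compare_digest(expected, code)


def sign_client_data(device_key, client_data):
    """Authenticator-side MAC over the challenge AND the origin the browser saw."""
    msg = json.dumps(client_data, sort_keys=True).encode()
    return hmac.new(device_key, msg, hashlib.sha256).digest()


class OriginBoundServer:
    """Server that issues a random challenge and accepts only a MAC over
    (challenge, origin) where the origin is its own. Sharing the device key
    with the server keeps the model short; a real authenticator signs with a
    private key and the server verifies with the matching public key."""

    def __init__(self, device_key):
        self.device_key = device_key
        self.pending = {}

    def challenge(self, user):
        c = secrets.token_hex(16)
        self.pending[user] = c
        return c

    def verify(self, user, client_data, mac):
        c = self.pending.pop(user, None)
        if c is None or client_data.get("challenge") != c:
            return False
        if client_data.get("origin") != REAL_ORIGIN:
            return False  # produced for another site: relayed from a phishing page
        expected = sign_client_data(self.device_key, client_data)
        return hmac.compare_digest(expected, mac)


def authenticator_respond(device_key, challenge, origin_seen_by_browser):
    """The browser, not the page, fills in the origin, so a phishing page
    cannot claim to be REAL_ORIGIN."""
    client_data = {"challenge": challenge, "origin": origin_seen_by_browser}
    return client_data, sign_client_data(device_key, client_data)


def otp_relay_succeeds():
    """Victim types the SMS code into the phishing page; the phisher forwards it."""
    server = OtpServer()
    code = server.send_code("alice")
    return server.verify("alice", code)  # True: the real site cannot tell who typed it


def origin_bound_relay_fails():
    """Phisher forwards the real challenge and the victim's authenticator signs it,
    but the browser records PHISH_ORIGIN, so the real site rejects the assertion."""
    key = secrets.token_bytes(32)
    server = OriginBoundServer(key)
    c = server.challenge("alice")
    client_data, mac = authenticator_respond(key, c, PHISH_ORIGIN)
    return server.verify("alice", client_data, mac)  # False


def origin_bound_direct_login_succeeds():
    """Same flow performed on the genuine site."""
    key = secrets.token_bytes(32)
    server = OriginBoundServer(key)
    c = server.challenge("alice")
    client_data, mac = authenticator_respond(key, c, REAL_ORIGIN)
    return server.verify("alice", client_data, mac)  # True


if __name__ == "__main__":
    print("bare OTP relayed via phishing page accepted:", otp_relay_succeeds())
    print("origin-bound assertion relayed via phishing page:", origin_bound_relay_fails())
    print("origin-bound assertion on the real site:", origin_bound_direct_login_succeeds())
```

The point the model makes is that the defence is not in the secrecy of the code but in what the second factor commits to: a code or TOTP value is valid at the real site no matter who submits it, whereas an origin-bound assertion is useless to a relay because the browser, not the attacker's page, decides which origin gets signed.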
Multi-Factor Authentication (MFA) is generally better than single factor. No system is foolproof. In some systems the MFA can be bypassed entirely, for instance with insecure account recovery procedures, an XSS or other attack; many things are required beyond authentication for the system to be secure.
MFA can also be poorly implemented: allowing multiple retries, giving feedback on password correctness independently of the changing token (directly or via timing), and many other things harm its security.
I once saw a telco company implement MFA for their VPN in a totally insecure fashion: all users had the same fixed password (from the top 100 most common list). And in order to get the changing part you didn't get a physical device, nor SMS, nor use an authentication app; the user called a call center and requested a token. They didn't even attempt to authenticate the caller and read out a brand new short-lived token; they would also nicely remind you what your fixed password was. Instead of 2 factors, they had 0-factor authentication.
Intercepting SMS messages is not very difficult. Imitating a one-time token without access to the cryptographically secure generator is prohibitively hard. If the generator is software based, extracting the key from the device may be easy or hard depending on the device (for instance, full disk encryption is always a good idea). From a hardware device, extracting the key is likely to be very difficult.
In some cases we can convince the legitimate user to just give us the credentials. Users are likely to give us the one-time code, even if they are trying to log in to a totally different fake site; many don't look at who the SMS is from or what it says exactly. The user was expecting an SMS with a code, he got a code and types it in.
If we have an app installed on the victim's phone, intercepting SMS is even easier: just ask for permission to read SMS messages and authenticate as the user at will.
A phone is often used as a recovery device, so if we get hold of the phone or the ability to intercept SMS messages we can often take over an account even without the password.
So, yes, please use MFA. Prefer Google Authenticator or a similar time-based token generator over SMS. Don't assume MFA magically means your authentication or system is secure.
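The answer above lists implementation mistakes that weaken MFA even when the token itself is sound: unlimited retries, and leaking whether the password was right independently of the token. The following is an added example, not the answer author's code: a small Python TOTP (RFC 6238, HMAC-SHA1, 30-second step) verifier that evaluates both factors every time, returns a single yes/no, locks the account after a fixed number of consecutive failures, and refuses a code for a time step it has already accepted, so a code captured once cannot be reused inside the drift window. The user records, the lockout threshold, the PBKDF2 parameters and the 20-byte test secret are assumptions made for the example; the HOTP/TOTP arithmetic follows the RFCs.

```python
"""Added example: a TOTP (RFC 6238) login check that avoids the weaknesses
the answer lists. User records, thresholds and secrets are constructed."""
import hashlib
import hmac
import os
import struct

STEP = 30          # seconds per TOTP time step
DIGITS = 6
WINDOW = 1         # accept one step of clock drift on either side
MAX_FAILURES = 5   # constructed lockout threshold for consecutive failures


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def totp(secret: bytes, now: float, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(now // STEP), digits)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class Record:
    def __init__(self, salt, pw_hash, secret):
        self.salt, self.pw_hash, self.secret = salt, pw_hash, secret
        self.last_counter = -1   # highest time step already accepted (replay guard)
        self.failures = 0


class MfaVerifier:
    def __init__(self):
        self.users = {}
        # Dummy record so unknown users cost the same work as known ones.
        self._dummy = Record(os.urandom(16), b"\x00" * 32, b"\x00" * 20)

    def register(self, user: str, password: str, secret: bytes) -> None:
        salt = os.urandom(16)
        self.users[user] = Record(salt, _hash_password(password, salt), secret)

    def login(self, user: str, password: str, code: str, now: float) -> bool:
        rec = self.users.get(user, self._dummy)
        if rec.failures >= MAX_FAILURES:
            return False  # locked: no more guesses at the token or password
        # Both factors are always evaluated, so neither the response time nor
        # the single boolean result reveals which factor was wrong.
        pw_ok = hmac.compare_digest(_hash_password(password, rec.salt), rec.pw_hash)
        counter = int(now // STEP)
        matched = None
        for c in range(counter - WINDOW, counter + WINDOW + 1):
            if hmac.compare_digest(hotp(rec.secret, c).encode(), code.encode()):
                matched = c
        # A code for a step at or below the last accepted one is a replay,
        # even when that step is still inside the drift window.
        fresh = matched is not None and matched > rec.last_counter
        ok = pw_ok and fresh and rec is not self._dummy
        if ok:
            rec.last_counter = matched
            rec.failures = 0
        elif rec is not self._dummy:
            rec.failures += 1
        return ok


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test-vector secret (ASCII digits)
    v = MfaVerifier()
    v.register("alice", "correct horse", secret)
    t = 1_700_000_000                   # constructed timestamp
    print("first login:", v.login("alice", "correct horse", totp(secret, t), t))
    print("same code again:", v.login("alice", "correct horse", totp(secret, t), t + 10))
```

Three design choices carry the security here: the password check and the token check are both computed before any decision is made, so a wrong password does not short-circuit and cannot be distinguished from a wrong token by timing; `hmac.compare_digest` is used for both comparisons; and `last_counter` turns the drift window into a one-shot window per code, which also means a legitimate user whose code was relayed by a phisher will see their own login fail, a signal worth alerting on.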