Egor Homakov recently published a post entitled Why You Don’t Need 2 Factor Authentication on the Sakurity company blog. The post brazenly stated that using two-factor authentication was equivalent to using a password manager. Because two-factor authentication is a technology that offers one of the best returns on investment with respect to security posture, it is important that views on two-factor authentication aren’t swayed by misinformed write-ups (especially when written and advertised by entities that are otherwise credible). Allow me to first address some of the misinformation provided by Egor, and second to offer some additional context as to why 2FA is one of the best things to hit infosec since the movie Sneakers.
Addressing the Inaccuracies
There are too many inaccuracies in the aforementioned post to address them all, so let me address the ones that are most important.
There are no “knowledge” and “inherence” factors, there’s only the possession factor. You possess a password by having it in your neurons (or whatever is used for memory), you also possess your fingerprints (fingers happen to have been attached to your body since you were born).
Reading this bit reminded me of a scene from one of my favorite shows growing up – linked here for your enjoyment.
I’m not going to go the philosophic route and debate what level of abstraction we can take the term “possession” to. Instead, I’m going to rely on the work of someone far smarter than I – Lawrence O’Gorman, fellow of Bell Labs and the IEEE. Lawrence put together a pretty epic paper exhaustively comparing the pros and cons of different methods of authentication. In it, he demonstrates why the categories of what you know, what you have, and what you are deserve distinction. For instance, take a look at the table below:
As shown above, the attacks and defenses on the different forms of authentication vary greatly. These attacks and defenses, however, tend to follow similar trends when grouped by what you know, what you have, and what you are. For example, consider what happens when one of your credentials is compromised. If your password is compromised, you change it. If your token is compromised (i.e., stolen), you disable it and are issued a new one. If your fingerprint is compromised, you cut off the compromised finger.
The fact of the matter is that this subject of differentiation between different authentication factors has been well-researched by incredibly brilliant people, and the distinction holds significant value when discussing matters of authentication.
If the attackers managed to infect your computer with malware, they can wait a couple of days until you type a valid OTP code. “Be hacked right away” vs “be hacked next week” is not a major advantage.
Time is a critical aspect to consider when attempting to secure something. There is no such thing as perfect security, and defensive controls exist only to increase the difficulty or the amount of time required to compromise an asset. Successful defense isn’t a matter of complete resilience to attacks. Rather, successful defense hinges on the defender’s ability to slow down the attacker, to detect the attacker’s activities, and to proactively defend against the attacker after detection (i.e., incident response; this one’s for you, Z3n). The longer an attacker is in your systems mucking around, the more forensic evidence you can gather and the better chance the defenders have of detection.
Out-of-band 2FA is another story though and I didn’t see it implemented properly anywhere.
This comment really threw me for a loop. Upon reading it, I had sufficient motivation to get my butt off the couch and write this post.
For exhibit A, I offer you the Google search results after searching for the phrase “two factor authentication providers”:
The fifth item in the search results (second if you don’t include the ads) is a link to Duo Security. For the uninitiated, Duo Security is a 2FA implementation that can only be described as thebomb.com (to be read as “the bomb dot com”). I’ve used many of the various 2FA offerings from soft tokens to hard tokens to SMS messages, and Duo is easily the least painful. Even better, it’s free to use for the first couple of users and offers an API for integration with any Internet-connected application. Lastly, it provides the out-of-band 2FA that Egor claims to never have seen properly implemented.
A 2FA app is essentially a password manager. A 2FA seed/code is essentially a password. The “time-based” thing does not add any security, and the 6-digit thing makes security even worse. 2FA is an obscure, inconvenient, hard-to-back-up, brute-force-able password manager.
At this point the post devolves into more of a rant than anything. Unfortunately, I’m giving this statement more airtime by quoting it here, but there is genuinely no part of it that is true. I’ll leave it to the next section to provide detail as to why this blurb is so wrong.
What You Actually Should Know
When talking defensive controls, defenders have to balance security with usability. Poor controls will commonly offer either significant security at significant cost to usability, or little security at a disproportionately large cost to usability. The sweet spot for defensive controls exists in mechanisms which provide large gains in security at a tolerable cost to usability.
Two-factor authentication, when done correctly, hits this sweet spot. It offers a substantial increase in security posture and incurs a mild annoyance to its users. I can tell you from experience that when my penetration testing colleagues and I see something secured by 2FA, we move along to the next target.
Passwords are the worst, and they aren’t going anywhere for the foreseeable future. They’re ubiquitously used and commonly present one of the weakest links in an organization’s security posture. 2FA can help mitigate this risk to varying degrees depending on how and where it is implemented in an organization’s infrastructure. Consider the following use cases:
- Require 2FA to log in via RDP to sensitive Windows boxes – Sure there are plenty of ways to pop a Windows box without touching RDP, but the way Windows-based networks fall is by the abuse of domain credentials across sensitive hosts. Unless the Windows box has vulnerable services exposed, an attacker will have to jump through various hoops to get on the box even if they have valid credentials!
- Require 2FA to SSH into production servers – Yes, you read that right, you can absolutely put 2FA on SSH servers. If you use private keys for authentication, then 2FA can even protect you against private key theft (that’s a big deal). The most secure organization I have ever seen required a password, private key, and 2FA token for SSH’ing to any protected network segments. That network lives on as the one that was not popped :’(
- Require 2FA to connect to the company VPN – If your organization does not currently require 2FA to connect to its VPN, then all it takes to join your internal network is a compromised password. It amazes me how often I can compromise a target network with only a valid username and password – no shell popping required!
- Require 2FA to log in to sensitive business applications – HR administration software, user administration, accounting software, network management platforms, and file sharing solutions are present on nearly every internal network I have ever seen. If all it takes to view all employees’ social security numbers is compromising Billy in HR’s password, then consider those social security numbers gone!
Most importantly, 2FA is a tool to ameliorate the security pandemic that is the password. Password re-use, weak password complexity, and insecure credential storage are the harbingers of doom for corporate networks. If you’ve never had the pleasure of using Mimikatz then give it a whirl and enjoy the sinking feeling in your stomach as you realize how your passwords are rarely adequately secured. Even if you use a password manager with long, unique passwords for everything that you log into, you stand to benefit by requiring 2FA as well. As the cute little girl in the El Paso commercial says so eloquently:
The morals of the yarn that I’m spinning here are (1) you stand to benefit at both an individual and organizational level by using 2FA and (2) 2FA and password managers are like peanut butter and jelly – great when used alone but so much better when used together.