In the preceding blog post, we explored how AiTM phishing attacks have elevated the level of sophistication in phishing. In this blog post, we will delve into the impact of this novel phishing approach on most two-factor authentication (2FA) mechanisms and highlight the vulnerabilities of certain authentication mechanisms.
Introduction to 2FA
Two-factor authentication was created in response to the surge of cyberattacks that occurred at the beginning of the 2000s. Consider this scenario: once an individual's login credentials have been obtained through techniques like phishing, brute-force attacks, or data breaches, it becomes nearly impossible for the victim to prevent unauthorized access to their resources.
The introduction of the second factor of authentication is an additional level of access protection. Usually, the "second factor" is a dynamic numerical code sent via SMS, generated by hardware or a smartphone. Recently, with the introduction of increasingly intelligent smartphones and devices, the second factor can also be a biometric distinctive feature, such as a fingerprint, facial recognition, voice, etc.
It's not hard to gauge the first active users of this additional security system. Obviously, governments, credit institutions, and banks. And almost certainly, over the years, you have had, or still have, a device like this:
Although there are very advanced 2FA mechanisms, such as biometric ones, today, the majority of services still offer OTP-based 2FA as an option.
The bank's hardware token can be a practical example, but even the famous Google Authenticator falls into this category.
In AiTM attacks, the attacker is able to intercept communications between a victim and the targeted website. Naturally, among all the information exchanged between the two, authentication messages and 2FA codes are also included.
In the following example, you can see how an AiTM attack successfully works, eventhough the victim is protected by 2FA with OTP codes.
Another example is when authentication requires approval via a mobile application, with a push notification system.
At this point, it is clear that if two-factor authentication uses methods that are not resistant to this type of attack, it becomes useless. Which mechanisms are insecure and which are not?
In general, we could say that all 2FA mechanisms are insecure except those based-on FIDO standards.
FIDO (Fast IDentity Online) is a set of protocols created with the aim of supporting any authentication system, such as One-Time Passwords (OTP), USB security tokens, Bluetooth, but also Biometrics, Near-Field Communication (NFC), Trusted Platform Modules (TPM), etc. for both desktop and mobile devices.
The FIDO protocols utilise standard public key cryptography techniques to provide more robust authentication.
The FIDO Alliance has published three sets of specifications for simpler, stronger user authentication: FIDO Universal Second Factor (FIDO U2F), FIDO Universal Authentication Framework (FIDO UAF) and the Client to Authenticator Protocols (CTAP). CTAP is complementary to the W3C’s Web Authentication (WebAuthn) specification; together, they are known as FIDO2. fidoalliance.org
FIDO has provided a massive boost in the field of computer security, proposing important specifications capable of combating cyber-attacks such as phishing, while at the same time offering a more streamlined user authentication.
With FIDO2, passwords will disappear. The future will be Passwordless!
During phishing attacks, we often encounter companies that have implemented top-notch security standards for authentication and access control. However, too often we find cases where a strong 2FA mechanism is combined with a weak mechanism as a fallback solution.
When a strong 2FA mechanism is in place, the attack dies during the second factor authentication phase.
Even if the victim attempts to authenticate using their secure mechanism, e.g. YubiKey or similar device, the authentication is denied. This is because the phishing domain is different from the original one for which the device was registered, causing the authentication flow to fail.
However, what happens on the victim's side is quite interesting. Imagine that the victim has entered their credentials and has not yet realized that they are on a phishing site. When they touch their key and authentication fails, they try again, not just once, but multiple times, failing to realise that they are on a fake site. They may even attribute the authentication failure to their sweat interfering with the YubiKey sensor.
At this point, the victim sees the message at the bottom of the screen that says, "Do you want to try an alternative method?" or something similar. The victim thinks, "Why not?" and decides to use the backup option, which is always welcome in emergency situations.
Unfortunately, at that moment, the victim has just undermined all the good that was done up to that point. By falling back to a less secure mechanism, such as SMS or even TOTP (Google Auth, for example), they have weakened the protection system, nullifying all the good that was done up to that point.
In an ideal scenario where all authentication systems solely rely on FIDO-based solutions, AiTM attacks would significantly lose their significance.
Although attackers can intercept the credentials, they wouldn't be able to proceed with the authentication process due to its failure. However, this additional security measure comes at a cost of always having the USB key for authentication in hand, which for companies could mean managing additional devices and implementing supplementary mechanisms and procedures for account recovery in case of lost USB keys.
Nevertheless, with the adoption of FIDO2 and the introduction of Passwordless Authentication, USB keys will no longer be the only means to complete authentication. Alternative mechanisms such as Apple's Touch or FaceID and Microsoft's Windows Hello with various fingerprint and face detection technologies, will come into play.
The adoption of FIDO2 will make phishing attacks increasingly challenging and even theoretically impossible in some cases. However, its widespread implementation as a best practice will take time.
Until then, the adage "per aspera ad astra" applies to phishers.