What is 2FA, MSA, OTP, TOTP, ECT...? - Why use them?

2

Mon Aug 23, 2021 5:37 pm
Clan Leader
Top Dog
2659 Posts
coRpSE
Online
Most Played:
This week: 23.3hrs.
Total Played: 253hrs.
  
Taking a break from work!
For the past year or so, I have been talking to a few guys from both in [HSX], and other clans that I am friends with, about the different two-factor authentication, (2FA), and should they use them, why should they use them, and can it be implemented. After having some discussions about it, and hearing peoples concerns about needing to download a separate app on their phone/tablet, and the consensus that they rather just use email verification 2FA instead, I figured I would write this post to explain what it is, and why email 2FA is possibly the one you don't want to really use especially on site/app that has personal data, purchased items, or sensitive data. So let's hop right into this and go over some different types you will find and a little about what they are.

Before I get into this, I know some areas I am going to make it like the system is bad, but think of this, any and all 2FA is better than none, so not using one is always going to be worse than using one.

Now, before we get into 2FA, I want to point out that if you are curious if your password that you use is out there, then you may want to check out this site:
Please login to see this link
Get registered or Log in

Just type in any password you have ever used, and it will check it against a database to see if that password is found in the database.


Email 2FA:

You guys are probably most familiar with this one. You go to a site, try logging in, then it says it "emailed you with a code", then you go to your email and either copy and paste/ type that code, or sometimes, it also provides you with a 1 time use link to click. This is good because it requires you to now go to your email, login, then get the code/click the link.  

Now, why in my first paragraph I said this it probably the one you don't want to use. The reason is, with this system, you really only need to compromise one factor. The problem with email as a 2FA delivery channel is that the most common first factor, a password, can usually be reset via an email. That means that an attacker only has to compromise one factor, your email, to take over your account. This can happen if they know your email account password or if they have access to a live session (e.g. if you leave your email logged into a shared computer).

This kind of threat leaves some people in already vulnerable situations, like those with distrusting roommates or partners with access to your device, at risk. They also attack using with brute force, guessed passwords, credential stuffing, (
Please login to see this link
Get registered or Log in
), and even types of malware like keyloggers. One most common that I know all of you have seen, and probably didn't realize it, is a phishing site, (I will go into more details on that at the end).

Overall, once they have access to your email, any system that you have set up using that email is now vulnerable.


OTP (Hard & Soft) 2FA:

One time passwords, (OTP), are a popular choice for organizations looking to step up their security with two-factor authentication (2FA). These randomly generated passwords are only valid for a single login session and overcome many of the vulnerabilities of traditional passwords.

OTP soft tokens are a single use password that is sent to you either by SMS or email, where OTP hard tokens are exactly what they sound like: hardware tokens, often in the form of a key fob that can be carried on a user’s keyring. The hard token generates a random number—which expires after one use and can only be used during a specific period of time—at fixed intervals. When a user needs to log in, they simply enter the number, along with their username and optionally, a PIN or password.

Behind the scenes, the server that is authenticating the user also has a copy of the hard token’s seed record, the algorithm used to generate the numbers, and the correct time. Once validated to match, the user is permitted to access the website, application, or operating system.

Now, the drawbacks of both these options.

OTP Soft Token:

  • Emails can be compromised, like I talked about in the first section.
  • Phones can be stolen. Of course, any physical device can be stolen—particularly if it’s something people carry around with them all day. And unfortunately, your fingerprint lock is probably less secure than you think, so it won’t necessarily keep the thief from breaking in.
  • Texts can be viewed without authorization. Many smartphone users enable text notifications to be visible, so any SMS codes they receive are able to be read without unlocking the phone. Therefore, an attacker could simply take your phone or even just look over your shoulder to steal your authentication code.
  • SMS codes can be intercepted.
  • SMS verification can be spoofed. A popular phishing technique enables hackers to gain access to people’s email accounts. The attacker only needs to know the victim’s email address and phone number. Then, he or she simply visits the email login page and requests a “reset password” 2FA code be sent to the victim’s phone. Next, the hacker sends the victim an SMS message that says something like, “Suspicious activity has been detected on your account. Respond with the code sent to your phone in order to prevent unauthorized access.” Now, the hacker has the code and can easily gain access to the email account.
  • Phone accounts can be hijacked. You would be surprised how serious of a problem this one is. Years ago, Linus from Linus Tech Tips had his phone hijacked. In an attack called a SIM swap, hackers who know some personal information about their victims, such as the last four digits of their social, call the phone company and have the victim’s phone number moved to an entirely new device. This has happened to all people on all devices, so don't think this can't happen to you because you use X device.


Don't take this list and show why not to use it, because in reality, every security measure will have some extent of a vulnerability.

OTP Hard Token:
  • Like every physical item, can be lost or stolen.
  • Far harder to administer. Really, only good for corporations where they can physically be given to each user.
  • Cost. You would need to buy everyone their own, and if one is lost or stolen, then you need to replace that and remove the lost on from access.
  • Less convenient in the sense now you need to carry yet another thing around with you and hope not to lose it.
  • Susceptible to Man-in-the-Middle attacks. Unsuspecting users can be tricked into entering a valid OTP into a fraudulent, phishing site, which would then forward the OTP on to the official site, allowing an intruder to successfully gain illicit access to a user’s account.


TOTP Soft Token
This is another common one, especially if you use Steam and use their Steamguard 2FA, is the Time based One Time Pass, (TOTP). Using such apps like Google Authenticator, Authy, Steamguard, ect... on your tablet/phone/computer allows the system to provide a time based code that will only stay active for about 30 seconds to 1 min, before it refreshes. Basically, a user must download and install a free 2FA app on their smartphone, tablet, or desktop. They can then use the app with any site that supports this type of authentication. At sign-in, the user first enters a username and password, and then, when prompted, they enter the code shown on the app use. Like hardware tokens, the soft-token is typically valid for less than a minute. And because the code is generated and displayed on the same device, soft-tokens remove the chance of hacker interception. That’s a big concern with SMS or voice delivery methods.

Best of all, since app-based 2FA solutions are available for mobile, wearables, or desktop platforms — and even work offline — user authentication is possible just about everywhere.

Cons:

  • It requires some sort of device. Can't get the code if you don't have that device.
  • Code expires fast. Most of the time, you get between 30 seconds to a minute, but for some people, that is not enough time to get the code and type it. There are some real slow typers out there.
  • TOTP 2FA uses a secret key shared between the authenticator app and the server hosting it. If a bad actor were to clone that secret key, they could generate valid codes at will and gain access to the user’s account.




Overall, my final take on this is, 2FA is something that should be used, since most people don't use a password manager while using different unique passwords on each site they register on. Using something like email 2FA is the worst, (besides no 2FA), since like mentioned above, all they really need to do is get into your email to gain access to all your accounts that aren't secure. I understand that some of you are reluctant to install apps, or quick to blame a piece of software because you don't quite have a full understanding of what it is, but, I hope in this post, I answered some of those questions or at least, gave you a better understanding of what it is.

Here are two videos. First one is basically going over what I said above. The second video is for those that want to activate Steamguard but don't know how to.



Expand
Forums ©