David's Blog

A Response to Two-Factor Authentication Might Not Keep You Safe

Last week I read an OpEd in the NYTimes with the above title that I found to miss the mark a fair bit. It may even discourage people from setting up this important protection on their most critical accounts, which would be a most unfortunate outcome. You should enable two-factor authentication on any account that you can. The article concludes with a call for more data about the effectiveness of two-factor against various forms of account compromise, which I entirely agree with; however, that call is buried deeply beneath paragraphs casting doubt on the effectiveness of two-factor auth.

The two primary complaints seem to be that two-factor authentication cannot protect against sophisticated phishing attacks and that we do not have enough information about its effectiveness, given the perceived inconvenience. Admittedly, the article does state that these facts alone are not enough reason not to enable it, but that admission comes only after seven paragraphs describing phishing attacks against various types of account, and it then equivocates by introducing the complaint about the lack of data on its effectiveness.

My primary issue with this is that it seems to conflate phishing - one type of account compromise attack - with the broader class of account compromise attacks. There is not a single mention of the protection that two-factor authentication provides against a compromised primary credential (i.e., a password). The protection it provides against credential dumps from breached services cannot be ignored. Even if you follow other best practices and do not reuse any passwords across websites, there is often a gap of months between the time a breach happens and the time it becomes publicly known. Without two-factor authentication, an account on a service that has had a password breach is far more vulnerable than it would be with the second factor in place. Assuming no password reuse, I would go so far as to say that two-factor authentication vastly mitigates primary credential theft, since bypassing the second factor would require a secondary attack (e.g., phishing, phone compromise, etc.).

Is the author right that some two-factor authentication methods are vulnerable to phishing? No doubt about it, yes they are. However, even the weakest forms (e.g., SMS as a second factor) mitigate primary credential compromise as described above. There are also two-factor auth methods that are much stronger against phishing than SMS or one-time passcode generator devices/apps. U2F devices are one such method. They prevent phishing because there is no passcode to phish - they work via a challenge-response mechanism that is bound to the site's origin and fails on a phishing website even if the human doing the authenticating is fooled. Another, lesser protection is a push-based mechanism like Duo Push, where you have a chance to inspect the login request. Chances are that it's still possible to be fooled by a phishing attempt with a push-based second factor, as mentioned in the original article, but, given a location for the login attempt, it is at least possible to notice that the attempt didn't come from where you expected. A mismatch between the location of the phishing server and that of the authenticating user is likely in many less sophisticated phishing attacks. (Full disclosure: I previously worked for Duo.)
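To make the "nothing to phish" point concrete, here is an added toy model of origin-bound challenge-response (example code written for this post, not code from the original article, from Duo, or from any U2F implementation). It assumes a simplified protocol: the authenticator derives a per-origin key from a device secret, and an HMAC stands in for the asymmetric signature that real U2F uses, so the script runs on the Python standard library alone. The origin string, user name and device secret are all constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed device secret: in a real token this never leaves the hardware.
DEVICE_SECRET = b"constructed-device-secret-for-demo"


def origin_key(origin: str) -> bytes:
    """The authenticator derives a distinct key for every origin it is registered on.
    (Simplification: real U2F generates a per-credential key pair; HMAC stands in here.)"""
    return hmac.new(DEVICE_SECRET, origin.encode(), hashlib.sha256).digest()


def authenticator_sign(origin_seen_by_browser: str, challenge: bytes) -> bytes:
    """What the token returns. The browser, not the user, supplies the origin of the
    page the user is actually on, so the response is bound to that origin."""
    key = origin_key(origin_seen_by_browser)
    origin_hash = hashlib.sha256(origin_seen_by_browser.encode()).digest()
    return hmac.new(key, origin_hash + challenge, hashlib.sha256).digest()


class RelyingParty:
    """The genuine service. At registration it records the key bound to its own origin."""

    def __init__(self, origin: str):
        self.origin = origin
        self.registered_keys = {}
        self.outstanding = {}

    def register(self, user: str) -> None:
        # Registration happens on the genuine site, so the key is tied to self.origin.
        self.registered_keys[user] = origin_key(self.origin)

    def new_challenge(self, user: str) -> bytes:
        challenge = os.urandom(32)
        self.outstanding[user] = challenge
        return challenge

    def verify(self, user: str, response: bytes) -> bool:
        # Each challenge is single-use, so a captured response cannot be replayed.
        challenge = self.outstanding.pop(user, None)
        key = self.registered_keys.get(user)
        if challenge is None or key is None:
            return False
        origin_hash = hashlib.sha256(self.origin.encode()).digest()
        expected = hmac.new(key, origin_hash + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def legitimate_login(rp: RelyingParty, user: str) -> bool:
    """User is on the real site: the browser reports rp.origin to the token."""
    challenge = rp.new_challenge(user)
    return rp.verify(user, authenticator_sign(rp.origin, challenge))


def phished_login(rp: RelyingParty, user: str, phishing_origin: str) -> bool:
    """A relaying phishing page forwards the real challenge, but the browser reports
    the phishing origin to the token, so the response is computed under a different
    origin and key than the one the real service registered."""
    challenge = rp.new_challenge(user)
    return rp.verify(user, authenticator_sign(phishing_origin, challenge))


if __name__ == "__main__":
    rp = RelyingParty("https://example.com")       # constructed sample origin
    rp.register("alice")                          # constructed sample user
    print("legitimate login:", legitimate_login(rp, "alice"))
    print("phished login:   ", phished_login(rp, "alice", "https://examp1e.com"))
```

Running it prints True for the genuine login and False for the relayed one: the user pressed the button in both cases, but the browser bound the second response to the lookalike origin, which is exactly the property a passcode typed into a form cannot have.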

Lastly, we have the call for more data from larger organizations about the effectiveness of 2FA against phishing attacks. I'm on board with this and wish the security teams at larger organizations like Google or Facebook were more transparent about their results here. That said, the existence of an attack against specific 2FA methods does not equate to proof that 2FA doesn't work at all. I worry about people not well educated in computer security reading critical articles like this and concluding 2FA isn't worth the hassle. I'm not arguing that we shouldn't question our current best practices, but that when it comes to security discussions consumed by the general public, we have to be well balanced, because there is a real risk.