2024/02/05 15:51:14

Multi-factor authentication (MFA), two-factor authentication

Password-only authentication in the information systems of enterprises and organizations is obsolete. Companies that continue to apply this traditional access method to their information resources are jeopardizing their profitability and, probably, the very existence of the enterprise.

The authentication solutions directory is available on TAdviser.


This statement makes sense and applies primarily to companies in the financial sector, as well as a number of companies performing research, development and technological work (R&D) in high-tech market sectors.

According to the Russian Federation standard on information protection, three main properties determine the secure state of the information being processed: its confidentiality, availability and integrity. Recall that password authentication is one of the first barriers that appeared in IT systems, at the same time as operating systems that implement shared access to information resources. For almost 20 years it has stood at the first line of control. Obviously, the main advantage of this protection technique is its simplicity, and hardly anyone will dispute that password authentication, combined with an appropriate organizational approach, provides a sufficient level of security for information use in many organizations. However...

80% of information security incidents occur due to the use of weak passwords: this is the conclusion reached by Trustwave on the basis of its own research, which covered a number of companies in 18 regions of the world. The analysts devoted their research to the vulnerability of elements of information security systems, studying more than 300 incidents that took place in 2011. Their main conclusion: weak user passwords in information systems are the weakest point and the one most actively exploited by cybercriminals. This applies to both large and small companies.

A weak password is bad in terms of information security standards, but the flip side of using complex passwords is the difficulty of keeping them in memory. The result is careless storage in written form, and at that point it no longer matters whether the login/password pair is recorded in the employee's personal notebook or stuck to the monitor on a sticky note. Knowing how employees of Russian companies, for example, traditionally handle such data, an attacker will easily obtain this information. Add to this the commonly practised "synchronization" of passwords for access to various applications and corporate systems, and at least two of the three pillars of the enterprise's information security turn into digital dust.

Some foreign companies that analyze security incidents conclude that unauthorized access to restricted information about the financial activity of the enterprise, its contracts and schedules can lead not merely to losses but to ruin. Annual losses from information leaks in the United States are estimated in billions of dollars. The Russian industry portal "Information Security of Banks", in assessing the financial damage from possible abuse by employees, refers to research by the Association of Certified Fraud Examiners (ACFE, USA), which puts this amount at 6% of a bank's annual profit. According to the association's observations, losses in such incidents averaged $100 thousand and in 14.6% of cases exceeded $1 million.

The research company Javelin Strategy, in its annual study published in February 2012, estimated the global volume of fraud and data leaks from companies and organizations in 2011 at $18 billion. There is no reason not to trust the experts, and everyone is free to make an adjustment for Russia's lag in informatization and for the reticence of Russian banks and companies.

Despite the many computing tools and the wide range of technological solutions, companies planning their future have little choice of authentication method: multifactor authentication (unless, of course, there is a technological breakthrough in controlling computing systems by thought in the near future). Single-factor, password-based authentication is no longer enough for secure work with the information systems of a developed business.

Two-factor authentication is a two-stage access control technology: in addition to entering the login and password for an account, the user is asked to confirm his identity in an additional way, for example by entering into a form a code received in an SMS message on a mobile phone. Besides this option, TeleSign offers additional verification through voice calls and tokens.

Mobile identification

Mobile identification allows access to corporate applications only from "trusted" devices and users. To implement these capabilities, various technologies can be used (one or more in a particular case): certificates (for users and devices), application coding, authentication, etc. Increasingly, EMM (enterprise mobility management) tools use contextual information (for example, time or location) to help make access decisions.

Multi-factor authentication strengths and weaknesses

Its advantages include the ability to protect information from both internal threats and external intrusions. A certain weakness is the need for additional firmware, storage devices and readers. At the same time, statistics on breaches of systems that use two-factor authentication are currently absent or insignificant.

Multifactor, or extended, authentication is already used by a number of Russian financial companies in building Internet banking, mobile banking, file sharing and other end-user services. It is based on the combined use of several authentication factors (knowledge, or a means or object that stores one of the information components of a legitimate authentication procedure), which significantly increases the security of information use, at least for users connecting to information systems over both protected and unprotected communication channels.

As an example, take the two-factor user authentication process implemented in a number of Russian banks: login to the user's personal account via the Internet becomes possible after entering the password on the page, after which (if the password is confirmed) a one-time password is sent by SMS to the mobile phone previously registered by the user.

Similar schemes for monitoring and managing the user's privileges and his further actions in corporate or other information systems can be implemented with a variety of means and methods; the choice is quite wide in terms of manufacturability, cost, form of implementation and possible combinations of these properties.

A user session may also be checked for correspondence between the IP address of the last successful session and the MAC address of the corresponding network equipment, followed by a decision to confirm or refuse access to information resources. These two parameters cannot be trusted on their own, however, because of their technological weakness: an IP address can be substituted and a MAC address simply rewritten while the system is running, even without a reboot. Nevertheless, this information can be used as supplementary control values.

The downside of multi-factor authentication

The first problem with multi-factor authentication is how it is implemented. Currently the most popular second factor used by service providers is the one-time password (OTP)[1].

With this type of 2FA, the user enters a personal password at the first authentication level. In the next step he must enter an OTP, usually sent by SMS to his mobile device. The idea of the method is clear: the OTP is available only to the person assumed to be the legitimate user, so someone who has entered another person's stolen password is not supposed to be able to get past this step.

However, sending OTPs by SMS is, generally speaking, unsafe, since the messages are often transmitted in plain text. Even novice hackers can read such text messages; in fact, all they need is the target's phone number.

In addition, multifactor authentication cannot prevent MitM attacks, which are often used in phishing campaigns by email. If the attack succeeds, the user follows a fraudulent link to a site resembling the bank's online portal. There the user enters login details and other confidential data, which the attacker then uses to gain access to the real site.

And although this attack can be carried out only within a limited period of time, it is still possible.

Requirements of the Federal Service for Technical and Export Control for Multifactor Authentication

In early 2014, the Federal Service for Technical and Export Control (FSTEC) approved a methodological document on measures to protect information in state information systems. The document clarified many aspects of the organizational and technical information protection measures taken in state information systems in accordance with the approved Order of FSTEC of Russia No. 17 of February 11, 2013.

FSTEC strongly recommends completely abandoning the usual authentication by static passwords for all users without exception and moving to more reliable multifactor authentication. The mandatory requirements for multi-factor authentication are the use of hardware authenticators and a one-time password mechanism for both remote and local access.

Examples of two-factor and multi-factor authentication

The SMS authentication method is based on a one-time password; its advantage over a permanent password is that the password cannot be reused. Even if we assume that an attacker managed to intercept data during the exchange, he will not be able to make effective use of the stolen password to gain access to the system.

Here is another example, implemented with biometric devices and methods: the fingerprint scanner available in a number of laptop models. When logging in, the user must have his finger scanned and then confirm his authority with a password. Successful authentication gives him the right to use the local data of that particular PC. However, the operating procedures of the information system may provide a separate authentication procedure for access to the company's network resources, which, in addition to entering another password, may include a number of requirements for presenting subject authenticators. But even with such an implementation, the security of the system is undoubtedly strengthened.

Similarly, other biometric authenticators may be used:

  • fingerprints;
  • hand geometry;
  • outline and dimensions of the face;
  • voice characteristics;
  • iris and retinal pattern;
  • pattern of finger veins.

Main articles: Biometrics; Biometric identification technologies

At the same time, of course, the appropriate equipment and software is used, and the costs of its purchase and support may differ significantly.

However, it should be understood that biometric authenticators are not absolutely precise data. Prints of the same finger may differ under the influence of the external environment, the physiological state of the body, etc. For this authenticator to be confirmed successfully, a partial match between the fingerprint and the reference is sufficient: biometric authentication methods determine the degree of probability that the current authenticator matches the template. As for biometric authentication for remote access to information systems, modern technologies so far cannot transmit a fingerprint or the result of a retina scan reliably over unprotected channels.

These technologies are more suitable for use in corporate networks.

In the near future the most popular technology in this field may be voice authentication, and the signs of this are obvious. A significant number of developments in this area are already available, and projects introducing such management/control mechanisms have found a place in a number of large banks of the Russian Federation. Practical applications of voice biometric authentication include authentication by a key phrase in a number of call centers, audio passwords for access to Internet banking systems, confirmation of personnel actions when performing important operations of access to information, and control of physical access and presence in a room.

Besides technologies based on biometric authenticators, there are also software and hardware solutions such as stand-alone one-time password generators, RFID tag readers, cryptographic calculators, software and hardware tokens, electronic keys of various types (Touch Memory, key/smart cards), as well as biometric identification cards. All the multifactor authentication systems and methods listed in this article, and physical access control and management systems (MCDS) in addition to them, can be integrated, combined and operated in sequence or in combination. Hence the conclusion: the Russian market has enough offerings to strengthen the protection of information systems against both internal and external intrusions. Companies have a choice limited only by the size of the budget.

Today, a large number of foreign companies rely on protection methods based on multifactor authentication, including high-tech organizations, the financial and insurance sectors, large banking institutions and public sector enterprises, independent expert organizations and research firms.

At the same time, private companies and organizations around the world are generally not very willing to publicize the introduction of technological innovations in security and information protection, for obvious reasons. Much more is known about projects in the public sector: since 2006, successfully implemented technological solutions have been publicly known in government agencies in Canada, Saudi Arabia, Spain, Denmark and several other countries.

Russian market

2024: Multifactor Authentication Market in Russia Expects 20% Growth

MTS RED, part of MTS PJSC, conducted a study of the Russian multifactor authentication market. According to the analysts' forecasts, in 2024 this segment is expected to grow by about 20% to 3.8 billion rubles. MTS RED announced this on February 2, 2024.

Multi-factor user authentication protects a company from being hacked through attacks on users' passwords, including automated brute force or social engineering. According to the MTS RED SOC, in 2023 this method was used in a quarter of all attacks on Russian companies.

The growth of the multifactor authentication market is driven not only by the increase in the number of attacks but also by a number of other factors, among them companies' transition to remote or hybrid work and the growth in the volume of online transactions and of the e-commerce segment. The spread of strong authentication is also facilitated by the launch of real-time payment systems and the introduction of POS systems in retail outlets for the convenience of users.

According to MTS RED analysts' forecasts, by 2027 the Russian multifactor authentication market may grow by 80% compared to 2023, to 5.6 billion rubles. This dynamic is expected both from new customers and because large organizations that already use the technology to protect user accounts are starting to roll it out more widely. As of February 2024, the main demand for MFA solutions in Russia comes from the financial and oil and gas sectors, as well as from industry and power engineering.

"The demand in the multifactor authentication segment has long been created by quite large companies that are mature in terms of information security. However, since 2021 the market has also begun to grow due to the organization of secure access to corporate IT resources for employees working remotely. Then Russian companies faced a sharp increase in the number of cyber attacks, which created increased demand for effective security tools, including multifactor authentication as a measure of additional protection. Added to all these factors are the requirements of the regulators: in some cases the use of multifactor authentication becomes mandatory, which actively stimulates the growth of this market," said Vasily Ognev, head of multifactor authentication at MTS RED.

As of February 2024, about 75% of the Russian market is held by suppliers of hardware multifactor authentication, but a trend towards a growing market share of software developers in this class is already noticeable. According to MTS RED analysts, this is because software solutions are simpler in terms of implementation, logistics and accounting, while providing the same level of protection as hardware. Analysts also predict an increase in the revenue of providers of multifactor authentication as a service, since they additionally relieve customers of purchasing equipment or software and of the costs of supporting it.

Trends in the global multifactor authentication market are similar to Russian ones: by 2027 this segment will grow by about 70% and reach 27 billion US dollars. In 2024, the revenue of suppliers of this technology will grow by 19% and reach 19 billion US dollars. Among the drivers of the global multifactor authentication market, analysts note tightening legislation, a general increase in demand for cyber security and the growing popularity of remote work in organizations around the world.

2023: Internet authorization law requirements could be relaxed until 2025

Anton Gorelkin, Deputy Chairman of the State Duma Committee on Information Policy, submitted a bill (No. 487343-8) amending Law No. 406-FZ, adopted this summer, which requires hosting providers to authorize all Russian users and provides for the transfer of state information systems to them by September 1, 2024. The law defines the concept of a hosting provider and requires them, from December 1 of this year, to authorize all users either by phone number, or through the Unified Identification and Authentication System (UIAS), or through the Unified Biometric System (EBS), or through any authentication system (access cannot be authorized without authentication) controlled by a Russian company or citizen.

It is this last point, Russian authentication systems, that caused a small embarrassment. The explanatory note to the bill says:

"Currently, a number of large Russian IT companies are completing measures aimed at meeting the above requirements for Russian control. In order to ensure the stable functioning of Russian information resources until the completion of measures to transfer these IT companies under Russian control, the draft federal law 'On Amendments to Article 8 of the Federal Law "On Information, Information Technologies and Information Protection"' (hereinafter the bill) provides for the establishment of a transition period until January 1, 2025, during which these Russian IT companies can continue to use their information systems for user authorization."

In fact, this means that large Russian IT companies with their own federated authentication systems, such as Yandex and VK, are currently not quite under the control of Russian citizens or Russian companies, but are working in this direction. Within a year, apparently, the redomiciliation of such companies to Russia will be completed, and they will then comply with the requirements of the law. Over the same year, Russian hosting providers should also get rid of foreign federated authentication systems from Apple, Microsoft and others.

The operation of the federated Yandex authentication system built into the Direct ad display system (photo by Yandex)
"The purpose of these innovations is to strengthen the security of the personal data of our citizens and reduce the risks of integrating services from unfriendly countries into Russian resources," explained Anton Gorelkin in his Telegram channel. "We expected that our largest digital platforms would have time to resolve all organizational issues by December 1 of this year. However, after a series of consultations and meetings with the industry, it turned out that the deadlines need to be extended; otherwise there will be no guarantee of the stable functioning of the platforms, which would jeopardize the comfort of Russian users."

In addition, Law No. 406-FZ contained a strange clause on the use of a telephone number for authentication. In the law it is formulated as follows:

Access to the site is allowed for users who have been authorized "using the subscriber number of the mobile radiotelephone operator in accordance with the procedure established by the Government of the Russian Federation, on the basis of the identification agreement concluded by the owner of the site."

That is, all hosting providers were required by law to conclude identification agreements with mobile operators. Moreover, the Government of the Russian Federation was supposed to draw up rules for this by December 1, but it is unlikely to manage within the remaining time. And even if it does, all hosting providers will urgently need to conclude these agreements. This is inconvenient for both hosting providers and mobile operators, so Anton Gorelkin proposed excluding the clause on mandatory contracts and leaving only authorization "using the subscriber number of the mobile radiotelephone operator."

In accordance with the decision of the Committee on Information Policy, Information Technology and Communications, the bill is scheduled for consideration in the State Duma on November 28. For it to enter into force on December 1 (from the moment of signing, as stated in the text), it must be adopted in all three readings and also approved by the Federation Council and the President of the Russian Federation by December 1. Most likely this will not happen, so there is a non-zero probability of a peculiar legal gap: identification agreements with operators must apparently be concluded under the law, but there are no rules for this, and the requirement itself may be cancelled by adoption of the amendment. The same applies to the legitimacy of the "Russian" federated authentication systems.

2022: Sophisticated phishing campaign circumvents multi-factor authentication

On July 12, 2022, Microsoft described an ongoing large-scale phishing campaign in which attackers can hijack a user's account even when multifactor authentication (MFA) is used. The attackers, who have targeted 10,000 organisations since September 2021, used hidden access to victims' email accounts to trick employees into sending money to them.

Illustration: securitylab.ru

The cybercriminal inserts a proxy site between the victim and the server the user is trying to log in to. When the user enters a password on the proxy site, the site forwards it to the real server and then relays the server's response back to the user.

After authentication is complete, the attacker steals the session cookie set by the site, which is what allows the user to avoid re-authenticating on every new page. The campaign began with phishing emails carrying an HTML attachment that led to the proxy server.

"After the compromised account first logged into the phishing site, the attacker used the stolen session cookie for authentication in Outlook Online," said members of the Microsoft 365 Defender research group.

"In many cases, the cookies contained an MFA claim, meaning that even if the organization had an MFA policy, the attacker used the session cookie to gain access on behalf of the compromised account," reported the Microsoft Threat Intelligence Center team in a blog post about the campaign.

A few days after stealing the cookies, the attacker accessed employees' email accounts and began searching messages for use in BEC fraud. The cybercriminal fraudulently induced victims to transfer large sums of money to accounts they believed belonged to colleagues or business partners, using existing email threads and the identity of the compromised employee to persuade the other party to make the payment.

To prevent the compromised employee from noticing, the attacker created Inbox rules that automatically moved certain messages to the archive folder and marked them as read. Over the following days the cybercriminal logged in periodically to check for new emails.

"Once, a hacker made several fraud attempts at the same time from the same hacked mailbox. Each time an attacker found a new fraud target, he updated the Inbox rule he had created to include the domains of the new targets' organizations," wrote the authors of the blog.
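
The mailbox-rule behaviour described above (mail hidden in an archive-type folder, marked read, filtered on payment-related senders or subjects, and the rule re-edited as new targets appear) is something a SOC can detect from audit events. The following detection routine is an added example written for this article; it is not code from the original page or from Microsoft. The event fields and the sample records are constructed for the demo and do not follow any product's exact log schema, and each event is assumed to carry the rule's full state after the operation.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RuleEvent:
    """Simplified mailbox-rule audit event (constructed schema for the demo)."""
    user: str
    rule_name: str
    operation: str            # "New-InboxRule" or "Set-InboxRule"
    timestamp: int            # Unix seconds
    move_to_folder: str = ""
    mark_as_read: bool = False
    delete_message: bool = False
    from_domains: tuple = ()  # sender-domain conditions
    subject_keywords: tuple = ()


# Folders a user rarely looks at, so mail parked there is effectively hidden.
HIDING_FOLDERS = {"archive", "rss subscriptions", "rss feeds", "deleted items",
                  "junk email", "conversation history"}
FRAUD_KEYWORDS = {"invoice", "payment", "wire", "bank", "remittance", "transfer"}


def hides_mail(ev: RuleEvent) -> bool:
    return ev.delete_message or ev.move_to_folder.lower() in HIDING_FOLDERS


def targets_payment_traffic(ev: RuleEvent) -> bool:
    keywords = {k.lower() for k in ev.subject_keywords}
    return bool(keywords & FRAUD_KEYWORDS) or bool(ev.from_domains)


def suspicious_rules(events, edit_window: int = 3 * 86400, max_edits: int = 2) -> dict:
    """Group events per (user, rule) and return the rules that look like
    BEC concealment, keyed by (user, rule_name), with the reasons."""
    by_rule = defaultdict(list)
    for ev in events:
        by_rule[(ev.user, ev.rule_name)].append(ev)

    findings = {}
    for key, evs in by_rule.items():
        evs.sort(key=lambda e: e.timestamp)
        latest = evs[-1]                      # rule state after the last change
        reasons = []
        if hides_mail(latest) and latest.mark_as_read:
            reasons.append("hides mail and marks it read")
        if hides_mail(latest) and targets_payment_traffic(latest):
            reasons.append("hides mail filtered on payment-related senders or subjects")
        edits = [e for e in evs if e.operation == "Set-InboxRule"]
        recent = [e for e in edits if latest.timestamp - e.timestamp <= edit_window]
        if len(recent) >= max_edits:
            reasons.append(f"edited {len(recent)} times within {edit_window // 86400} days")
        if reasons:
            findings[key] = reasons
    return findings


# Constructed sample events: one rule that matches the described pattern, one
# ordinary newsletter filter, and one clean-up rule that deletes but is not
# aimed at payment traffic.
T0 = 1_700_000_000
SAMPLE_EVENTS = [
    RuleEvent("alice", "Vendor payments", "New-InboxRule", T0,
              move_to_folder="RSS Subscriptions", mark_as_read=True,
              subject_keywords=("invoice", "payment")),
    RuleEvent("alice", "Vendor payments", "Set-InboxRule", T0 + 86400,
              move_to_folder="RSS Subscriptions", mark_as_read=True,
              subject_keywords=("invoice", "payment"),
              from_domains=("partner-one.example",)),
    RuleEvent("alice", "Vendor payments", "Set-InboxRule", T0 + 2 * 86400,
              move_to_folder="RSS Subscriptions", mark_as_read=True,
              subject_keywords=("invoice", "payment"),
              from_domains=("partner-one.example", "partner-two.example")),
    RuleEvent("bob", "Newsletters", "New-InboxRule", T0,
              move_to_folder="Newsletters", mark_as_read=True,
              from_domains=("news.example",)),
    RuleEvent("carol", "Cleanup", "New-InboxRule", T0,
              delete_message=True, subject_keywords=("unsubscribe",)),
]


if __name__ == "__main__":
    for (user, rule), reasons in suspicious_rules(SAMPLE_EVENTS).items():
        print(f"{user} / {rule}: " + "; ".join(reasons))
```

Note that "bob" is not flagged even though his rule marks mail read, because the destination folder is one he will actually look at, and "carol" is not flagged because deletion alone, without a payment-related filter, is ordinary housekeeping. The combination of hiding plus payment filtering plus repeated edits is what the described campaign produced.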

The most effective forms of MFA available are those that comply with the FIDO Alliance standards. These types of MFA use a physical security key, which may also take the form of an Android or iOS device.

Authentication can also use biometric data (a fingerprint or retina scan) that is always stored on the device so that it cannot be stolen. All FIDO MFA methods are phishing-resistant and use server-side mechanisms that withstand this kind of ongoing campaign. One hacker can do as much harm as 10,000 soldiers.[2]
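
Why a FIDO assertion survives the proxy described above while an SMS code does not comes down to origin binding: the browser, not the page, writes the origin of the site that invoked the WebAuthn API into the signed client data, so an assertion produced on a look-alike domain names that domain and the real server refuses it. The Python model below is an added example written for this article, not code from the original page, from Microsoft or from the FIDO Alliance. It simplifies the authenticator's key pair to a shared HMAC secret (assumed stand-in for a stdlib-only demo; real authenticators sign with an asymmetric key and the server keeps only the public key) and uses constructed origins and a constructed OTP value.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo values. CREDENTIAL_SECRET stands in for the authenticator's
# private key (simplification for the demo; the origin check is unchanged).
RP_ORIGIN = "https://bank.example"
CREDENTIAL_SECRET = b"demo-authenticator-secret-not-a-real-key"


def sign_client_data(credential_secret: bytes, client_data: bytes) -> bytes:
    """Authenticator: sign the hash of the client data it was handed."""
    return hmac.new(credential_secret, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()


class RelyingParty:
    """Server side of a WebAuthn-style login: issues single-use challenges
    and verifies that an assertion was produced for this origin."""

    def __init__(self, origin: str, credential_secret: bytes):
        self.origin = origin
        self.credential_secret = credential_secret
        self.pending = set()          # challenges issued but not yet consumed

    def new_challenge(self) -> str:
        challenge = secrets.token_urlsafe(32)
        self.pending.add(challenge)
        return challenge

    def verify(self, client_data: bytes, signature: bytes) -> bool:
        data = json.loads(client_data)
        # 1. Freshness: the challenge must be one we issued and not yet used.
        if data.get("challenge") not in self.pending:
            return False
        # 2. Origin binding: the browser records the origin that called the
        #    API. A proxy on another domain yields that proxy's origin.
        if data.get("origin") != self.origin:
            return False
        # 3. The signature must cover exactly this client data.
        if not hmac.compare_digest(sign_client_data(self.credential_secret, client_data), signature):
            return False
        self.pending.discard(data["challenge"])   # consume: no replay
        return True


def browser_assert(challenge: str, page_origin: str) -> tuple:
    """Client side: the browser builds clientData with the origin of the page
    that invoked the API and hands its hash to the authenticator to sign."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True,
    ).encode()
    return client_data, sign_client_data(CREDENTIAL_SECRET, client_data)


def legitimate_login(rp: RelyingParty) -> bool:
    client_data, sig = browser_assert(rp.new_challenge(), RP_ORIGIN)
    return rp.verify(client_data, sig)


def proxied_login(rp: RelyingParty, proxy_origin: str = "https://bank-login.example") -> bool:
    """Adversary-in-the-middle: the proxy fetches a real challenge from the
    bank, serves the login page on its own domain and forwards whatever the
    victim's browser produces. The forwarded assertion names the proxy's origin."""
    client_data, sig = browser_assert(rp.new_challenge(), proxy_origin)
    return rp.verify(client_data, sig)        # False: origin mismatch


def replayed_login(rp: RelyingParty) -> bool:
    """A captured assertion submitted a second time is rejected as well."""
    client_data, sig = browser_assert(rp.new_challenge(), RP_ORIGIN)
    rp.verify(client_data, sig)
    return rp.verify(client_data, sig)        # False: challenge already consumed


def proxied_sms_otp(expected_code: str = "482913") -> bool:
    """Contrast: an SMS code carries no origin, so the same proxy simply
    forwards the digits the victim typed and the real server accepts them."""
    typed_on_proxy_page = expected_code
    forwarded_to_real_site = typed_on_proxy_page
    return hmac.compare_digest(forwarded_to_real_site, expected_code)


if __name__ == "__main__":
    rp = RelyingParty(RP_ORIGIN, CREDENTIAL_SECRET)
    print("legitimate:", legitimate_login(rp), "proxied:", proxied_login(rp),
          "replayed:", replayed_login(rp), "sms via proxy:", proxied_sms_otp())
```

The session cookie issued after a successful FIDO login is still a bearer token, so the cookie theft the article describes is a separate problem; origin binding stops the proxy from completing the login in the first place, which is the step the OTP variant cannot stop.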

2021

Two-factor identification is no longer the safest way to protect yourself

Two-factor authentication is not as effective as before, it became known on December 31, 2021 from researchers at Stony Brook University and Palo Alto Networks.

Two-factor authentication is a system of two keys, one of which comes to the user from outside (an SMS with a code sent to the phone) and the other of which the person remembers (the ordinary login and password). Two-factor authentication was considered one of the most reliable ways to protect an account.

According to the researchers, software for bypassing two-factor authentication is gradually becoming cheaper and accessible to a large circle of cybercriminals.

It has become much easier to obtain the hacking kits offered by attackers. Whereas one used to have to search the darknet for such tools, they are now available on the open Internet. Such kits allow authentication cookies to be stolen with minimal (or no) effort, after which the site treats the cybercriminal as a legitimate user and lets him in under the victim's name without any problems. This does not even require the regular password.

The point is that cookies usually store account authorization tokens so that the user does not have to log in every time the site is opened.

According to the researchers, the proposed hacker kits are effective on most large sites and applications. During the study, they found at least 1,200 kits.

It is noted that hackers have been able to bypass two-factor authentication for several years. What seriously concerns the researchers, however, is the widespread adoption of such kits and the ease of obtaining them.[3][4]

Fraudsters have learned to bypass two-factor code authentication from SMS

In December 2021 it became known that fraudsters had learned to bypass two-factor authentication by SMS code. Kaspersky Lab described the new scheme.

As Izvestia writes, citing experts of the antivirus company, cybercriminals organized a mailing to motorists offering to extend an OSAGO (compulsory motor insurance) policy, with the message pointing to a phishing site that copies the insurance company's portal. After clicking the link and entering card data, the user is taken to a code entry form. At this moment the client does receive an SMS from the bank, but the SMS confirms a request to transfer money, not a payment for goods and services.

Attackers have learned to bypass two-factor authentication

When the user enters the SMS code on the page that appears after the wait, the attackers complete the attack by confirming the money transfer.

According to experts, the new scheme has emerged because Russians are already accustomed to never reading out SMS codes over the phone, but when shopping on websites they are still less vigilant and enter the verification digits without hesitation.

"Usually a person receives a letter with an offer to extend OSAGO, follows the link and sees that all the data of his car are displayed there, including the license plate. Next to it is the payment link. As soon as he follows it, the vehicle owner is trapped," said Alexey Marchenko, head of the content filtering methods development department at Kaspersky Lab.

Experts say that even though attackers find ways to bypass two-factor authentication, it should still be trusted. This method of confirming the legitimacy of an operation implies that the user is aware of his actions and understands on which site and for what purpose he is entering the password and code, said Nikolai Agrinsky, CEO of Infosecurity (a Softline Company).[5]

2019

Introduced a new way to bypass two-factor authentication

In late December 2019, a group of hackers allegedly linked to the Chinese government was accused of hacking networks around the world. Experts believe the hackers developed a new technique for bypassing two-factor authentication, which alarmed the cybersecurity community.

Hacker activity attributed to the APT20 group was first discovered in 2011. The group was involved in breaking into and accessing data of government agencies, large companies and service providers in the United States, South America and Europe. In 2016-2017 the group disappeared from the specialists' field of view, and only recently did the Dutch cybersecurity consulting company Fox-IT find traces of APT20's intrusion into the network of one of its clients, who had asked it to investigate breaches of network integrity.

Hacker group allegedly linked to Chinese government accused of hacking networks around the world

Fox-IT researchers described the intrusion technique in detail. According to the experts, the group used web servers as the entry point, in particular the JBoss enterprise application platform. Having penetrated the system and installed web shells, the hackers moved across the victims' networks. The passwords and accounts they found allowed them to steal data using standard tools, without installing malware.

Worst of all, APT20 was able to bypass two-factor authentication by gaining access to protected VPN accounts. Most likely the hackers stole an RSA SecurID software token from a compromised system and modified it so as to remove its binding to the local system. Normally the RSA SecurID software produces an error without this binding, but the hackers bypassed the initial verification and, using the stolen program, were able to freely generate one-time codes, circumventing the two-factor protection.[6]

Use of multi-factor authentication blocks 99.9% of hacks

Microsoft's cloud services register about 300 million fraudulent login attempts every day. Multifactor authentication (MFA) can help protect accounts from many types of attacks.[7]

According to Microsoft experts, users who have enabled multi-factor authentication for their accounts end up blocking 99.9% of automated attacks.[8] The recommendation applies not only to Microsoft accounts but to any other profile, website or online service. If the service provider supports multi-factor authentication, Microsoft recommends using it, whether it is something simple such as one-time SMS passwords or an advanced biometric solution.

Old advice such as "never use a password that has ever been compromised" or "use really long passwords" has not been very helpful in recent years, according to Microsoft researchers. Cybercriminals now have a variety of methods for obtaining user credentials, and in most cases the password and its complexity do not matter.

Enabling multi-factor authentication protects against the constant stream of fraudulent login attempts. It fails to block only the 0.1% of attacks in which cybercriminals use technical means to seize MFA tokens, and such attacks are extremely rare.

Lawsuit against Apple for 'illegally' including two-factor authentication

On February 11, 2019, it became known that California resident Jay Brodsky had sued Apple for "illegally" enabling two-factor authentication. Brodsky complains that two-factor authentication makes life much harder for users, since they must not only remember the password but also have access to a trusted phone or phone number.

2017: Google drops SMS with two-factor authorization

In the summer of 2017 Google plans to show users on-screen notifications asking them to confirm their login, instead of one-time verification codes sent by SMS. This approach is considered more reliable than sending secret codes via SMS, because the notifications are harder to intercept.

Google's messages will indicate the device from which the login is being made, its physical location and the time of the login attempt. Users will need to watch this information closely to prevent unauthorized access by strangers.

The switch to on-screen notifications will be offered only to Google users who already have two-factor authentication enabled. Accepting the offer is not mandatory: there is an option to keep receiving the code via SMS.

2016

SMS passwords are considered unsafe

In the summer of 2016 the US National Institute of Standards and Technology (NIST) presented a preliminary version of the future Digital Authentication Guideline, a document that will establish new norms and rules for digital authentication methods. According to it, the SMS OTP mechanism was not originally intended for authentication and cannot be considered a full-fledged authentication factor.[9]

The document states directly that the use of SMS messages for two-factor authentication may be "invalid" and "unsafe" (section 5.1.3.2 of the document).

The paragraph reads in full: "If verification via an external channel is carried out through an SMS message in a public mobile telephone network, the verifier must make sure that the pre-registered telephone number used is actually associated with the mobile network, and not with VoIP or other software service. After that, it is possible to send an SMS message to a parked phone number. Modification of a pre-registered telephone number should not be possible without two-factor authentication during the modification. SMS messages are not allowed in external channel authentication and will not be allowed in future versions of this manual."

The main concern of the NIST experts is that a phone number can be tied to a VoIP service; in addition, attackers can try to convince the service provider that the phone number has changed, and such tricks need to be made impossible.

Although the document recommends that manufacturers use tokens and cryptographic identifiers in their applications, the authors of the amendments also note that a smartphone or other mobile device can always be stolen or end up temporarily in someone else's hands.

There are many ways to compromise SMS passwords, and they have already been used repeatedly, mainly to steal funds from customers of Russian banks. It is enough to list just a few methods of defeating SMS passwords:

  • SIM card replacement using forged documents
  • Exploitation of vulnerabilities in the SS7 signalling protocol
  • Call forwarding set up at the mobile carrier
  • False base stations
  • Specialized smartphone Trojans that intercept SMS passwords

Hacking the gateway between the bank and the telecom operator can be considered yet another method.

The fact that every bank uses the SMS password mechanism opens up wide prospects for hackers. Obviously, once a Trojan for a smartphone has been written, it can be used to attack all Russian banks with minimal customization.

At the same time, it can be predicted that large banks will be the first targets: their large client base lets fraudsters count on a significant haul even when customer account balances are small.


One-time passwords via SMS

  • delivery delays
  • possibility of interception at the communication channel level or at the point of entry into the system
  • possibility of interception at the mobile operator level
  • possibility of a client's SIM card being reissued to a fraudster under a forged power of attorney (with interception of SMS)
  • possibility of sending SMS messages to the client from a spoofed number
  • operating costs that grow in proportion to the customer base

One-time passwords via PUSH

  • delivery is not guaranteed
  • Apple, Google and Microsoft directly prohibit their use for transmitting confidential information
  • intended purpose is notification only

Researchers demonstrate simple attack to bypass two-factor authentication

Scientists from Vrije Universiteit Amsterdam, Radhesh Krishnan Konoth, Victor van der Veen and Herbert Bos, demonstrated a practical attack on two-factor authentication using a mobile device. The researchers demonstrated a Man-in-the-Browser attack against Android and iOS smartphones.[10]

The problem with two-factor authentication arose from the growing popularity of smartphones and owners' desire to synchronize data between their devices. Two-factor authentication relies on the physical separation of devices to protect against malware. Data synchronization, however, makes that separation completely useless.

The researchers demonstrated an attack based on installing an app via Google Play. They managed to bypass the Google Bouncer check and activate the app to intercept one-time passwords.

To attack iOS, the researchers used the new OS X feature Continuity, which synchronizes SMS messages between an iPhone and a Mac. If this functionality is enabled, it is enough for an attacker to have access to the computer to read all SMS messages.

According to the researchers, the app to steal one-time passwords was added to Google Play on July 8, 2015 and remained available to users for two months, until the release of a video showing the attack.

Apple was notified on November 30, 2015, but the researchers did not receive a response.

2015

Yandex and Mail.ru launched two-factor authentication

Usually, two-factor authentication involves entering a password on the site, and then confirming your identity using an additional code received in an SMS message to your mobile phone.

In Mail.Ru's implementation of two-factor authentication, the first factor is the password and the second is a code the user receives by SMS to the phone number linked to the account. According to the solution's developers, this is the most accessible method, as it also reaches an audience that does not use smartphones running popular operating systems.

"It's still easier for us," says Vladimir Ivanov, deputy head of Yandex's operations department. The company suggests not entering a password on the website at all. Instead, the user photographs the QR code on the service page (for example, Yandex.Mail) with a smartphone and enters a four-digit PIN code on the smartphone, he said.

The photographed QR code goes to the Yandex.Key application, in which the user then enters the PIN. The Yandex.Key application must be installed on the device in advance if the owner wants to use the new Yandex technology. Two-factor authentication must also be enabled beforehand in Yandex.Passport, Ivanov said. Owners of Apple smartphones and tablets can use the Touch ID fingerprint scanner instead of the PIN code (if the model has one).[11]

The two factors in the Yandex system are as follows: information that the device belongs to a specific user, which is stored on Yandex's servers, and the user's knowledge of their four-digit PIN (or their fingerprint), the company explained.

Each time the PIN is entered (or Touch ID is triggered), the application generates a unique one-time code valid for 30 seconds. Part of the code is derived from the PIN, which only the user and Yandex know, and part from the application data. Both "secrets" are encrypted into the one-time code. "This rules out the situation in which one factor is compromised and the attacker guesses the data of the second factor," Yandex added.

If the QR code cannot be read, for example because the smartphone camera does not work or the Yandex.Key application has no Internet access, it will create a one-time password made up of characters. It, too, is valid for only 30 seconds.

After switching to two-factor authentication, the existing user password will stop working in all installed programs that use the Yandex login and password, including Yandex.Disk, mail clients configured to collect mail from Yandex.Mail and synchronization in Yandex.Browser, the company warned. Each application will require its own new password, created in Yandex.Passport under the "Application passwords" setting. It needs to be entered once in each application.
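The two-secret code described above, as an added illustration that is not Yandex's code (the page does not say how Yandex.Key actually combines the PIN with the application data): a Python sketch in which the user's PIN and a device secret are folded into one key, a 30-second code is derived from it with the RFC 6238 TOTP construction, and the server, holding only the same derived key, accepts a fresh code produced with the right PIN and rejects a wrong-PIN or expired one. The key-derivation step, the class and function names and the demo values are assumptions.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional

STEP_SECONDS = 30   # code validity stated on the page
DIGITS = 6


def derive_key(pin: str, device_secret: bytes) -> bytes:
    """Fold the two factors into one OTP key (assumed construction:
    HMAC-SHA256 keyed with the app secret over the PIN). Neither factor
    alone yields the key: a stolen app secret still leaves the PIN to be
    guessed, and a leaked PIN is useless without the device."""
    return hmac.new(device_secret, pin.encode(), hashlib.sha256).digest()


def totp(key: bytes, unix_time: float) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second step counter,
    dynamic truncation, six decimal digits."""
    counter = int(unix_time) // STEP_SECONDS
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


class Authenticator:
    """Client side: the app holds the device secret, the user types the PIN."""

    def __init__(self, device_secret: bytes) -> None:
        self.device_secret = device_secret

    def code(self, pin: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        return totp(derive_key(pin, self.device_secret), now)


class Verifier:
    """Server side: keeps only the derived key per login. The current step
    and one step either side are accepted to absorb clock skew; anything
    older is rejected, matching the 30-second validity on the page."""

    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}

    def enroll(self, login: str, pin: str, device_secret: bytes) -> None:
        self.keys[login] = derive_key(pin, device_secret)

    def verify(self, login: str, submitted: str,
               now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        key = self.keys.get(login)
        if key is None:
            return False
        # Constant-time comparison on bytes so odd input cannot raise.
        return any(hmac.compare_digest(totp(key, now + skew).encode(),
                                       submitted.encode())
                   for skew in (-STEP_SECONDS, 0, STEP_SECONDS))


# Constructed demo values, not real credentials.
DEMO_SECRET = b"constructed-device-secret-0001"
DEMO_PIN = "4821"
```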

Authentication server will combine validation processes

The purpose of authentication is to make it as difficult as possible to use someone else's (stolen or guessed) credentials. The process should be simple for a legitimate user, yet inventing and memorizing strong passwords of at least nn characters, with special characters and digits in them, is very likely to annoy users.[12]

A company may have several different information systems and resources that require authentication:

The user faces the task of complying with the security policy's requirements for password complexity and uniqueness, which is difficult to do in practice; technologically, the result is disparate authentication systems that are not interconnected, not flexible, and require substantial resources to support. All of this leads to additional costs and "sluggishness" when the company changes its authentication methods.

An authentication server can address these issues and help solve the current problems: a single administration center for all authentication processes, for all applications, services and resources at once. Industrial servers of this type support a whole set of authentication methods, typically OATH HOTP, TOTP and OCRA, PKI certificates, RADIUS, LDAP, regular passwords, SMS, CAP/DPA and others. Each resource that uses the authentication server can use the method it requires.

With an authentication server, IT administrators get a single user account management interface and flexible options for changing authentication methods. The business gets reliable protection of access to services and resources in the form of two-factor authentication, which increases the loyalty of both internal and external users.

Adding a second authentication factor to an existing authentication server does not require the company to create new software and hardware or to purchase new tokens.

As an example: Bank A verified the identity of debit and credit card holders in its client bank using certificates on USB tokens. Its payment cards had only a magnetic stripe, but at some point the bank started issuing cards with an EMV chip, which is essentially a microcomputer. A card with an EMV chip can be used for authentication with the MasterCard Chip Authentication Program (CAP) algorithm. So Bank A can now stop using expensive PKI tokens for each user and switch this authentication method to CAP, which requires only an inexpensive cryptocalculator. Some time later, Bank A begins issuing payment cards with a display and a built-in OATH TOTP algorithm and, to spare the user an additional cryptocalculator, configures TOTP authentication for the client bank. It should be understood that, besides remote banking, Bank A has many other services, both internal and intended for customers or partners, that require authentication. For each application, the information security service can set its own requirements for the user authentication methods needed. All of Bank A's authentication can be performed on the authentication server; there is no need to develop it for each application separately.

This flexibility and ease of adding new authentication methods cannot be achieved without an authentication server. The time saved on these tasks is so significant that the speed of putting a product into operation becomes a competitive advantage.

Strong authentication in the form of specialized software makes it possible to add multi-factor authentication to applications that previously lacked it, without complex modifications. Almost all information systems, services and applications that do not support strong authentication out of the box can use the capabilities of the authentication server for user access.
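An added example, not code from any authentication-server product: a minimal Python authentication server that keeps a per-resource policy of which method to use (a password and OATH HOTP here), so that moving a resource such as the client bank from one method to another is a policy change rather than an application change. The HOTP verifier also shows the look-ahead window and counter advance that keep a skipped or replayed token code from being accepted. The method names, the class and the look-ahead size are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict

HOTP_DIGITS = 6
LOOK_AHEAD = 5   # counter values the verifier will search past the stored one


def hotp(key: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** HOTP_DIGITS:0{HOTP_DIGITS}d}"


class AuthServer:
    """One verification point shared by every application. A resource is
    mapped to the method it requires, so moving a resource from one method
    to another (the page's bank example) is a policy change made here, not
    a change to the application that calls authenticate()."""

    def __init__(self) -> None:
        self.policy: Dict[str, str] = {}        # resource -> method name
        self.passwords: Dict[str, tuple] = {}   # user -> (salt, pbkdf2 hash)
        self.hotp_state: Dict[str, dict] = {}   # user -> {"key", "counter"}
        self.methods = {"password": self._check_password, "oath-hotp": self._check_hotp}

    def set_policy(self, resource: str, method: str) -> None:
        if method not in self.methods:
            raise ValueError(f"unsupported method: {method}")
        self.policy[resource] = method

    def enroll_password(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.passwords[user] = (salt, digest)

    def enroll_hotp(self, user: str, key: bytes) -> None:
        self.hotp_state[user] = {"key": key, "counter": 0}

    def authenticate(self, resource: str, user: str, credential: str) -> bool:
        method = self.policy.get(resource)
        return method is not None and self.methods[method](user, credential)

    def _check_password(self, user: str, password: str) -> bool:
        if user not in self.passwords:
            return False
        salt, digest = self.passwords[user]
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(cand, digest)

    def _check_hotp(self, user: str, code: str) -> bool:
        st = self.hotp_state.get(user)
        if st is None:
            return False
        # The token may have been pressed without a login: search a bounded
        # window ahead, then move past the used counter to block replay.
        for c in range(st["counter"], st["counter"] + LOOK_AHEAD + 1):
            if hmac.compare_digest(hotp(st["key"], c).encode(), code.encode()):
                st["counter"] = c + 1
                return True
        return False
```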

2014: Google vs passwords: Sales of USB keys for accessing sites have begun

In October 2014 Google announced that it would launch two-factor authentication on its sites using a physical USB key. Keys can be bought on Amazon, which currently stocks three models priced from $6 to $60.[13]

All keys use the open Universal 2nd Factor (U2F) protocol developed by the FIDO Alliance. The keys can be used on any site (not only Google) that adds support for this protocol.

USB keys do not require installation: after entering the password on the site, the user simply inserts the key into the computer's USB port when the site asks for it. All keys work with Windows, OS X, Linux and Chrome OS. To work with a USB key, Google Chrome version 38 or later is required.

Using USB keys is completely free, but users must buy them at their own expense. The keys differ in design; the most expensive model, at $60, is equipped with Java Card technology.

Google launched two-factor authentication with an SMS confirmation code in 2011. In January 2013 the corporation announced that it planned to develop and offer physical means of identity confirmation; even then, access to Google services via USB keys was under discussion.

2013: Two-factor authentication of mobile transactions

In October 2013, IBM researchers developed and presented a new mobile authentication technology based on the near-field communication (NFC) standard. The technology provides an additional layer of protection for access to the corporate network or a private cloud when conducting transactions through NFC-capable mobile devices and contactless smart cards.

According to a report by the research company ABI Research, in 2014 the number of NFC-enabled devices in use will exceed 500 million. This, together with the fact that by 2017 one billion mobile users will be performing banking transactions on their devices *, confirms the growing risk of data loss through fraud.

To address this problem, staff of the IBM laboratory in Zurich, who also created an operating system that runs and secures hundreds of millions of smart cards, have developed an additional layer of protection for mobile transactions based on two-factor authentication.

Many users already use two-factor authentication on a computer, for example by entering not only a password but also a confirmation code received by SMS. The IBM scientists applied the same principle to a personal identification number (PIN) combined with a contactless smart card. The smart card can be one issued by a bank for use at ATMs, or by an employer as an employee ID.

"Two-factor authentication technology based on the Advanced Encryption Standard provides a high level of security," commented Diego Ortiz-Yepes, a mobile security specialist at IBM Research.

How the technology works

The user holds the smart card near the NFC reader of their mobile device. After the PIN is entered, the card generates a one-time code, which is then sent to the server via the mobile device.

The IBM technology relies on end-to-end encryption of the data exchanged between the smart card and the server using the Advanced Encryption Standard (AES), approved by the National Institute of Standards and Technology (NIST). Existing mobile technologies on the market require the user to carry, for example, a random password generator, which is not always convenient and in some cases less reliable.

The new technology, now available on any NFC-equipped device running Android 4.0, is built on the IBM Worklight mobile platform, which is part of the IBM MobileFirst portfolio of solutions. Future updates will support new NFC devices as the market evolves.

The results of a new IBM Institute for Business Value study of "mobile" enterprises confirmed that organizations recognize the importance of a high level of security for mobile transactions. According to the survey of specialists, security ranks second among the most difficult tasks facing the enterprise.

2011: Two-factor authentication too complex, administrators say

60% of the one hundred information service managers surveyed by GrIDsure are concerned about the excessive complexity of two-factor user authentication methods, and more than half believe that implementing them would be too expensive (2011 data). At the same time, one in five is skeptical about the chances of two-factor authentication solving the problems of traditional single-password authentication. Nevertheless, 36% of respondents consider multi-level authentication the most important factor in securing access. 32% put employee training first, and only 7% favor disabling remote access altogether.

Password authentication is no longer enough to protect valuable data, GrIDsure concluded. However, the cost of the system is the deciding factor: most solutions on the market are too complex and expensive to deploy and support, and any system that requires a hardware key or sends passwords to a mobile phone only makes the authentication process more cumbersome.[14]

Only 34% of respondents are confident that employees are able to do everything necessary to protect the company from computer threats.

Notes