"An attacker might be able to collect a cookie or an OAuth token from a website and essentially take over their session," he said.

"So, 2FA is a good thing, but it does make the user experience more complicated. It's done when you're logging into an account on your device for the first time, for example."

Will two-factor authentication protect me?

Well, that's a loaded question when it comes to security. It's true that two-factor authentication is not impervious to hackers. One of the most high-profile cases of a compromised two-factor system occurred in 2011, when security company RSA revealed that its SecurID authentication tokens had been hacked.

Fenton explained both sides of the effectiveness problem. "The thing that concerns me as a security guy is that people don't look at what the cause of the threats might be. 2FA mitigates the problems, but a lot of awful attacks can run on 2FA."

At the same time, he said, two-factor offered more protection than logging in without it. "When you make an attack harder, you're disabling a certain subset of the hacker community," he said.

To hack two-factor authentication, the bad guys must acquire either the physical component of the log-in, or must gain access to the cookies or tokens placed on the device by the authentication mechanism. This can happen in several ways, including a phishing attack, malware or credit-card-reader skimming.

An RSA SecurID key fob.

There is another way, however: account recovery. If you remember what happened to journalist Mat Honan, his accounts were compromised by leveraging the "account recovery" feature. Account recovery resets your current password and emails you a temporary one so that you can log in again. Account recovery works as a tool for breaking two-factor authentication because it "bypasses" 2FA entirely, Fenton explained.

"One of the biggest problems that's not adequately solved is recovery," said Duo Security's Oberheide.
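The recovery weakness the article describes is a design choice, not an inevitability, and the session-cookie point has the same shape: whatever a recovery link or a stolen cookie grants should never be more than the second factor would have granted. The following added example (written for this page, not code from the article or from Duo Security, RSA or any person quoted) models both designs side by side. It assumes a TOTP second factor and an in-memory account store; the class and method names (AccountService, weak_recover, hardened_recover), the 15-minute token lifetime and the sample user "alice" are all constructed for the illustration.

```python
"""Two account-recovery designs side by side (constructed example).

weak_recover mirrors the pattern the article describes: the e-mailed
recovery link alone yields a logged-in session, so whoever can read the
mailbox bypasses 2FA entirely.  hardened_recover still lets a user who
lost a password get back in, but the link only unlocks a password change,
the second factor is still required, the token is single-use and expires,
and existing sessions are revoked so a stolen cookie dies with the reset.
"""
import base64
import hashlib
import hmac
import secrets
import struct


def totp(secret_b32: str, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, computed for a caller-supplied clock."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountService:
    RECOVERY_TTL = 15 * 60  # seconds a recovery token stays valid (assumed value)

    def __init__(self):
        self.users = {}     # user -> credential record
        self.sessions = {}  # session id -> {"user": ..., "mfa": bool}

    def register(self, user: str, password: str, totp_secret: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[user] = {"salt": salt, "pw": _hash_pw(password, salt),
                            "totp": totp_secret, "recovery": None}

    def _issue_session(self, user: str, second_factor_ok: bool) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "mfa": second_factor_ok}
        return sid

    def login(self, user: str, password: str, otp: str, now: float):
        """Normal login: password and TOTP code both required."""
        u = self.users[user]
        if not hmac.compare_digest(_hash_pw(password, u["salt"]), u["pw"]):
            return None
        if not hmac.compare_digest(totp(u["totp"], now), otp):
            return None
        return self._issue_session(user, True)

    def request_recovery(self, user: str, now: float) -> str:
        """Mint the token that would be e-mailed; the server keeps only its hash."""
        token = secrets.token_urlsafe(32)
        self.users[user]["recovery"] = {
            "hash": hashlib.sha256(token.encode()).digest(),
            "expires": now + self.RECOVERY_TTL,
        }
        return token

    def _consume_recovery(self, user: str, token: str, now: float) -> bool:
        rec = self.users[user]["recovery"]
        if rec is None or now > rec["expires"]:
            return False
        if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), rec["hash"]):
            return False
        self.users[user]["recovery"] = None  # single use
        return True

    def weak_recover(self, user: str, token: str, now: float):
        """The flaw: a valid link is exchanged directly for a session, no 2FA."""
        if not self._consume_recovery(user, token, now):
            return None
        return self._issue_session(user, False)

    def hardened_recover(self, user: str, token: str, otp: str,
                         new_password: str, now: float) -> bool:
        """Recovery changes the password but never skips the second factor."""
        u = self.users[user]
        if not hmac.compare_digest(totp(u["totp"], now), otp):
            return False  # wrong OTP: token is not consumed, attacker learns nothing
        if not self._consume_recovery(user, token, now):
            return False
        u["salt"] = secrets.token_bytes(16)
        u["pw"] = _hash_pw(new_password, u["salt"])
        # Revoke every existing session so a previously stolen cookie is useless.
        self.sessions = {k: v for k, v in self.sessions.items() if v["user"] != user}
        return True
```

The two recover methods share the same token handling; the only differences are that the hardened one demands the OTP before it will even consume the token, and that it hands back a password change rather than a session. Checking the OTP first also means a guessed or phished link cannot be "burned" by an attacker to lock the real user out of their own recovery.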