2-Factor Authentication is great, but it's not a silver bullet
This week's featured article is more like a featured topic: two-factor authentication, or 2FA. 2FA is getting more and more common, and it's great, but we think it's important to remember that it is not the silver bullet of secure authentication. 2FA can be bypassed, either by a flaw or by design, and phishers are getting better at bypassing it.
2FA can be badly implemented, resulting in the authentication system being no stronger than classic, password-based login. This is what happened with LastPass recently, which stored the 2FA secret seed under a URL that could be derived from your master password. While this URL needed authentication to be accessed, and the content of the query string was protected by HTTPS, it was possible to get it by forcing the target to make the request for us using Cross-Site Request Forgery (CSRF). Thankfully, this is now fixed.
Please also remember that you often have ways to log in without 2FA; this is generally the case for API or third-party application access. The Russian hacking group blamed for targeting U.S. and European elections has been breaking into email accounts by leveraging this fact. They sent fake emails pretending to be from Google, suggesting that users install a security app called "Google Defender." However, the application was actually a ruse that duped users into giving up a special access token for their Google account, known as an OAuth token. OAuth tokens can provide a long-lived, stealthy backdoor to your account, and often resetting your password won't even revoke this access.
Finally, a lot of services enforcing 2FA allow you to "remember this device for X days", so that they conveniently only ask for your password for a month after you've logged in once using 2FA. This can be leveraged by phishing websites, which act as a proxy between you and the targeted service. They ask for your password (and steal it), pass it on to the target site to log in, then forward you the request for the second factor. Once fully logged in, they keep the "remember me" cookie so they can log in whenever they want, using just your (stolen) password. Some tools, such as Evilginx, even automate this for popular targets such as Google or Facebook.
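The two previous paragraphs describe long-lived credentials (OAuth tokens and "remember this device" cookies) that survive a password reset. The following is an added example, not code from the original article or from any of the services mentioned, showing one server-side mitigation: every such credential is signed together with a per-account password generation counter, and a password reset bumps the counter, so stolen cookies and tokens issued before the reset stop working. The signing key, the token format and the `Account` class are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time

# Assumed for this example: a per-deployment secret used to sign tokens.
SERVER_KEY = secrets.token_bytes(32)


def _sign(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


class Account:
    """Minimal account model (constructed for this example)."""

    def __init__(self) -> None:
        self.pw_generation = 1  # incremented on every password change

    def _issue(self, kind: str, ttl_seconds: int, now: float) -> str:
        # Token layout: kind.generation.expiry.nonce.signature
        body = f"{kind}.{self.pw_generation}.{int(now + ttl_seconds)}.{secrets.token_hex(8)}"
        return f"{body}.{_sign(body)}"

    def issue_remember_device(self, now=None, days: int = 30) -> str:
        now = time.time() if now is None else now
        return self._issue("remember", days * 86400, now)

    def issue_oauth_token(self, now=None, days: int = 365) -> str:
        now = time.time() if now is None else now
        return self._issue("oauth", days * 86400, now)

    def accept(self, token: str, now=None) -> bool:
        now = time.time() if now is None else now
        body, _, sig = token.rpartition(".")
        if not hmac.compare_digest(sig, _sign(body)):
            return False  # forged or tampered token
        _kind, gen, expiry, _nonce = body.split(".")
        if float(expiry) < now:
            return False  # past its TTL
        # Anything issued before the last password reset is rejected,
        # without having to track each outstanding token individually.
        return int(gen) == self.pw_generation

    def reset_password(self) -> None:
        # Revokes every remember-device cookie and OAuth token at once.
        self.pw_generation += 1
```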
Enabling 2FA wherever you can is still a tremendous enhancement for your account's security, so please do it, but remember that you can still get pwned while having 2FA: stay vigilant about what access you give to third-party systems and where you enter your credentials.