Many people (even infosec experts) seem to be confused about what "two-factor authentication" (2FA) really is.
Let me begin with some basics. There are 3 fundamentally different ways in which a human can authenticate themselves to a computer:
- With something they know (password, passphrase, PIN)
- With something they have (e.g., a smartcard)
- With something they are (biometrics - fingerprint, face scan, palm scan, etc.)
Is authenticating with a password plus a code sent to your phone by SMS "2FA"? No, it is not! The phone itself is "something you have", but it is not the phone that performs the authentication. It is you. You learn something (the number in the SMS) and present this newly acquired "something you know" alongside your password. The correct term for this process is not "2FA" but "2SV", "two-step verification": you use two instances of the same factor ("something you know"), merely obtained by different routes. A genuine second factor is one where the device itself answers the server (as a smartcard does), so there is no number for you to read and re-type.
Why does this matter? Because authentication that rests solely on "something you know" factors is vulnerable to phishing. If the attacker can convince you that their page is the legitimate login page, they can steal any "something you know" information you enter for authentication and use it themselves. The only inconvenience 2SV introduces for the attacker is that the code sent to the phone usually expires within minutes and differs each time, so it cannot be stored and used at some later date. That is not a real obstacle: the attacker simply automates the process, forwarding your password and code to the real site the moment you type them (a real-time, adversary-in-the-middle phishing proxy), well inside the code's validity window.
Now, while most people are aware that SMS-based authentication is insecure for this reason (and because of other flaws, such as SS7 attacks, which I will leave aside here), they are usually quite surprised to learn that an app like Google Authenticator running on your smartphone has exactly the same problem. Such apps aren't 2FA; they are 2SV and are vulnerable to phishing. Hardware tokens that display a new number at the press of a button (such as the RSA SecurID token) suffer from exactly the same weakness. Using them is not 2FA; it is 2SV. In every one of these cases the device merely shows you a number that you then type in, so the proof of possession is reduced to "something you know" the moment it appears on the screen, and a phishing page can collect it like any other secret.
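The relay attack described above, as an added example that is not part of the original post: a standard TOTP implementation (the arithmetic Google Authenticator and similar apps perform) together with a simulated real-time phishing relay, and, going a step beyond the text, a contrast with a simplified challenge-response authenticator whose answer is bound to the origin the browser is actually visiting, in the manner of FIDO2/WebAuthn. `OtpSite`, `BoundSite`, `device_respond`, the password, the origins and the secrets are all constructed stand-ins for this demonstration, and the HMAC in `device_respond` stands in for a device signature.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed demo credentials; a real deployment would use per-user secrets.
PASSWORD = "correct horse battery staple"
OTP_SECRET = b"12345678901234567890"          # RFC 4226/6238 test-vector secret
DEVICE_KEY = secrets.token_bytes(32)          # key held inside a hypothetical authenticator
REAL_ORIGIN = "https://bank.example"          # hypothetical origins
PHISH_ORIGIN = "https://bank.example.login-verify.net"
STEP = 30                                     # TOTP time step in seconds


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, step: int = STEP) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the clock."""
    return hotp(secret, int(now // step))


class OtpSite:
    """Real site using password + TOTP; tolerates one step of clock drift."""

    def __init__(self, password: str, otp_secret: bytes) -> None:
        self.password = password
        self.otp_secret = otp_secret

    def login(self, password: str, code: str, now: float) -> bool:
        if not hmac.compare_digest(password, self.password):
            return False
        step = int(now // STEP)
        return any(hmac.compare_digest(code, hotp(self.otp_secret, step + d))
                   for d in (-1, 0, 1))


def otp_relay_attack(relay_delay: float, t_phish: float = 1_700_000_000.0) -> bool:
    """Victim types password + current code into the phishing page at t_phish;
    the attacker forwards both to the real site relay_delay seconds later."""
    site = OtpSite(PASSWORD, OTP_SECRET)
    captured_password = PASSWORD               # read straight off the phishing form
    captured_code = totp(OTP_SECRET, t_phish)  # what the app or SMS showed the victim
    return site.login(captured_password, captured_code, t_phish + relay_delay)


def device_respond(device_key: bytes, challenge: bytes, origin: str) -> bytes:
    """HMAC stands in for the device's signature over challenge || origin.
    The browser, not the user, supplies the origin it is connected to."""
    return hmac.new(device_key, challenge + origin.encode(), hashlib.sha256).digest()


class BoundSite:
    """Site whose second factor is a challenge answered by the device itself.
    The expected response covers the site's own origin, so a response produced
    while the browser sits on a phishing origin does not verify."""

    def __init__(self, password: str, device_key: bytes, origin: str) -> None:
        self.password = password
        self.device_key = device_key
        self.origin = origin

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def login(self, password: str, challenge: bytes, response: bytes) -> bool:
        if not hmac.compare_digest(password, self.password):
            return False
        expected = device_respond(self.device_key, challenge, self.origin)
        return hmac.compare_digest(response, expected)


def bound_login(origin_seen_by_browser: str) -> bool:
    """Whoever contacts the site gets a challenge; a phishing proxy relays it to
    the victim, whose browser hands it to the device with the origin it is on."""
    site = BoundSite(PASSWORD, DEVICE_KEY, REAL_ORIGIN)
    challenge = site.new_challenge()
    response = device_respond(DEVICE_KEY, challenge, origin_seen_by_browser)
    return site.login(PASSWORD, challenge, response)


if __name__ == "__main__":
    print("TOTP relayed after 2 s  :", otp_relay_attack(2))        # True
    print("TOTP relayed after 120 s:", otp_relay_attack(120))      # False
    print("bound, real origin      :", bound_login(REAL_ORIGIN))   # True
    print("bound, phishing origin  :", bound_login(PHISH_ORIGIN))  # False
```

The two halves make the post's distinction concrete: the TOTP code is a short-lived secret the victim can be talked into handing over, and the only thing the attacker has to get right is speed. The origin-bound response never passes through the user's hands at all, and because the browser folds the real origin into what the device signs, the attacker's copy is worthless against the real site no matter how fast it is relayed.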