Remember that 2FA can still be phished

It’s very important for any organization which employs 2FA (Two Factor Authentication) to understand that it is likely still possible for someone to phish your employees. There is such a thing as “unphishable” credentials, but by and large most organizations are not yet using them. This means that enabling 2FA on its own is not a silver bullet that makes your organization safe from phishing. Let me explain what I mean.

If you want to avoid being phished, you need to enable not just a second factor, but specifically a second “unphishable” factor. In practice, this means using security keys. Here are a few examples of authentication ‘factors’ which can still be phished:

  • SMS (Text)
  • Call (Voice)
  • Email
  • Authenticator app codes (TOTP)
  • Security Question (don’t get me started)

Using any one of these factors in combination with a password is a big improvement over using a password by itself. For starters, if your password is compromised (say, in a public breach) then without a second factor the attacker can simply log in to your account. However, using one of these second factors does not automatically make your account secure against phishing.

Any second factor which transmits a code, and then has you type the code into the webpage, is almost certainly still vulnerable to phishing. The reason is that the code is just a short secret: you can unwittingly give it to the attacker, and they can type it into the real webpage just the same as you can, as long as they do so before it expires. The same goes for a push prompt that only asks you to approve a login: if the attacker started that login with your relayed password, the login you approve is theirs.

The attack in this case is called “real time phishing” (today usually described as adversary-in-the-middle, or reverse-proxy, phishing). The attacker tricks someone into visiting a website that they think is the legitimate one. Imagine that instead of going to mycompany.com they accidentally go to mycompany.net, a lookalike site that the attacker has purchased and controls. When you try to log in on mycompany.net, the attacker simply takes whatever you type in there and instantly types it into the real website.

Obviously this works for your password, but it also works for your second factor in almost all cases. If you receive a text on your phone with a second factor code and type it into the evil website, the attacker takes that code and types it into the real website before the code expires. Now they are logged in as you! It really is that easy. This attack works with all the methods I listed above, including most uses of authenticator apps, because nothing about a six-digit code ties it to the website it was typed into.

So what can you do? If you really want 2FA to protect you against phishing you need “unphishable” credentials. This generally means security keys (FIDO2/WebAuthn), or some other smart card technology. The second factor must not be a simple ‘code’ that a human can copy. Rather, the authentication should involve a private key. For a security key, the private key is stored on the device itself and never leaves it. During registration the key generates a separate key pair for each site, and during login it uses that site’s private key to sign a challenge from the site, together with data that identifies the site (the relying party ID and the origin the browser is on). The browser, not the webpage, fills in that origin, and it will only let a page use the key pair registered for its own domain. So when you are tricked into “logging in” on mycompany.net, there is no key pair for that site to sign with, and even a signature made there would name mycompany.net and be rejected by mycompany.com. The attacker has nothing to relay.
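To make the difference concrete, here is a small simulation (added here as an illustration; it is not code from the original post and not a real WebAuthn library). It plays the relay attack described above against two second factors: a TOTP authenticator code, which the attacker forwards and the site accepts, and a WebAuthn-style security key, where the assertion is bound to the relying party ID and to the origin the browser fills in. The names (mycompany.com, mycompany.net, alice, the constructed secrets) are assumptions. One simplification: a real security key produces an asymmetric signature with a per-site private key; here a per-site secret and an HMAC stand in for that, while the checks the site performs (challenge, origin, rpIdHash, signature) mirror what a WebAuthn relying party does.

```python
import hashlib
import hmac
import json
import os
import struct

REAL_ORIGIN = "https://mycompany.com"
PHISH_ORIGIN = "https://mycompany.net"  # attacker-controlled lookalike (assumed name)
RP_ID = "mycompany.com"


# ---- Part 1: a TOTP code is just a short secret, so a relay works ----
def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TotpSite:
    """The real site: a password plus a six-digit code; nothing ties the code to a site."""
    def __init__(self, password: str, secret: bytes):
        self.password, self.secret = password, secret

    def login(self, password: str, code: str, now: int) -> bool:
        return password == self.password and hmac.compare_digest(code, totp(self.secret, now))


def relay_totp_attack(site: TotpSite, now: int) -> bool:
    """Victim types password and the current code into PHISH_ORIGIN; the attacker
    forwards both to the real site within the same 30-second window."""
    typed_password, typed_code = site.password, totp(site.secret, now)  # what the victim knows
    return site.login(typed_password, typed_code, now)  # replayed verbatim by the attacker


def totp_scenarios() -> dict:
    site = TotpSite("hunter2", b"constructed-totp-seed")  # constructed sample credentials
    now = 1_700_000_000
    return {"legit": site.login("hunter2", totp(site.secret, now), now),
            "relay": relay_totp_attack(site, now)}


# ---- Part 2: a security key signs site-bound data, so a relay has nothing to forward ----
class Authenticator:
    """Security key: one credential per RP ID. The per-credential secret and HMAC
    stand in for the private key and signature of a real FIDO authenticator."""
    def __init__(self):
        self.creds = {}  # rp_id -> (credential_id, secret)

    def make_credential(self, rp_id: str):
        self.creds[rp_id] = (os.urandom(16), os.urandom(32))
        return self.creds[rp_id]  # the site stores this (a real key hands back a public key)

    def get_assertion(self, rp_id: str, client_data_hash: bytes):
        if rp_id not in self.creds:
            return None  # nothing registered for this site, so nothing to sign
        cred_id, secret = self.creds[rp_id]
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"  # rpIdHash|flags|counter
        return cred_id, auth_data, hmac.new(secret, auth_data + client_data_hash, hashlib.sha256).digest()


class Browser:
    """navigator.credentials.get(): the browser, not the page, writes the origin into
    clientData and refuses an rpId that the current page's domain is not allowed to use."""
    def __init__(self, origin: str, key: Authenticator, enforce_rp_id: bool = True):
        self.origin, self.key, self.enforce_rp_id = origin, key, enforce_rp_id

    def get(self, rp_id: str, challenge: str):
        host = self.origin.split("://", 1)[1]
        if self.enforce_rp_id and host != rp_id and not host.endswith("." + rp_id):
            return None  # a real browser throws SecurityError here
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": self.origin}, sort_keys=True).encode()
        result = self.key.get_assertion(rp_id, hashlib.sha256(client_data).digest())
        if result is None:
            return None
        cred_id, auth_data, sig = result
        return {"id": cred_id, "client_data": client_data, "auth_data": auth_data, "sig": sig}


class WebAuthnSite:
    """Relying party: issues a challenge, then checks challenge, origin, rpIdHash and signature."""
    def __init__(self):
        self.users, self.pending = {}, {}

    def register(self, user: str, key: Authenticator):
        self.users[user] = key.make_credential(RP_ID)

    def begin_login(self, user: str) -> str:
        self.pending[user] = os.urandom(32).hex()
        return self.pending[user]

    def finish_login(self, user: str, assertion) -> bool:
        if assertion is None or user not in self.users:
            return False
        cred_id, secret = self.users[user]
        cd = json.loads(assertion["client_data"])
        if cd.get("type") != "webauthn.get" or cd.get("challenge") != self.pending.pop(user, None):
            return False
        if cd.get("origin") != REAL_ORIGIN:
            return False  # signed on some other site: this is the relay check
        if assertion["id"] != cred_id or assertion["auth_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
            return False
        signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
        return hmac.compare_digest(hmac.new(secret, signed, hashlib.sha256).digest(), assertion["sig"])


def webauthn_scenarios() -> dict:
    key, site = Authenticator(), WebAuthnSite()
    site.register("alice", key)
    out = {"legit": site.finish_login("alice", Browser(REAL_ORIGIN, key).get(RP_ID, site.begin_login("alice")))}
    phish = Browser(PHISH_ORIGIN, key)  # attacker starts a real login and forwards its challenge
    out["relay_real_rpid"] = site.finish_login("alice", phish.get(RP_ID, site.begin_login("alice")))  # browser refuses
    out["relay_own_rpid"] = site.finish_login("alice", phish.get("mycompany.net", site.begin_login("alice")))  # no key pair
    buggy = Browser(PHISH_ORIGIN, key, enforce_rp_id=False)  # hypothetical browser that skips the rpId check
    out["relay_buggy_browser"] = site.finish_login("alice", buggy.get(RP_ID, site.begin_login("alice")))  # origin mismatch
    return out
```

`totp_scenarios()` reports the relay succeeding exactly as a legitimate login does, because the site has nothing but the code to judge. `webauthn_scenarios()` shows the three layers that stop the relay in turn: the browser refuses to use mycompany.com’s credential from a mycompany.net page, the key has no credential for mycompany.net, and even a (hypothetical) browser that skipped the first check would produce an assertion naming the wrong origin, which the site rejects.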

So, in conclusion, please remember that 2FA can almost always still be phished unless the second factor is a security key or similar credential that is bound to the site you are logging in to.

About the author

Professional hacker & security engineer. Currently at Google, opinions all my own. On Twitter as @zaeyx. Skydiver, snowboarder, writer, weightlifter, runner, energetic to the point of being a bit crazy.
