The general feeling by security analysts and specialists around user authentication is that two factor authentication alone is not enough to protect against the misuse of stolen credentials. This is in part because many forms of second factor authentication can be exploited.
One such example is “Push-to-Accept”. This method utilizes something the user has (typically a mobile device) and something the user knows (username and password) for authenticating the user, but often can be easily exploited.
This is largely due to the hustle and bustle society that we live in today. The appearance of the smartphone ushered huge innovation into our lives. This is great from an enablement standpoint but it also means that we’re never really disconnected. With all the methods of communication available to us on our mobile devices, it is easy to get distracted or even sometimes overwhelmed with notifications from Email, text, instant messengers, social media and news applications.
This is where the exploitation by hackers comes in. We’ve all been in similar scenarios. We’re trying to capture a flight, catch a train, get out the door or get to that next meeting. Trying to be hyper productive, we’re attempting to catch up on e-mail and respond to text messages while ‘on the run’. Behold a popup authentication message comes to our phone just as we are responding to that critical email. At the moment, the message is keeping us from completing the immediate tasks at hand. When we are rushed, this is simply one more annoying task that needs to be completed so we can move on to the remaining critical tasks.
Cyber attackers know this and prey on it. They play the odds that if they go ahead and request authentication using stolen credentials that involve prompting the user for a login request that there is a percentage of users that will simply accept the login request without reading the details around the request or even asking themselves “did I just try to authenticate to an application or resource?”. Unfortunately, many users treat it like the accept button for the terms and conditions on a new mobile application. The vast majority of people never really pay attention and simply auto-push “Accept”.
The solution to this exploitation comes in two forms. The first is to educate the users so that they ask the question “have I just requested access to authenticate to an application or resource?”. In doing so it should cause a moment of pause around the login request to ensure that it is a valid request initiated by them. The second is to force the user to think and get out of auto-pilot mode. For example you can have the user choose a specific item from a series of images, numbers or letters on their phone that match what is displayed on a PC or tablet screen. This causes that user to take pause from what they are currently doing to read and understand the details of a login request presented to them because there is no yes/no or go/stop option. Requiring the user to choose among four random images, numbers, or letters and match them to what is seen on an access device screen, becomes a forcing function that is much more difficult for users to simply auto-respond to.
At SecureAuth, we have developed what we call ‘Symbol-to-Accept’, a safer alternative authentication method to ‘Push-to-Accept’. See the diagram below for an example:
Second factor authentication is still a great step toward protecting resources and gating access. At SecureAuth we believe to have true confidence there is not a misuse of stolen credentials, organizations need to combined multi-factor authentication with additional risk analysis layers, we call Adaptive Authentication. These pre-authentication risk checks ensure that the person misusing the stolen credentials and exploiting a second-factor will still be prevented from gaining access to your resources and applications.
