Why a hardware authenticator is more secure than a 2FA app
Two-factor authentication is a safety belt against identity theft and data loss. However, sophisticated phishing kits and current political developments are threatening companies with a veritable wave of 2FA attacks. So it’s high time to put your own procedures to the test and replace insecure smartphone apps with a hardware authenticator.
The German Federal Office for Information Security (BSI) has identified an increased threat situation for Germany in light of global political developments. Companies, organizations and authorities should therefore review their IT security measures and adapt them to the current threat situation. This also applies to two-factor authentication, because not every 2FA procedure offers sufficient security. In the worst case, a Trojan could even be hiding directly in the authenticator app on the smartphone!
Why 2FA with TOTP is more secure than with calls or SMS
As early as 2020, Alex Weinert, Director of Identity Security at Microsoft, strongly advised in the Microsoft Entra (Azure AD) Tech Community blog against phone-based 2FA solutions that deliver one-time passwords via SMS or voice call. SMS and voice protocols are unencrypted and can be intercepted. There is also the threat of attacks via second SIM cards (SIM swapping) and of Trojans that read text messages on the smartphone. Phone-based two-factor authentication harbors yet another danger: attackers who already hold a user’s username and password (the first factor) send whole series of phone-based authentication requests to the user’s cell phone in order to obtain the second factor as well.
If the user now presses the # key to confirm their 2FA login, the attackers gain full access to their user account. A member of the ransomware group Lapsus$ describes the simple procedure as follows: “Call the employee a hundred times at one in the morning while they are trying to sleep and they will most likely accept it.” According to the hackers, they also hijacked the VPN access of a Microsoft employee in this way. However, the method is not entirely new, because according to the security experts at Mandiant, the hacker group Nobelium, which US intelligence services attribute to the Russian foreign intelligence service SVR, previously used so-called “MFA Prompt Bombing” for their attacks.
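The prompt-bombing pattern described above leaves a clear trace in sign-in logs: many MFA prompts to one user in a short window, followed by an approval. The following detection script is an added example (not from the article); the log format and the sample lines are constructed, and the threshold and window are assumptions to tune per environment.

```python
"""Flag MFA prompt bombing in sign-in logs (added example, not from the article).

Assumed, constructed log format: one line per MFA prompt,
"<ISO timestamp> user=<name> mfa=<push|call|sms> result=<sent|approved|denied>".
A user with at least THRESHOLD prompts inside WINDOW is flagged; an approval
inside such a burst is the event worth paging on.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumption: burst window
THRESHOLD = 5                    # assumption: prompts per user inside WINDOW

# Constructed sample: alice is hammered at 01:00 and finally taps approve; bob is a normal login.
SAMPLE_LOG = """\
2022-03-21T01:00:05Z user=alice mfa=call result=sent
2022-03-21T01:00:40Z user=alice mfa=call result=sent
2022-03-21T01:01:12Z user=alice mfa=call result=denied
2022-03-21T01:02:03Z user=alice mfa=call result=sent
2022-03-21T01:03:30Z user=alice mfa=call result=sent
2022-03-21T01:04:55Z user=alice mfa=call result=sent
2022-03-21T01:05:10Z user=alice mfa=call result=approved
2022-03-21T08:30:00Z user=bob mfa=push result=sent
2022-03-21T08:30:09Z user=bob mfa=push result=approved
"""

def parse(line):
    """Split one log line into a dict; the timestamp becomes a datetime."""
    ts, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields

def find_prompt_bombing(log_text):
    """Return {user: (prompts_in_burst, approved_during_burst)} for flagged users."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        e = parse(line)
        events[e["user"]].append(e)
    flagged = {}
    for user, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):          # sliding window from each prompt
            burst = [e for e in evs[i:] if e["ts"] - start["ts"] <= WINDOW]
            if len(burst) >= THRESHOLD:
                approved = any(e["result"] == "approved" for e in burst)
                flagged[user] = (len(burst), approved)
                break
    return flagged

if __name__ == "__main__":
    for user, (n, approved) in find_prompt_bombing(SAMPLE_LOG).items():
        print(f"{user}: {n} MFA prompts within 10 min" + (", one APPROVED" if approved else ""))
```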
Time-limited TOTP one-time passwords are much more secure than transmitting the second factor by phone call or SMS. These time-based one-time passwords are generated by an authenticator from a secret key. The confidentiality of this secret key is therefore crucial when using 2FA with TOTP.
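To make concrete why the secret key is the crux, here is an RFC 6238 TOTP generator and verifier, added as an example (not code from the article or from REINER SCT). It uses the RFC's published test secret; because the code is a pure function of secret and time, any copy of the secret, whether on a hardware token or on a compromised phone, produces identical codes.

```python
"""RFC 6238 TOTP (HMAC-SHA1, 30 s steps, 6 digits), added example, not the article's code."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP = 30      # seconds per time step (RFC 6238 default)
DIGITS = 6     # code length

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: Optional[int] = None) -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / STEP)."""
    t = int(time.time()) if at is None else at
    return hotp(secret, t // STEP)

def verify(secret: bytes, code: str, at: Optional[int] = None, skew: int = 1) -> bool:
    """Constant-time check of a submitted code, tolerating +/- `skew` steps of clock drift."""
    t = int(time.time()) if at is None else at
    counter = t // STEP
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-skew, skew + 1))

def secret_from_base32(b32: str) -> bytes:
    """Decode the base32 secret carried by enrollment QR codes (otpauth:// URIs)."""
    s = b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

if __name__ == "__main__":
    # RFC 6238 test vector: ASCII secret "12345678901234567890", T=59 -> 94287082 (8 digits)
    rfc_secret = b"12345678901234567890"
    print(totp(rfc_secret, at=59))                      # 287082 (last six digits)
    # The same secret enrolled on a second device yields the same code: whoever
    # holds the key holds the second factor.
    copied = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print(copied == rfc_secret, totp(copied, at=59), verify(copied, "287082", at=89))
```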
How risky authenticator apps on the smartphone are
According to Verizon’s Mobile Security Index 2021, 40 percent of companies surveyed have recognized that mobile devices pose the greatest IT security threat to their company. Despite this, many companies continue to rely on smartphone apps for two-factor authentication. This can have fatal consequences for the confidentiality of secret keys and other login data:
- Phishing overlays: The Escobar Trojan discovered in March 2022 not only steals bank details and SMS messages, but also TOTP one-time passwords generated via Google Authenticator for 2FA login. According to Cyble Research Labs, the malware disguised as a McAfee antivirus program uses overlay login forms to conceal input screens and steal login data unnoticed.
- Malware dropper: In early 2022, researchers from Pradeo discovered a smartphone app called 2FA Authenticator, which was installed more than 10,000 times via Google Play. Cybercriminals used this app to download the malware Vultur, which steals sensitive data through screen recordings. In theory, malware droppers like this can be used to smuggle any type of malware onto a smartphone.
- Remote access Trojans: In August 2019, Avira reported on the Cerberus banking Trojan, which sends stolen banking data to the attacker’s server. In January 2020, security researchers at ThreatFabric discovered a new version of the malware, which is now also targeting the 2FA tokens of the Google Authenticator as well as PIN codes and swipe patterns for the smartphone screen lock.
These examples clearly show that although two-factor authentication offers a useful additional layer of security, it does not protect companies from hacker attacks per se. This is particularly true if employees generate the one-time TOTP passwords required for the 2FA login on compromisable devices that can transmit data to the attacker in real time via an internet connection.
Why a hardware authenticator provides significantly better protection
TOTP generators with dedicated hardware that work without an internet connection are much more secure than an authenticator app on a smartphone. The REINER SCT Authenticator, for example, is a handy and intuitive solution that manages up to 60 user accounts. The compact device is just as easy to configure using QR codes as a smartphone app and offers companies maximum security:
- No malware: As a closed system with its own hardware “Made in Germany”, the REINER SCT Authenticator is significantly more secure than a smartphone solution and offers the best possible protection against external attacks. Malware has no chance here.
- No data theft: The hardware-based authenticator does not use any online services and works without an internet connection. Real-time transmission of the time-limited TOTP one-time passwords to potential attackers is therefore impossible.
- No shadow IT: Company-wide use of the hardware authenticator prevents hard-to-administer shadow IT in the form of private smartphones that may no longer receive security updates.
In view of the dangers posed by smartphones, even private users are asking themselves whether an authenticator app still guarantees sufficient “state-of-the-art security”. Companies, on the other hand, must ask themselves this question – not only to protect their own IT infrastructure, but also to meet the strict requirements of the EU General Data Protection Regulation (GDPR). If necessary, it may even make sense to regulate the exclusive use of two-factor authentication and the use of a hardware authenticator for employees by means of a corresponding declaration of commitment.
The advantages of a hardware authenticator for IT
In addition to the security aspects, company-wide standardized, hardware-based end devices for two-factor authentication also offer various advantages for IT administration. This is because solutions such as the REINER SCT Authenticator are “Easy to Use – Easy to Integrate – Easy to Support”. The intuitive operation reduces support requests when rolling out the devices. Business and private use of the hardware authenticator poses no risk, but rather increases awareness of IT security. And there is no need to maintain different device versions or even different smartphone worlds (iPhone/Android).
Ultimately, standardized solutions for 2FA and TOTP relieve the burden on corporate IT, freeing up more time for employee training – training that is urgently needed in the face of fully automated cyber attacks and sophisticated phishing kits. This is where the next wave of attacks is looming: researchers at Stony Brook University and Palo Alto Networks have already identified at least 1,200 phishing kits that capture or intercept 2FA security codes through man-in-the-middle attacks.