Bookswagon-24x7 online bookstore
Hacking Multifactor Authentication

International Edition


About the Book

Protect your organization from scandalously easy-to-hack MFA security “solutions” 

Multifactor authentication (MFA) is spreading like wildfire across digital environments, yet hundreds of millions of dollars have been stolen from MFA-protected online accounts. How? Most people who use MFA have been told that it is far less hackable than other types of authentication, or even that it is unhackable. You might be shocked to learn that every MFA solution can be hacked, and many of them easily. That's right: there is no perfectly safe MFA solution. In fact, most can be hacked in at least five different ways. Hacking Multifactor Authentication shows you how MFA works behind the scenes and how poorly linked authentication steps allow MFA to be bypassed and compromised.

This book covers over two dozen ways that various MFA solutions can be hacked, including the methods (and defenses) common to all MFA solutions. You'll learn about the various types of MFA solutions, their strengths and weaknesses, and how to pick the best, most defensible MFA solution for your (or your customers') needs. Finally, this book reveals a simple method for quickly evaluating your existing MFA solutions. If using or developing a secure MFA solution is important to you, you need this book.

  • Learn how different types of multifactor authentication work behind the scenes
  • See how easy it is to hack MFA security solutions—no matter how secure they seem
  • Identify the strengths and weaknesses in your (or your customers') existing MFA security and learn how to mitigate them

Author Roger Grimes is an internationally known security expert whose work on hacking MFA has generated significant buzz in the security world. Read this book to learn what decisions and preparations your organization needs to take to prevent losses from MFA hacking.

Table of Contents:

Introduction xxv

Who This Book is For xxvii

What is Covered in This Book? xxvii

MFA is Good xxx

How to Contact Wiley or the Author xxxi

Part I Introduction 1

1 Logon Problems 3

It’s Bad Out There 3

The Problem with Passwords 5

Password Basics 9

Identity 9

The Password 10

Password Registration 11

Password Complexity 11

Password Storage 12

Password Authentication 13

Password Policies 15

Passwords Will Be with Us for a While 18

Password Problems and Attacks 18

Password Guessing 19

Password Hash Cracking 23

Password Stealing 27

Passwords in Plain View 28

Just Ask for It 29

Password Hacking Defenses 30

MFA Riding to the Rescue? 31

Summary 32

2 Authentication Basics 33

Authentication Life Cycle 34

Identity 35

Authentication 46

Authorization 54

Accounting/Auditing 54

Standards 56

Laws of Identity 56

Authentication Problems in the Real World 57

Summary 58

3 Types of Authentication 59

Personal Recognition 59

Knowledge-Based Authentication 60

Passwords 60

PINs 62

Solving Puzzles 64

Password Managers 69

Single Sign-Ons and Proxies 71

Cryptography 72

Encryption 73

Public Key Infrastructure 76

Hashing 79

Hardware Tokens 81

One-Time Password Devices 81

Physical Connection Devices 83

Wireless 87

Phone-Based 89

Voice Authentication 89

Phone Apps 89

SMS 92

Biometrics 92

FIDO 93

Federated Identities and APIs 94

OAuth 94

APIs 96

Contextual/Adaptive 96

Less Popular Methods 97

Voice over Radio 97

Paper-Based 98

Summary 99

4 Usability vs Security 101

What Does Usability Mean? 101

We Don’t Really Want the Best Security 103

Security Isn’t Usually Binary 105

Too Secure 106

Seven-Factor MFA 106

Moving ATM Keypad Numbers 108

Not as Worried as You Think About Hacking 109

Unhackable Fallacy 110

Unbreakable Oracle 113

DJB 113

Unhackable Quantum Cryptography 114

We are Reactive Sheep 115

Security Theater 116

Security by Obscurity 117

MFA Will Cause Slowdowns 117

MFA Will Cause Downtime 118

No MFA Solution Works Everywhere 118

Summary 119

Part II Hacking MFA 121

5 Hacking MFA in General 123

MFA Dependency Components 124

Enrollment 125

User 127

Devices/Hardware 127

Software 128

API 129

Authentication Factors 129

Authentication Secrets Store 129

Cryptography 130

Technology 130

Transmission/Network Channel 131

Namespace 131

Supporting Infrastructure 131

Relying Party 132

Federation/Proxies 132

Alternate Authentication Methods/Recovery 132

Migrations 133

Deprovision 133

MFA Component Conclusion 134

Main Hacking Methods 134

Technical Attacks 134

Human Element 135

Physical 137

Two or More Hacking Methods Used 137

“You Didn’t Hack the MFA!” 137

How MFA Vulnerabilities are Found 138

Threat Modeling 138

Code Review 138

Fuzz Testing 138

Penetration Testing 139

Vulnerability Scanning 139

Human Testing 139

Accidents 140

Summary 140

6 Access Control Token Tricks 141

Access Token Basics 141

Access Control Token General Hacks 142

Token Reproduction/Guessing 142

Token Theft 145

Reproducing Token Hack Examples 146

Network Session Hijacking Techniques and Examples 149

Firesheep 149

MitM Attacks 150

Access Control Token Attack Defenses 157

Generate Random, Unguessable Session IDs 157

Use Industry-Accepted Cryptography and Key Sizes 158

Developers Should Follow Secure Coding Practices 159

Use Secure Transmission Channels 159

Include Timeout Protections 159

Tie the Token to Specific Devices or Sites 159

Summary 161

7 Endpoint Attacks 163

Endpoint Attack Risks 163

General Endpoint Attacks 165

Programming Attacks 165

Physical Access Attacks 165

What Can an Endpoint Attacker Do? 166

Specific Endpoint Attack Examples 169

Bancos Trojans 169

Transaction Attacks 171

Mobile Attacks 172

Compromised MFA Keys 173

Endpoint Attack Defenses 174

MFA Developer Defenses 174

End-User Defenses 177

Summary 179

8 SMS Attacks 181

Introduction to SMS 181

SS7 184

Biggest SMS Weaknesses 186

Example SMS Attacks 187

SIM Swap Attacks 187

SMS Impersonation 191

SMS Buffer Overflow 194

Cell Phone User Account Hijacking 195

Attacks Against the Underlying Supporting Infrastructure 196

Other SMS-Based Attacks 196

SIM/SMS Attack Method Summary 197

NIST Digital Identity Guidelines Warning 198

Defenses to SMS-Based MFA Attacks 199

Developer Defenses 199

User Defenses 201

Is RCS Here to Save Mobile Messaging? 202

Is SMS-Based MFA Still Better than Passwords? 202

Summary 203

9 One-Time Password Attacks 205

Introduction to OTP 205

Seed Value-Based OTPs 208

HMAC-Based OTP 209

Event-Based OTP 211

TOTP 212

Example OTP Attacks 217

Phishing OTP Codes 217

Poor OTP Creation 219

OTP Theft, Re-Creation, and Reuse 219

Stolen Seed Database 220

Defenses to OTP Attacks 222

Developer Defenses 222

Use Reliable and Trusted and Tested OTP Algorithms 223

OTP Setup Code Must Expire 223

OTP Result Code Must Expire 223

Prevent OTP Replay 224

Make Sure Your RNG is NIST-Certified or Quantum 224

Increase Security by Requiring Additional Entry Beyond OTP Code 224

Stop Brute-Forcing Attacks 224

Secure Seed Value Database 225

User Defenses 225

Summary 226

10 Subject Hijack Attacks 227

Introduction 227

Example Attacks 228

Active Directory and Smartcards 228

Simulated Demo Environment 231

Subject Hijack Demo Attack 234

The Broader Issue 240

Dynamic Access Control Example 240

ADFS MFA Bypass 241

Defenses to Component Attacks 242

Threat Model Dependency Abuse Scenarios 242

Secure Critical Dependencies 242

Educate About Dependency Abuses 243

Prevent One to Many Mappings 244

Monitor Critical Dependencies 244

Summary 244

11 Fake Authentication Attacks 245

Learning About Fake Authentication Through UAC 245

Example Fake Authentication Attacks 251

Look-Alike Websites 251

Fake Office 365 Logons 252

Using an MFA-Incompatible Service or Protocol 253

Defenses to Fake Authentication Attacks 254

Developer Defenses 254

User Defenses 256

Summary 257

12 Social Engineering Attacks 259

Introduction 259

Social Engineering Commonalities 261

Unauthenticated Communication 261

Nonphysical 262

Usually Involves Well-Known Brands 263

Often Based on Notable Current Events and Interests 264

Uses Stressors 264

Advanced: Pretexting 265

Third-Party Reliances 266

Example Social Engineering Attacks on MFA 266

Fake Bank Alert 267

Crying Babies 267

Hacking Building Access Cards 268

Defenses to Social Engineering Attacks on MFA 270

Developer Defenses to MFA 270

User Defenses to Social Engineering Attacks 271

Summary 273

13 Downgrade/Recovery Attacks 275

Introduction 275

Example Downgrade/Recovery Attacks 276

Alternate Email Address Recovery 276

Abusing Master Codes 280

Guessing Personal-Knowledge Questions 281

Defenses to Downgrade/Recovery Attacks 287

Developer Defenses to Downgrade/Recovery Attacks 287

User Defenses to Downgrade/Recovery Attacks 292

Summary 294

14 Brute-Force Attacks 295

Introduction 295

Birthday Attack Method 296

Brute-Force Attack Methods 297

Example of Brute-Force Attacks 298

OTP Bypass Brute-Force Test 298

Instagram MFA Brute-Force 299

Slack MFA Brute-Force Bypass 299

UAA MFA Brute-Force Bug 300

Grab Android MFA Brute-Force 300

Unlimited Biometric Brute-Forcing 300

Defenses Against Brute-Force Attacks 301

Developer Defenses Against Brute-Force Attacks 301

User Defenses Against Brute-Force Attacks 305

Summary 306

15 Buggy Software 307

Introduction 307

Common Types of Vulnerabilities 308

Vulnerability Outcomes 316

Examples of Vulnerability Attacks 317

Uber MFA Vulnerability 317

Google Authenticator Vulnerability 318

YubiKey Vulnerability 318

Multiple RSA Vulnerabilities 318

SafeNet Vulnerability 319

Login.gov 319

ROCA Vulnerability 320

Defenses to Vulnerability Attacks 321

Developer Defenses Against Vulnerability Attacks 321

User Defenses Against Vulnerability Attacks 322

Summary 323

16 Attacks Against Biometrics 325

Introduction 325

Biometrics 326

Common Biometric Authentication Factors 327

How Biometrics Work 337

Problems with Biometric Authentication 339

High False Error Rates 340

Privacy Issues 344

Disease Transmission 345

Example Biometric Attacks 345

Fingerprint Attacks 345

Hand Vein Attack 348

Eye Biometric Spoof Attacks 348

Facial Recognition Attacks 349

Defenses Against Biometric Attacks 352

Developer Defenses Against Biometric Attacks 352

User/Admin Defenses Against Biometric Attacks 354

Summary 355

17 Physical Attacks 357

Introduction 357

Types of Physical Attacks 357

Example Physical Attacks 362

Smartcard Side-Channel Attack 362

Electron Microscope Attack 364

Cold-Boot Attacks 365

Snooping On RFID-Enabled Credit Cards 367

EMV Credit Card Tricks 370

Defenses Against Physical Attacks 370

Developer Defenses Against Physical Attacks 371

User Defenses Against Physical Attacks 372

Summary 375

18 DNS Hijacking 377

Introduction 377

DNS 378

DNS Record Types 382

Common DNS Hacks 382

Example Namespace Hijacking Attacks 388

DNS Hijacking Attacks 388

MX Record Hijacks 388

Dangling CDN Hijack 389

Registrar Takeover 390

DNS Character Set Tricks 390

ASN.1 Tricks 392

BGP Hijacks 392

Defenses Against Namespace Hijacking Attacks 393

Developer Defenses 394

User Defenses 395

Summary 397

19 API Abuses 399

Introduction 399

Common Authentication Standards and Protocols Involving APIs 402

Other Common API Standards and Components 411

Examples of API Abuse 414

Compromised API Keys 414

Bypassing PayPal 2FA Using an API 415

Auth0 MFA Bypass 416

Authy API Format Injection 417

Duo API As-Designed MFA Bypass 417

Microsoft OAuth Attack 419

Sign In with Apple MFA Bypass 419

Token TOTP BLOB Future Attack 420

Defenses Against API Abuses 420

Developer Defenses Against API Abuses 420

User Defenses Against API Abuses 422

Summary 423

20 Miscellaneous MFA Hacks 425

Amazon Mystery Device MFA Bypass 425

Obtaining Old Phone Numbers 426

Auto-Logon MFA Bypass 427

Password Reset MFA Bypass 427

Hidden Cameras 427

Keyboard Acoustic Eavesdropping 428

Password Hints 428

HP MFA DoS 429

Trojan TOTP 429

Hackers Turn MFA to Defeat You 430

Summary 430

21 Test: Can You Spot the Vulnerabilities? 431

Threat Modeling MFA Solutions 431

Document and Diagram the Components 432

Brainstorm Potential Attacks 432

Estimate Risk and Potential Losses 434

Create and Test Mitigations 436

Do Security Reviews 436

Introducing the Bloomberg MFA Device 436

Bloomberg, L.P. and the Bloomberg Terminal 437

New User B-Unit Registration and Use 438

Threat-Modeling the Bloomberg MFA Device 439

Threat-Modeling the B-Unit in a General Example 440

Specific Possible Attacks 441

Multi-Factor Authentication Security Assessment Tool 450

Summary 451

Part III Looking Forward 453

22 Designing a Secure Solution 455

Introduction 455

Exercise: Secure Remote Online Electronic Voting 457

Use Case Scenario 457

Threat Modeling 458

SDL Design 460

Physical Design and Defenses 461

Cryptography 462

Provisioning/Registration 463

Authentication and Operations 464

Verifiable/Auditable Vote 466

Communications 467

Backend Blockchain Ledger 467

Migration and Deprovisioning 470

API 470

Operational Training 470

Security Awareness Training 470

Miscellaneous 471

Summary 471

23 Selecting the Right MFA Solution 473

Introduction 473

The Process for Selecting the Right MFA Solution 476

Create a Project Team 477

Create a Project Plan 478

Educate 479

Determine What Needs to Be Protected 479

Choose Required and Desired Features 480

Research/Select Vendor Solutions 488

Conduct a Pilot Project 490

Select a Winner 491

Deploy to Production 491

Summary 491

24 The Future of Authentication 493

Cyber Crime is Here to Stay 493

Future Attacks 494

Increasingly Sophisticated Automation 495

Increased Nation-State Attacks 496

Cloud-Based Threats 497

Automated Attacks Against MFA 497

What is Likely Staying 498

Passwords 498

Proactive Alerts 498

Preregistration of Sites and Devices 499

Phones as MFA Devices 500

Wireless 501

Changing/Morphing Standards 501

The Future 501

Zero Trust 502

Continuous, Adaptive, Risk-Based 503

Quantum-Resistant Cryptography 506

Interesting Newer Authentication Ideas 506

Summary 507

25 Takeaway Lessons 509

Broader Lessons 509

MFA Works 509

MFA is Not Unhackable 510

Education is Key 510

Security Isn’t Everything 511

Every MFA Solution Has Trade-Offs 511

Authentication Does Not Exist in a Vacuum 512

There is No Single Best MFA Solution for Everyone 515

There are Better MFA Solutions 515

MFA Defensive Recap 516

Developer Defense Summary 516

User Defense Summary 518

Appendix: List of MFA Vendors 521

Index 527
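The defense headings of chapter 9 in the table above (OTP result code must expire, prevent OTP replay, stop brute-forcing attacks) and the OTP window brute-force material of chapter 14 describe checks the relying party must make around the OTP algorithm itself. The following is an added example, not code from the book or from any MFA vendor: an RFC 4226/6238 HOTP/TOTP generator plus a server-side verifier that applies those three checks. The `OtpVerifier` class, its field names and the lockout policy are illustrative choices; the shared secret is the ASCII test secret from RFC 6238, so the generated codes can be checked against the published SHA-1 test vectors.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP with the relying-party checks the chapter 9
defense headings name: codes expire with the time step, an accepted code can
never be replayed, and repeated wrong guesses lock the account.

Added illustration; not code from the book or from any MFA vendor.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238) is HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


@dataclass
class OtpVerifier:
    """Server-side state for one enrolled user (illustrative class, assumed names).

    window:       accept codes from +/- this many steps to absorb clock skew;
                  anything outside it has expired ("OTP result code must expire").
    last_counter: highest counter already accepted; any code at or below it is
                  refused even if the HMAC matches ("Prevent OTP replay").
    max_failures: wrong guesses before a temporary lockout ("Stop brute-forcing").
    """
    secret: bytes
    step: int = 30
    digits: int = 6
    window: int = 1
    max_failures: int = 5
    lockout_seconds: int = 300
    last_counter: int = -1
    failures: int = 0
    locked_until: int = 0

    def verify(self, code: str, now: int) -> str:
        """Return "ok", "bad" or "locked". `now` is Unix time in seconds."""
        if now < self.locked_until:
            return "locked"
        if len(code) != self.digits or not code.isdigit():
            return self._failure(now)
        counter = now // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue  # already consumed (replay) or older than a consumed code
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.last_counter = c
                self.failures = 0
                return "ok"
        return self._failure(now)

    def _failure(self, now: int) -> str:
        self.failures += 1
        if self.failures >= self.max_failures:
            self.failures = 0
            self.locked_until = now + self.lockout_seconds
            return "locked"
        return "bad"


# Constructed demo input: the ASCII test secret from RFC 6238, so totp(SECRET, 59)
# equals the published SHA-1 vector (the last six digits of 94287082).
SECRET = b"12345678901234567890"


def demo() -> list:
    """Walk one user through a valid login, a replay, an expired code and a lockout."""
    v = OtpVerifier(SECRET, max_failures=3)
    code = totp(SECRET, 59)
    return [
        v.verify(code, 59),                 # "ok": fresh code inside the window
        v.verify(code, 59),                 # "bad": same code again is a replay
        v.verify(code, 59 + 120),           # "bad": expired, outside +/-1 step
        v.verify("000000", 200),            # "locked": third wrong guess in a row
        v.verify(totp(SECRET, 201), 201),   # "locked": right code, but locked out
    ]


if __name__ == "__main__":
    print(demo())
```

The verifier never widens the window to recover from a failed attempt and never clears `last_counter`, which is what keeps the chapter 9 replay and expiry defenses intact even while chapter 14's brute-force window is small. Widening `window` makes clock skew more forgiving but multiplies the number of codes a guess can hit, so it should be paired with a lower `max_failures`.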


Product Details
  • ISBN-13: 9781119650799
  • ISBN-10: 1119650798
  • Publisher: John Wiley & Sons Inc
  • Publisher Imprint: John Wiley & Sons Inc
  • Publication Date: 17 Dec 2020
  • Binding: Paperback
  • Language: English
  • Number of Pages: 576
  • Dimensions: 231 mm (height) x 188 mm (width) x 31 mm (spine)
  • Weight: 1012 g
  • Returnable: N

