The long but right way to two-factor authentication

It is 2020 and accounts which contain valuable and private data can still be created without two-factor authentication. However, it might be some consolation that this is happening less and less. And accounts that do not enforce two-factor authentication at least offer it as an option. Although the first factor is not irrelevant, every second factor makes life that little bit more difficult for attackers. And the occasional reports of successful attacks despite 2FA do not change this.

Usually proxies are used, which intercept communications between the victim's device and the target server and take over active session cookies in order to make their own, already correctly authenticated requests to the target server. New tools like Muraena and NecroBrowser automate the process, making it accessible to a larger number of attackers. Muraena acts as a reverse proxy, while NecroBrowser keeps a large number of Chrome instances alive with the stolen sessions. There is no question that such attacks are real and dangerous. However, they need the victims to actively click on a phishing link and connect to the reverse proxy; without that proxy connection the attack is not possible. Detecting a phishing email is not impossible; that is the task of awareness training and of handling IT and sensitive accounts appropriately. If credentials are simply stolen – and this is still the main reason for successful attacks on privileged accounts – they are worthless without the second factor. This means that two-factor authentication is useful and effective and probably will be for a long time to come. Incidentally, authentication tokens that follow the U2F standard can defeat Muraena and NecroBrowser, because the token's response is bound to the origin the browser is actually talking to, and the proxy's origin does not match the real service.

Second factors come in many different forms. In the past, hardware tokens were state of the art, then SMS became popular, and since then authenticator apps from various manufacturers have become much more common. Whether from Google, Microsoft, Authy, LastPass or now NCP, these straightforward apps can be used to manage authentication factors quickly and easily. In theory, a hardware token is more secure: to compromise it, either the shared secret must be known or the hardware itself must be broken. Soft tokens such as SMS or app authenticators rely on the integrity of the operating system. If attackers gain control of a mobile device, no app can protect it. But to do so, the attacker must first get their hands on the device, either physically or via malware.

Usually, new accounts can be added to an authenticator app by barcode scan and are ready for use straight away. During this setup step, the service and the authenticator app agree on an initial key (the secret) that all later authentication is based on. After this, the app regularly generates a new One-Time Password (OTP) from the current time and the secret. Not everyone knows that authenticator apps can be used with third-party services. For example, the Microsoft Authenticator not only works for Azure and Office 365 but can also manage almost any other account. The same applies to the new NCP Authenticator, which also has the advantage of being offered independently of the major American IT companies. In addition, it can be deployed and configured by a company using the tools supplied.

The functionality of the apps varies greatly. Google's app is very basic and can only generate OTPs. Other apps offer better management and categorization of accounts, which is particularly important if you have many accounts. Equally important are features for transferring the accounts to another phone if the device is lost, stolen or simply replaced. Some of the apps offer significantly more convenience than others with automated backups. NCP has also integrated fingerprint and facial recognition to unlock the app. No matter which app organizations and users ultimately choose, it's important that they do use one. A second factor is still orders of magnitude safer than just one factor. And it should stay that way for a while.
