Dark Reading is part of the Informa Tech Division of Informa PLC


How Device-Aware 2FA Can Defeat Social Engineering Attacks

While device-aware two-factor authentication is no panacea, it is more secure than conventional SMS-based 2FA. Here's why.

In the ever-escalating arms race between attackers and defenders, the latest defense to crumble under fire is two-factor authentication (2FA). Hackers have become increasingly successful in using social engineering techniques that defeat 2FA and let them take control of victim accounts.

Many of these attacks, however, including account takeover using SIM-jacked phone numbers, can be thwarted by restructuring part of the authentication process, using a minor modification to existing methods. It's a shift from account-based 2FA (usually using SMS one-time passcodes, or OTPs, sent to registered phone numbers) to device-aware 2FA. Using device-aware 2FA, the bank, email service or other service provider only accepts attempts coming from a recognized device previously associated with the account.

How Attackers Defeat 2FA with Social Engineering
SMS-based two-factor authentication has been widely adopted by service providers including financial institutions, email services, social networks and online marketplaces. Among consumer websites using any form of 2FA, about 57% use SMS OTPs, according to data derived from a 2019 report by Javelin Strategy & Research.

Websites using SMS-based 2FA send a code by SMS to the registered cellphone number. The user then types or pastes this code into the website. Attackers can obtain that code either by hijacking the cellphone number through SIM-jacking, or by using social engineering to trick the victim into giving the code to the attacker.

In SIM-jacking, with a bit of competent social engineering and persistence, a scammer can convince an employee of a wireless carrier to transfer a victim's telephone number to a new SIM card used by the attacker's phone. The attacker then starts receiving all SMS OTPs sent to the victim, putting every one of the victim's accounts protected by those SMS passcodes at risk of takeover.

Awareness of SIM-jacking and other threats to multifactor authentication (MFA) is rising, though to date few technical solutions have been identified. In September, the FBI warned that cybercriminals are using social engineering and technical attacks to circumvent MFA. In a widely publicized incident in August, an attacker took over the Twitter account of Twitter CEO Jack Dorsey by SIM-jacking his phone, and then used the account to tweet Nazi propaganda.

In November, Twitter began allowing users to choose to use 2FA methods other than SMS-based 2FA. But the options offered (authenticator apps and security keys) have their own vulnerabilities, including technical or social engineering risks. Rather than solving the problem, Twitter now in effect allows the users to select which vulnerability they face.

Using Device-Aware 2FA to Thwart Account Takeover
Account providers can implement a more secure version of 2FA by switching the method of authentication. Conventional SMS-based 2FA requires the user to prove she has access to the phone number associated with the account. With device-aware 2FA, the user must prove she has access to both the phone number and the actual phone (or other device) associated with the account. (From the user's perspective, no extra step is required.)

With conventional SMS-based 2FA, the website sends an SMS containing the passcode. With device-aware 2FA, the website instead sends an SMS with one or more clickable links, for example, the question "Have you asked to reset your password?" with two clickable answers, representing "Yes" and "No." When the user clicks on the "Yes" link, the device profile is automatically checked by the website.

Unless the attacker has also stolen the victim's phone and unlocked it, the attacker's device won't be recognized as having been previously associated with the account, and the website will deny access. (If the user clicks "No," both the user and the site become aware of the attack and can take actions to restore security.)

Methods for Recognizing Devices
Device-aware 2FA takes advantage of device-identifying technologies that are already widely deployed, but uses them differently. These device-identifying technologies, which can be used in combination, include various types of cookies placed by a website onto a device; "read-only" browser characteristics such as the user agent string and related local data that websites normally check in order to send the correct display instructions for the particular device type; and other characteristics such as network name, carrier name, and geolocation.

Almost all websites already use cookies and other device identifiers, whether for personalization or fraud detection. In fact, 2FA is often activated if a user attempts to log in from an unusual location or a device that is not recognized. Options for identifying devices include standard HTML cookies and variants such as flash cookies or cache cookies.

When a user accesses a website, the website is also able to check the characteristics of the user's web browser, such as browser type and version installed, touch-screen support, system fonts installed, languages installed, screen size, color depth, time zone, and browser plug-in details. While these digital fingerprints aren't unique to each device, there are so many permutations of user hardware and software attributes that it is highly unlikely that an attacker's device will share the victim device's fingerprint.
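The attribute matching the two paragraphs above describe, as an added example that is not code from the article or from ZapFraud: it hashes a browser profile for indexing and scores an observed session against the profiles already enrolled on the account, tolerating the routine drift (a browser update, a new plug-in) that would make an exact hash comparison reject the user's own phone. The attribute set, the weights, the 0.8 threshold and the three sample profiles are all constructed for this example.

```python
import hashlib
import json

# Attributes the article lists, each weighted by how stable it is across
# legitimate sessions on the same device. Weights are this example's assumption.
ATTRIBUTE_WEIGHTS = {
    "browser_family": 3,
    "browser_major_version": 1,   # changes with every browser update
    "touch_support": 2,
    "fonts": 3,
    "languages": 2,
    "screen_size": 2,
    "color_depth": 1,
    "time_zone": 2,
    "plugins": 2,
}
MATCH_THRESHOLD = 0.8   # weighted fraction of attributes that must agree


def normalize(profile: dict) -> dict:
    """Canonicalize values so list-valued attributes compare order-independently."""
    out = {}
    for key in ATTRIBUTE_WEIGHTS:
        value = profile.get(key)
        if isinstance(value, (list, tuple, set)):
            value = sorted(str(v) for v in value)
        out[key] = value
    return out


def fingerprint_hash(profile: dict) -> str:
    """Stable digest of the whole profile. Fine as an index key, but any single
    attribute change (e.g. a browser update) produces a different hash."""
    canonical = json.dumps(normalize(profile), sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()


def similarity(stored: dict, observed: dict) -> float:
    """Weighted fraction of attributes on which two profiles agree (0.0 to 1.0)."""
    a, b = normalize(stored), normalize(observed)
    total = sum(ATTRIBUTE_WEIGHTS.values())
    matched = sum(w for k, w in ATTRIBUTE_WEIGHTS.items() if a[k] == b[k])
    return matched / total


def is_recognized(enrolled_profiles, observed: dict, threshold: float = MATCH_THRESHOLD) -> bool:
    """True if the observed profile is close enough to any device enrolled on the account."""
    return any(similarity(p, observed) >= threshold for p in enrolled_profiles)


# Constructed sample profiles (not real telemetry).
ALICE_PHONE = {
    "browser_family": "Mobile Safari", "browser_major_version": 17,
    "touch_support": True,
    "fonts": ["Helvetica", "Menlo", "SF Pro"],
    "languages": ["en-US", "fr"],
    "screen_size": "390x844", "color_depth": 32, "time_zone": "America/Chicago",
    "plugins": [],
}
# The same phone a month later: browser updated, one plug-in added.
ALICE_PHONE_UPDATED = dict(ALICE_PHONE, browser_major_version=18, plugins=["PDF Viewer"])
# A different device that happens to share a few common attributes.
ATTACKER_DEVICE = {
    "browser_family": "Chrome", "browser_major_version": 118,
    "touch_support": True,
    "fonts": ["Arial", "Roboto", "Segoe UI"],
    "languages": ["en-US", "fr"],
    "screen_size": "1920x1080", "color_depth": 32, "time_zone": "UTC",
    "plugins": ["PDF Viewer"],
}

if __name__ == "__main__":
    enrolled = [ALICE_PHONE]
    print("same hash after update?", fingerprint_hash(ALICE_PHONE) == fingerprint_hash(ALICE_PHONE_UPDATED))
    print("updated phone score", round(similarity(ALICE_PHONE, ALICE_PHONE_UPDATED), 3),
          "recognized:", is_recognized(enrolled, ALICE_PHONE_UPDATED))
    print("attacker score", round(similarity(ALICE_PHONE, ATTACKER_DEVICE), 3),
          "recognized:", is_recognized(enrolled, ATTACKER_DEVICE))
```

The scoring, not the hash, is what makes the check usable: the updated phone still scores 15/18 and is recognized, while the attacker's device, sharing only touch support, languages and color depth, scores 5/18 and is not. In a deployment the fingerprint would be one signal alongside the cookies and network characteristics the article lists, and the threshold would be tuned against the site's own false-reject rate.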

Special Case: New Device
New security measures often impose some friction on normal activity. For device-aware 2FA, the added friction is minimal in most situations. The device used to establish the account (or to set up 2FA for the first time) would be automatically linked to the account. If the user accesses the site from a new device, the site could send a device-aware 2FA message to the old device to obtain authorization. If the authentication succeeds, and the user states that the new device indeed belongs to her, then the new device will be automatically enrolled, and then it can be used to approve future device-aware 2FA verifications. Other options for adding new devices to a user profile include allowing a new device to be authorized by scanning a QR code displayed on the original device, or allowing access from a new device if the device shares browser settings (such as a synchronized Google Chrome account) with the original device.

But what happens if the user replaces his phone and has no other device enrolled? Nearly all institutions provide escalation methods to regain access to accounts even if a user has lost access to the cellphone number or email account used for authentication. Similar escalation procedures can be used with device-aware 2FA if the user replaces or loses his phone. For example, the user might be asked to respond to knowledge-based authentication questions, or to accurately report very small payments made to a checking account already associated with the user.
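A server-side sketch of the flow described in "Using Device-Aware 2FA to Thwart Account Takeover" and the new-device enrollment described just above, from the Yes/No SMS through the device check to enrolling a second device by approving from the first. This is added example code, not the article's or ZapFraud's implementation. It assumes an HMAC-signed device cookie as the recognition mechanism (the article lists several, which a real site would combine), a placeholder link domain, an in-memory store, and constructed account and device identifiers.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

SERVER_KEY = secrets.token_bytes(32)        # constructed; a deployment keeps this in a KMS/HSM
CHALLENGE_TTL = 300                         # seconds a Yes/No link stays valid
LINK_BASE = "https://example.invalid/2fa"   # placeholder, not a real endpoint


@dataclass
class Account:
    phone: str
    devices: set = field(default_factory=set)   # device ids previously associated with the account
    flagged: bool = False                        # set once the user answers "No"


ACCOUNTS = {}   # username -> Account
PENDING = {}    # challenge id -> pending-action record


def _mac(data: str) -> str:
    return hmac.new(SERVER_KEY, data.encode(), hashlib.sha256).hexdigest()


def issue_device_cookie(device_id: str) -> str:
    """Cookie set on a device at first contact: the id plus an HMAC, so the
    server can later verify it issued this id (a guessed id without the MAC fails)."""
    return f"{device_id}.{_mac(device_id)}"


def device_id_from_cookie(cookie: str):
    """Return the device id carried by a cookie if its MAC verifies, else None."""
    if not cookie or "." not in cookie:
        return None
    device_id, mac = cookie.rsplit(".", 1)
    return device_id if hmac.compare_digest(mac, _mac(device_id)) else None


def start_challenge(username: str, action: str, now=None):
    """Record a requested sensitive action and build the SMS. Returns (challenge id,
    SMS text). The SMS carries links rather than a code, so there is no passcode
    for a caller to talk the user into reading back."""
    now = time.time() if now is None else now
    cid = secrets.token_urlsafe(16)
    PENDING[cid] = {"user": username, "action": action, "expires": now + CHALLENGE_TTL, "used": False}
    sms = f"Have you asked to {action}? Yes: {LINK_BASE}/{cid}/yes   No: {LINK_BASE}/{cid}/no"
    return cid, sms


def handle_click(cid: str, answer: str, device_cookie: str, now=None) -> str:
    """Server side of a link click: the device that clicked is checked against
    the devices already associated with the account."""
    now = time.time() if now is None else now
    rec = PENDING.get(cid)
    if rec is None or rec["used"] or now > rec["expires"]:
        return "INVALID_OR_EXPIRED"
    rec["used"] = True                          # one click per challenge, no replay
    acct = ACCOUNTS[rec["user"]]
    if acct.flagged:
        return "ACCOUNT_LOCKED"                 # the institution's escalation path takes over
    if answer == "no":
        acct.flagged = True                     # user and site now both know of the attempt
        return "REPORTED"
    device_id = device_id_from_cookie(device_cookie)
    if device_id is None or device_id not in acct.devices:
        return "DENIED_UNRECOGNIZED_DEVICE"     # right phone number, wrong device
    return "APPROVED"


def enroll_device(username: str, approval: str, new_device_cookie: str, user_confirms: bool) -> bool:
    """New-device path: a challenge approved from an already-enrolled device, plus
    the user stating the new device is hers, enrolls the new device id."""
    device_id = device_id_from_cookie(new_device_cookie)
    if approval != "APPROVED" or not user_confirms or device_id is None:
        return False
    ACCOUNTS[username].devices.add(device_id)
    return True


def demo() -> dict:
    """Run the article's scenarios against constructed data and return the outcomes."""
    ACCOUNTS.clear(); PENDING.clear()
    ACCOUNTS["alice"] = Account(phone="+1-555-0100")          # constructed
    alice_phone = issue_device_cookie("alice-phone-1")
    ACCOUNTS["alice"].devices.add("alice-phone-1")            # enrolled at account setup
    attacker_phone = issue_device_cookie("attacker-phone")    # fresh cookie set on first contact
    r = {}
    cid, _ = start_challenge("alice", "reset your password")  # Alice taps Yes on her own phone
    r["legit"] = handle_click(cid, "yes", alice_phone)
    r["replay"] = handle_click(cid, "yes", alice_phone)       # same link a second time
    cid, _ = start_challenge("alice", "reset your password")  # SIM-jack: SMS arrives, device is unknown
    r["simjack"] = handle_click(cid, "yes", attacker_phone)
    cid, _ = start_challenge("alice", "reset your password")  # guessed id without a valid MAC
    r["forged"] = handle_click(cid, "yes", "alice-phone-1.0000")
    cid, _ = start_challenge("alice", "log in", now=1000.0)   # link clicked after the TTL
    r["expired"] = handle_click(cid, "yes", alice_phone, now=1000.0 + CHALLENGE_TTL + 1)
    tablet = issue_device_cookie("alice-tablet")              # new device approved from the old phone
    cid, _ = start_challenge("alice", "add a new device")
    r["enrolled"] = enroll_device("alice", handle_click(cid, "yes", alice_phone), tablet, True)
    cid, _ = start_challenge("alice", "log in")
    r["tablet"] = handle_click(cid, "yes", tablet)
    cid, _ = start_challenge("alice", "log in")               # Alice answers No to a request she never made
    r["reported"] = handle_click(cid, "no", attacker_phone)
    cid, _ = start_challenge("alice", "log in")
    r["locked"] = handle_click(cid, "yes", alice_phone)
    return r


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10} {outcome}")
```

The point of the check is visible in the `simjack` case: the attacker holds the phone number and receives the SMS, yet the click arrives without a cookie the server issued to an enrolled device, so it is denied. The `expired` and `replay` cases are the hygiene a practitioner would add around any link-based challenge, and `enroll_device` mirrors the article's new-device path, where authorization comes from the device already on file.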

While device-aware 2FA is more secure than conventional SMS-based 2FA, it is of course no panacea. In the endless game of leapfrog that security professionals play with cybercriminals, nearly every security method can be eventually defeated by a determined and resourceful attacker. All we can do is continue making our leaps smarter and longer.


Markus Jakobsson, chief scientist for ZapFraud, has worked for more than 20 years as a security researcher, scientist, and entrepreneur, studying phishing, crimeware, and mobile security at leading organizations. He leads ZapFraud's security research with a focus on using ...
