CHICAGO, July 23, 2014 (GLOBE NEWSWIRE) -- Two-factor authentication has not been defeated by the Emmental attack despite widespread reports to the contrary. In fact, it was the use of an SMS-delivered one-time password (OTP) that was exploited.
"It's disappointing that generic reports of two-factor authentication being beaten are circulating again when not all two-factor authentication techniques are of equal strength," said Alan Dundas, vice president of Product for Authentify.
Dundas should know. As a former security architect at Symantec, he was responsible for authentication technologies that touched 1 billion end points globally.
According to Dundas, "The problem lies with the practice of delivering a one-time password to the end user via SMS. In general, OTP approaches are not as secure as they once were."
The attack, dubbed Emmental by the researchers who uncovered it, is a variation of a man-in-the-middle (MITM) attack. Communication with the bank is redirected to servers the attacker controls. The twist is that it also redirects the SMS message sent to the end user's mobile device, the second authentication factor in the two-factor scheme, so the required OTP is delivered to the attackers as well.
Numerous MITM/phishing/malware attacks have demonstrated the vulnerability of SMS messaging for some years. SMS messages, however, are still used due to their low cost, convenience and ubiquity. The continued use of SMS is a risk vs. cost assessment a financial organization must make.
Authentify has long been an advocate of transaction verifications that are applied via voice channel "post-login", after a transaction has been initiated. The process includes communicating the actual transaction details to the end user exactly as they will be executed. If those details differ from what the user expects, the user has the opportunity to cancel the transaction. This process is effective against MITM and phishing attacks that compromise legitimate login credentials and would protect against an Emmental type of attack.
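As an added illustration of the distinction the release draws (this is not Authentify's code; the HMAC key, the transaction encoding and the user model are assumptions), the following Python contrasts a login-time OTP, which checks nothing about the transaction, with a post-login read-back whose confirmation code is bound to the details the bank will actually execute:

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    payee: str
    amount_cents: int


def canonical(tx: Transaction) -> bytes:
    """Fixed encoding of the details exactly as the bank will execute them."""
    return f"{tx.payee}|{tx.amount_cents}".encode()


def confirmation_code(key: bytes, tx: Transaction) -> str:
    """Bank side: short code bound to the transaction details (HMAC-SHA256)."""
    return hmac.new(key, canonical(tx), hashlib.sha256).hexdigest()[:8]


def bank_accepts(key: bytes, tx_to_execute: Transaction, code: str) -> bool:
    """Bank executes only if the code was computed over exactly these details."""
    return hmac.compare_digest(code, confirmation_code(key, tx_to_execute))


def plain_sms_otp(intended: Transaction, received: Transaction) -> bool:
    """Login-time OTP: a random code with no link to any transaction.
    'received' is what reached the bank (possibly altered in transit); the bank
    executes it as long as the OTP it sent comes back. Returns True if the bank
    executes 'received'. 'intended' is never consulted, which is the weakness."""
    otp = f"{secrets.randbelow(10**6):06d}"   # sent by SMS ...
    entered = otp                             # ... and relayed from the same channel
    return hmac.compare_digest(entered, otp)  # transaction details never checked


def post_login_verification(key: bytes, intended: Transaction,
                            received: Transaction) -> bool:
    """Out-of-band verification: the bank reads back 'received' (the details it
    will actually execute) on a separate channel; the user approves only if they
    match what was meant, and the code only validates for those same details."""
    code = confirmation_code(key, received)   # accompanies the read-back details
    if intended != received:                  # user hears different details: cancel
        return False
    return bank_accepts(key, received, code)  # approval relayed by the user


if __name__ == "__main__":
    # Constructed sample: user meant to pay 50.00; a MITM altered it in transit.
    key = secrets.token_bytes(32)
    meant = Transaction("Alice", 5000)
    altered = Transaction("mule-account", 950000)
    print("plain OTP executes altered tx:", plain_sms_otp(meant, altered))  # True
    print("read-back executes altered tx:",
          post_login_verification(key, meant, altered))                     # False
```

The last two assertions in the accompanying check also show that a confirmation code issued for one transaction is useless for a different one, which is what prevents a relayed code from approving altered details.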
"Authentify began investing more than three years ago to build our Authentify xFA™ platform specifically to provide an easy-to-use, substantially more secure and affordable authentication solution that could compete with SMS," said Dundas. "These attacks can be mitigated by using xFA and/or Authentify's voice channel out-of-band authentication, both of which do not rely on the attacked communication channel."
Either voice channel or the xFA application can add a biometric authenticator instead of an OTP for transaction approval. In addition, the xFA solution utilizes mutual PKI and full encryption, which also eliminates MITM threats.
Authentify will provide demos of xFA during the upcoming Black Hat USA 2014, happening August 2-7 at Mandalay Bay in Las Vegas.
Authentify also recently published a white paper on defeating latest-generation MITM attacks and other "post-login" exploits. It is entitled "Innovative Authentication Workflows for Protecting Online Accounts" and can be downloaded from the Authentify website at www.authentify.com.
About Authentify
Founded in 1999, Authentify, Inc. provides automated authentication services for many of the largest online financial services firms and business enterprises operating online today. The Authentify service enables organizations to quickly and cost-effectively perform real-time, multi-factor user authentication during an internet session by leveraging the end user's telephone or other mobile smart devices. Authentify delivers effective flexible multi-factor authentication processes that are practical for businesses and intuitive for end users.
Authentify's technologies are protected by multiple U.S. and International patents.
© July 23, 2014 Authentify, Inc.