No. Not really.
Are bad 1-time passcodes a corporate liability? Yes, but bad anything is a liability.
In the wake of the Twilio breach, my buddy Brian Krebs posted an item titled “How 1-Time Passcodes Became a Corporate Liability”. In one sense he is right, because most companies chose the 1-time passcode method that was easiest to implement, not the one that was hardest to attack.
Most companies also spend the least time and least money training their employees to resist phishing attacks.
Put another way, companies take the path of least resistance: whatever they can get employees to do with minimal cost and minimal time.
One thing a secure 1-time passcode strategy requires is strong and active management support.
One owner at a client of ours on the east coast has a standard response to employee complaints about security requirements: “Do you want me to sign your termination check now?”
That is pretty aggressive, but no one has ever taken him up on the offer. In fairness, you have to explain WHY security is important to the company.
Let's talk about two of the least secure 1-time passcode methods: SMS text messages and phone calls.
Text messages are bad because the phone itself can be compromised and the messages read by malware. With a SIM-swap attack, the employee's phone number can be moved to a device the attacker controls, so the codes are delivered straight to the attacker. And then, of course, the employee can simply be socially engineered into reading the code out over the phone.
Next is the phone. There are several sub-methods for phone-based 1-time passcodes. One is a push notification: when the hacker tries to log on with stolen credentials, the employee's phone gets a prompt asking whether he/she just tried to log on. Employees often tap yes even when they are not at a computer. Combine that with an attack that sends a thousand push notifications in an hour (push bombing, also called MFA fatigue) and the employee will eventually tap yes just to make the noise stop.
Another variant is for the system being protected to call you and ask if you tried to log on: press 1 for yes, 2 for no. Again, after a thousand phone calls, many employees press 1 rather than put the phone on silent.
The last phone method is for the system being protected to call you with a code for you to enter on the web site. In theory this should be attack resistant, since the attacker never receives the code, but employees are easily socially engineered into giving it up.
Why? Because employers do not want to spend the time or money to train employees, and neither do employees. Remember, training is not a one-time event. You have to repeat it. Often.
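The push-bombing pattern described above (many prompts in a short window, then an approval) is easy to spot in the identity provider's logs. The following is an added example, not code from the original post or from any particular MFA vendor: it runs a sliding-window detector over a constructed sample log in a hypothetical `timestamp user=... event=...` format and raises two alert types, one when the burst starts and one when the user finally approves.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Hypothetical log format (assumption, not a real vendor format):
#   2022-08-04T10:00:01Z user=alice event=push_sent
# Events: push_sent, push_denied, push_timeout, push_approved.
LINE_RE = re.compile(r"^(\S+)\s+user=(\S+)\s+event=(\S+)$")


def parse_line(line):
    """Return (timestamp, user, event) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m.group(2), m.group(3)


def detect_push_fatigue(lines, window=timedelta(minutes=10), burst=5):
    """Return a list of (timestamp, user, alert) tuples.

    'push_bomb'        - at least `burst` prompts to one user inside `window`
    'fatigue_approval' - an approval that lands while such a burst is still open
    Denied and timed-out prompts stay in the window; an approval closes it."""
    recent = defaultdict(deque)   # user -> timestamps of push_sent inside the window
    bombed = set()                # users already alerted for the current burst
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # skip malformed lines rather than crash
        ts, user, event = parsed
        q = recent[user]
        while q and ts - q[0] > window:   # expire prompts older than the window
            q.popleft()
        if event == "push_sent":
            q.append(ts)
            if len(q) >= burst and user not in bombed:
                alerts.append((ts, user, "push_bomb"))
                bombed.add(user)
        elif event == "push_approved":
            if len(q) >= burst:
                alerts.append((ts, user, "fatigue_approval"))
            q.clear()                     # the burst is over; a later one alerts again
            bombed.discard(user)
    return alerts


def build_sample_log():
    """Constructed sample, not real IdP output: alice gets 8 prompts in under
    4 minutes, denies 7 and approves the 8th; bob gets one prompt and approves."""
    base = datetime(2022, 8, 4, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(8):
        t = base + timedelta(seconds=30 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} user=alice event=push_sent")
        outcome = "push_approved" if i == 7 else "push_denied"
        lines.append(f"{t + timedelta(seconds=5):%Y-%m-%dT%H:%M:%SZ} user=alice event={outcome}")
    t = base + timedelta(minutes=15)
    lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} user=bob event=push_sent")
    lines.append(f"{t + timedelta(seconds=9):%Y-%m-%dT%H:%M:%SZ} user=bob event=push_approved")
    return lines


if __name__ == "__main__":
    for ts, user, alert in detect_push_fatigue(build_sample_log()):
        print(ts.isoformat(), user, alert)
```

The `fatigue_approval` alert is the one worth paging on: the account should be treated as compromised until someone talks to the user, since an approval after a string of denials is exactly what a successful push-bombing run looks like. The threshold and window are assumptions to tune against your own prompt volume.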
More resistant to these attacks is a code generator app on your phone like Google Authenticator or Authy (more resistant, not perfect). The app computes each code locally from a secret shared at enrollment and the current time, so nothing is sent to the employee and there is no way to overwhelm the user with hundreds of bogus text messages or phone calls.
BUT, in the Twilio attack, the attackers sent bogus text messages to the victims asking them to click a link, enter their credentials and then enter the current 1-time passcode from the app. The link had a URL that looked roughly legitimate, and a code typed into the fake page is just as good as one typed into the real one as long as the attacker uses it before it expires. How do you train people not to click on things? It is hard. Send many people a text message that claims to be a layoff list, promotion list or salary list, or a link to nude pictures of coworkers or celebrities, and a lot of people will click. It is hard.
Better still are hardware-based solutions.
I use an RSA token for my bank. The only way to get around that would be to socially engineer me to give up the code of the moment. That code changes every few seconds.
Other hardware solutions include YubiKeys (something you plug into your computer or tap against your phone), SQRL (pronounced “squirrel”, a key-based login protocol that uses a per-site key instead of a password) and client-side certificates. All of these are more secure than the options above. FIDO keys like the YubiKey are the standout because the key's response is bound to the real site's origin, so a look-alike phishing page cannot obtain a login that works on the real site, and there is no code for an employee to read out.
Note that there is a direct tradeoff: the easier a method is to use and the less training it needs, the less secure it tends to be.
Also, in most cases, if you want to use a more secure solution, the service that you are using has to support it. And, you have to be willing to deal with the extra effort of using it.
For example, if you want to use an RSA token with your online banking, your bank has to support that. In addition, your bank has to give you the option to disable less secure methods like a text message. Otherwise using the more secure method is mostly theatre, for show and not for security: an attacker who cannot beat the token simply asks for the text message instead.
To learn more about this, read Brian’s post, here.
If you need help sorting out multi-factor authentication, one-time passwords and employee security training, please contact us.