Two-factor authentication is no longer secure, that's why

The title is disturbing, we know, especially since this security method is increasingly adopted to protect accounts and online data. In essence, it combines the password for a given account with a one-time authentication code (OTP), obtained via email, SMS or an app such as Google Authenticator. And, unfortunately, the title isn't all that apocalyptic: two-factor authentication, which was believed to be an absolutely secure method for protecting one's logins, has been breached. But let's take a step back.

About a year ago, a group of Italian researchers consisting of Franco Tommasi, Christian Catalano and Ivan Taurino demonstrated an attack known as Browser-in-the-Middle (BitM), which makes it possible to effectively bypass two-factor authentication. And although big companies like Mozilla, Google and Apple have already been informed of the disturbing discovery, it seems that BitM attacks are still effective today.

Fast-forward ten months: a hacker known as mr.d0x has tested this technique and demonstrated how it works. The findings are worrying: if an attacker decides to use this method, no antivirus suite would be able to protect you, since no malware needs to be installed on the target system.

Gubiani also stated: "A BitM attack could be initiated by phishing techniques and in some cases coupled with the famous Man-in-the-Browser (MitB). Vectors for this attack could be phishing or smishing (SMS phishing)."

Smishing techniques are increasingly used by cybercriminals. Among the possible countermeasures, it is recommended to pay close attention to the senders of SMS messages and e-mails, never to follow links contained in the messages, and instead to go directly to the site of the account in question.

Introducing two-factor authentication at the UiO

Most people are already used to confirming logon with their mobile phone when they log in to the online bank, see a tax return or use Now UiO also becomes 'safe as the bank' and introduces two-factor authentication.

Quick introduction

USIT, the IT department at UiO, has this spring worked intensively to prepare for increased security for all UiO's IT users and for UiO. - The good news is that we are now increasing the security of the IT systems at UiO. We are already known for being at the forefront of IT security in the sector, and now we are introducing a new layer in the security processes, namely two-factor authentication. The introduction of two-factor authentication requirements will initially only apply to logging in to Microsoft 365, i.e. the web-based products from Microsoft, such as Teams and OneDrive, explains project manager Frank Paul Silye.

[Illustrative image of a computer with a locked screen and a mobile phone showing a key]

What is two-factor authentication?

Two-factor authentication is something that most people already use, for example in connection with contact with public offices and banking services. In short, this is a safer way to confirm who you are. Entering a password is no longer sufficient. You must use two factors:

Something you know, i.e. your password, and something you have, i.e. your mobile phone.

Other factors such as fingerprints and other objects and tokens can also be used, but at UiO, login with a password has been chosen together with a confirmation code in an app on the mobile.

Schedule for the introduction at UiO

The new solution has been tested on IT staff since March 9, and the rest of UiO is now following. The Faculty of Theology is first out, already on April 6, and the other units will implement the solution in turn in the period up to 5 May. The introductory project has created a schedule for the introduction that you can check if you want to know when it's your turn. Remember that this time it only applies to logging in to Microsoft 365, not all IT services, logging in to computers or anything else. Other services will follow, but by then you will already be used to it.

What will happen?

- The change is that you will also have to use your mobile phone when you log in. It works much like with BankID on mobile, as most people know. We log in, and receive a message on our mobile to confirm the login, says project manager Silye. - But the first time you log in with two-factor authentication, it's a little different. You need to install an authentication app on your mobile and pair the app with your Microsoft login. You do this by scanning a QR code with the app on your mobile. We have good guidelines for this. After the first login, you will not notice anything new until after 30 days, when you will be asked to confirm the login when using Teams or another MS365 product. Then the phone beeps and you just press 'approve' in the app. You will be asked for such approval every 30 days, or at the nearest login after 30 days, he concludes.
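The "something you know, something you have" model and the pairing-then-confirm flow described above, as an added example that is not the article's, UiO's or Microsoft's code: it assumes the app is a standard TOTP authenticator (RFC 6238, as used by Google Authenticator), that the enrolment QR code carries an otpauth:// provisioning URI, and that a device which has confirmed a login is trusted for exactly 30 days. The issuer name, account and test secret are constructed.

```python
import base64
import hashlib
import hmac
import struct
import urllib.parse

PERIOD = 30                      # TOTP time step in seconds (assumed, the common default)
TRUST_SECONDS = 30 * 24 * 3600   # article: re-confirm after 30 days (assumed to be exact)


def provisioning_uri(secret: bytes, account: str, issuer: str = "UiO") -> str:
    """What the enrolment QR code encodes: the app scans it and stores the shared secret."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = urllib.parse.quote(f"{issuer}:{account}")
    return f"otpauth://totp/{label}?secret={b32}&issuer={issuer}&digits=6&period={PERIOD}"


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", at // PERIOD)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_code(secret: bytes, submitted: str, at: int, window: int = 1) -> bool:
    """Accept the code for the current step or `window` adjacent steps (clock skew)."""
    return any(hmac.compare_digest(totp(secret, at + k * PERIOD), submitted)
               for k in range(-window, window + 1))


def needs_second_factor(last_confirmed, now: int) -> bool:
    """True unless this device confirmed a login less than 30 days ago."""
    return last_confirmed is None or now - last_confirmed >= TRUST_SECONDS


def login(secret: bytes, password_ok: bool, submitted: str, last_confirmed, now: int):
    """Password first, then the app code when required; returns (granted, last_confirmed)."""
    if not password_ok:                        # something you know
        return False, last_confirmed
    if not needs_second_factor(last_confirmed, now):
        return True, last_confirmed            # inside the 30-day trust window
    if verify_code(secret, submitted, now):    # something you have
        return True, now                       # trust this device for another 30 days
    return False, last_confirmed


if __name__ == "__main__":
    secret = b"12345678901234567890"           # constructed test secret (RFC 6238 vector)
    print(provisioning_uri(secret, "ola.nordmann@uio.no"))
    print(login(secret, True, totp(secret, 1234567890), None, 1234567890))
```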

An easy way to secure our documents and data

UiO's IT security manager, Espen Grøndahl, is the project owner for the introduction of two-factor authentication at UiO. He explains that there are good reasons why you now have to confirm that it is actually you who is trying to log in. - Passwords alone are actually not sufficiently secure. When we now introduce two factors, i.e. password and confirmation from another device, it becomes much more difficult for attackers to get inside. Passwords can be guessed with hacking tools (brute force), or they can be leaked by mistake. Now it will no longer be enough for unauthorized persons to gain access to your and my data, or misuse UiO's IT infrastructure, says Grøndahl.

He says that there are four main ways a password can go astray:

  • Leakage of passwords from a website,
  • Malware on computers where usernames and passwords are picked up,
  • Man-in-the-middle attack - where someone picks up a username and password between you and the service you are logging in to, and
  • Phishing attacks - when someone tricks you into entering a password in the wrong place (typically via email)

Common to these attack methods is that they cannot be used as long as two factors are required for login. If an attacker were to obtain your password using one of these methods, he would not be able to obtain your mobile phone, and then he could not use the password for anything.

The way forward

Grøndahl is pleased that we are now well on our way to introducing extra login security. But is it only for the Microsoft 365 login? - No, absolutely not. This is where we start. Before the summer, there will be a two-factor login first on some services with Feide login and then on our e-mail. We try to take it a little later, so that not all the load comes at the same time. We do not expect many people to have problems, but we want most people to start with two-factor authentication before we put it on the e-mail, as it is one of our most important work tools. There is good and thorough information about when and how two-factor authentication is introduced on the other services. - Other universities have introduced two-factor authentication without it leading to many inquiries for support, so I am sure that we can do it here at UiO as well, the IT security manager concludes.

Do you want to know more?

Two-factor authentication is now an IT service at UiO, so you will find information and guidelines on the IT service pages. To make it easy, the introductory project has created a shortcut to it called To get the best user experience when you now have to confirm login with an app on your mobile, the introductory project recommends that you read the guide and make the settings recommended there. Then you do not have to confirm with a code, but just need to press 'Approve' in the app on your mobile.


Published Apr. 3, 2022 5:56 PM - Last modified Apr. 5, 2022 12:50 PM
