That’s not how 2FA works

Another day, another high-profile website cloned to phish credentials.

Is this a phishing attempt? Goes to "https://t.co/7b0EaPdGZR" and asks for username and pw

(if so, it nearly got me!)

/cc @github pic.twitter.com/jgt4oNvjF2

— Tess Rinearson (@_tessr) January 16, 2021

In the replies, you’ll see lots of techbros saying “this is why you should switch on 2FA people!!!”

Except, and I hate to bring accuracy to a technical discussion, that’s not how 2FA works!

A second factor allows a site to better authenticate you. It does not help you identify the site.

If you log on to fake-bank.com, the scammers will immediately take your username and password and send it to real-bank.com – the fake bank will then ask you for your 2FA token. That could come via SMS, email, an authenticator app, or even post. Then the fake site uses your real token and logs in as you.

Game Over.

There is almost nothing you can do to authenticate that a site is legitimate.

• Any information that you can request from the real site can be proxied to the fake site.
• The green SSL padlock means nothing for validity. Anyone can get one.
• The top result on Google is invariably an advert for a scam site.

Realistically the only thing you can do is look for “out of band” verification. What’s the URL stamped on your credit card? What’s written on the welcome letter sent by snail mail?

None of these are infallible – and they can all be manipulated by a suitably determined attacker.

The best defence is to use a password manager. I recommend the open source Bit Warden.

A password manager stores your passwords. But it also stores the web address of site’s login page. If you visit githud, the password manager won’t prompt you to use the login details for github.

Defence in depth. Use 2FA to prevent attackers masquerading as you. And use a password manager to prevent fake sites masquerading as real sites.

What About YubiKeys?

No. I’m not a big fan of YubiKeys. In theory, a hardware token can help with this. You register the token with the device and it spits out a code only to the correct site.

But it has significant downsides.

• Cost. The average YubiKey is £50. There are a few around the £30 price point. That’s a huge expense given the small number of sites that support them.
• Usability. Buy a device, register it, install the app, configure it, find the setting in the website, enable it, hope your machine has the right sort of USB ports, press the button at the right time. Take 10 minutes to watch a normal user try to set one up – then tell me if you think this is a good solution.
• Convenience. My YubiKey is on my keyring. My keys are in my coat. My laptop is not near my coat. Given how often I need to log into things, it means adopting a significant change of habit. Or leaving my YubiKey plugged in all the time. Which leads to…
• Risk. YubiKeys have no password lock of their own. At least my crumby Android has a fingerprint lock to prevent people getting my 2FA tokens. But if you’ve stolen my laptop and the YubiKey is plugged in, then you’ve got the keys to my kingdom.
• Support. WebAuthn is a great standard – but only a few sites support it. While it is good at protecting a handful of sites, I encounter it so infrequently that I regularly forget how it works.

While a WebAuthn request can’t be proxied – there’s nothing stopping a fake site from asking for your token, then rejecting it and asking for a separate factor.

If fake-github.com said “Hmmm we’re having problems with our WebAuthn backend – please use a one-time code from your authenticator app for added security” would you be fooled?

WebAuthn and hardware tokens are probably the future. And they’re probably the best way we have to verify site legitimacy. But they’re also currently a poorly supported usability disaster.

Stay safe out there.