Why do we need adaptive 2FA (two factor authentication)?

Two factor authentication (2FA) has helped everyone connected to the internet keep their accounts, data, services and so on safe from attackers. It is a highly robust security layer that is extremely hard to crack. The question is: if 2FA is that safe, why do we need adaptive 2FA? The answer is simple: better security and accessibility. Let’s justify that answer over the course of this discourse.

Adaptive 2FA

Adaptive authentication is a new security feature that uses machine learning to verify the authenticity of a login before prompting the user for two factor authentication. Let’s break this up. First, from the user’s point of view, adaptive authentication is just an add-on to their 2FA solution. The user does not interact with the adaptive authentication security layer directly. Second, it uses machine learning. Machine learning uses algorithms to learn patterns in data and make predictions based on that data, which gives machines (processors) the ability to decide. Third, the veracity of the login attempt is confirmed on the service provider’s end. This process checks, against the various patterns learned from the account owner, whether the login attempt is valid and secure.

New authentication factors lead traditional methods towards deprecation.

Choosing the authentication factors

Two factor authentication adds complexity to the login process. Each additional authentication factor added to the login process (3FA, multi factor authentication, etc.) introduces further inefficiency. Adaptive authentication strengthens the security of a user’s account without adding any complexity to the login process. Utmost care is taken when choosing the authentication factors. Too many authentication factors may ultimately slow down the authentication process and make it cumbersome. A balance is maintained between security and usability by adding only the most significant factors, such as login time, the device used for access, the IP address from which the login originated, geolocation, and the security of the communication channel. A user’s behaviour is recorded and analysed against these factors to create the user’s risk profile. The machine learning algorithms adapt to the user’s risk profile and tendencies to develop an effective mechanism for verifying the veracity of each login attempt.

Effortless security for users

Identity management gets easier with the use of adaptive authentication, both for the end user and for the enterprise. The user does not have to be bothered with different authentication layers; instead, the entire authentication process is swift and easy. Enterprises do not have to dedicate security personnel to verifying the reliability of a login attempt, saving both resources and time. Also, machines are fast: the entire adaptive 2FA process executes in the background with negligible delay. In most cases, the user will not even be aware that the verification has taken place.

Efficacy and Usability

Adaptive authentication can verify several factors associated with the login attempt before the user gets to 2FA. Not only this, adaptive authentication can even allow a user to bypass 2FA based on the veracity of the login attempt. For example: when not in the office, Max always uses his personal mobile device to log in to his work account. Before adaptive authentication was implemented, each time Max tried to log in he was subjected to two factor authentication. But a few days after adaptive authentication was implemented on his company’s server, Max stopped getting 2FA requests and could log in with his user ID and password alone. Through adaptive authentication the server knows that it is Max who is trying to access his account, from the same mobile device he has used in the past. Isn’t that easier? And that is from a single factor alone. The adaptive authentication algorithms use a number of factors and complex statistics to build user profiles.

Dynamic and (per the name) Adaptive

The processes and algorithms involved in adaptive 2FA are dynamic. They keep building and updating the user’s risk profile. At each attempt, along with verifying the authenticity of the login, the login pattern is analysed and recorded. The entire process of learning, analysing, and authenticating is dynamic in approach and adaptive to the situation. The algorithms learn from and adapt to the login conditions. For high-risk profiles or questionable login circumstances, more authentication factors may be incorporated.

Adaptive authentication can even identify malicious users and malicious bots trying to gain access to a user’s account through hacked or stolen passwords and deny them authentication altogether. Such a malicious user will not even reach the two factor authentication step.
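To make the preceding sections concrete (the choice of factors, Max’s familiar device being allowed through, the profile adapting after each verified login, and outright denial for attempts that match nothing), here is an added example of a toy adaptive-authentication risk scorer. It is not REVE Secure’s or any vendor’s code; the factor weights, the two thresholds, the /24 grouping of IP addresses and Max’s sample login history are all assumptions made for the illustration. Real deployments would learn such weights from data rather than hard-code them.

```python
# Added example (not the page's or any vendor's product code): a toy adaptive
# authentication risk scorer. Weights, thresholds and sample history are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class LoginAttempt:
    user: str
    device_id: str   # e.g. a device cookie or fingerprint the service issued earlier
    ip: str
    country: str     # from IP geolocation
    hour: int        # local hour of day, 0..23
    encrypted: bool  # whether the channel was TLS-protected


@dataclass
class RiskProfile:
    """Per-user history of verified logins: one counter per observed factor value."""
    devices: Dict[str, int] = field(default_factory=dict)
    countries: Dict[str, int] = field(default_factory=dict)
    ip_prefixes: Dict[str, int] = field(default_factory=dict)
    hours: List[int] = field(default_factory=lambda: [0] * 24)
    total: int = 0


# Assumed weights: how much each unfamiliar factor adds to the risk score.
WEIGHTS = {"device": 40, "country": 30, "ip_prefix": 15, "hour": 15, "plaintext": 50}
RARE_HOUR_FRACTION = 0.05   # an hour seen in under 5% of past logins is "unusual"
STEP_UP_AT = 30             # score >= this: ask for the second factor
DENY_AT = 80                # score >= this: refuse outright, no 2FA prompt at all


def ip_prefix(ip: str) -> str:
    """Group IPv4 addresses by /24 so a DHCP change on the same network stays familiar."""
    return ".".join(ip.split(".")[:3])


def score(profile: RiskProfile, attempt: LoginAttempt) -> int:
    """Sum the weights of every factor that does not match the user's history."""
    if profile.total == 0:
        return STEP_UP_AT   # no history yet: always require 2FA, never deny
    risk = 0
    if attempt.device_id not in profile.devices:
        risk += WEIGHTS["device"]
    if attempt.country not in profile.countries:
        risk += WEIGHTS["country"]
    if ip_prefix(attempt.ip) not in profile.ip_prefixes:
        risk += WEIGHTS["ip_prefix"]
    if profile.hours[attempt.hour] / profile.total < RARE_HOUR_FRACTION:
        risk += WEIGHTS["hour"]
    if not attempt.encrypted:
        risk += WEIGHTS["plaintext"]
    return risk


def decide(risk: int) -> str:
    """Map a risk score to one of three outcomes: allow, require_2fa or deny."""
    if risk >= DENY_AT:
        return "deny"
    if risk >= STEP_UP_AT:
        return "require_2fa"
    return "allow"


def record_success(profile: RiskProfile, attempt: LoginAttempt) -> None:
    """Learn from a login that passed every check, so the profile adapts over time."""
    profile.devices[attempt.device_id] = profile.devices.get(attempt.device_id, 0) + 1
    profile.countries[attempt.country] = profile.countries.get(attempt.country, 0) + 1
    pfx = ip_prefix(attempt.ip)
    profile.ip_prefixes[pfx] = profile.ip_prefixes.get(pfx, 0) + 1
    profile.hours[attempt.hour] += 1
    profile.total += 1


def build_sample_profile() -> RiskProfile:
    """Constructed history: Max logged in ten times from his phone, at 9am, from 203.0.113.0/24."""
    profile = RiskProfile()
    for i in range(10):
        record_success(profile, LoginAttempt("max", "max-phone", f"203.0.113.{i}", "IN", 9, True))
    return profile


if __name__ == "__main__":
    p = build_sample_profile()
    for a in (
        LoginAttempt("max", "max-phone", "203.0.113.42", "IN", 9, True),    # everything familiar
        LoginAttempt("max", "new-laptop", "203.0.113.42", "IN", 9, True),   # only the device is new
        LoginAttempt("max", "new-laptop", "198.51.100.9", "RO", 3, True),   # nothing is familiar
    ):
        print(f"{a.device_id:10} {a.country} {a.hour:02}h -> {decide(score(p, a))}")
```

The familiar attempt scores 0 and is allowed on password alone, the new laptop from Max’s usual network scores 40 and is stepped up to 2FA, and the attempt where every factor is unfamiliar scores 100 and is denied before any 2FA prompt. Once the laptop login has been fully verified and fed back through record_success, the same laptop scores 0 next time, which is the adaptive behaviour the Max example describes.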

Adaptive authentication is a hidden layer of security that verifies the veracity of the login attempt through machine learning. It is simple, secure, efficient and, above all, dynamic. It uses a large range of inputs and factors to build a user’s risk profile and so facilitate authentication. It reinforces the security of an account without adding any extra verification steps for the user.

Can ZeuS Malware Bypass Two Factor Authentication?

Multiple 2FA solutions are available today, e.g. SMS-based OTP, TOTP-based OTP, push notifications, token generators, etc. The Time-based One Time Password (TOTP) service is one of the strongest and most secure two-factor authentication solutions available. This authentication algorithm (TOTP) is designed to provide absolute and impenetrable security to its users, to protect the integrity and privacy of their data. ZeuS malware, on the other hand, is a malware/trojan designed primarily to infiltrate or bypass a user’s security and steal their confidential data. There is a continuous war for security between the 2FA solutions that use TOTP and ZeuS, and ZeuS has just won a battle, if not the war itself.

What is ZeuS malware?

ZeuS, a.k.a. Zeus or Zbot, is a Trojan horse malware that was primarily designed to steal financial data from Windows-based systems. It was first identified in 2007, when it was used to steal information from the United States Department of Transportation. Since then, it has compromised accounts on the websites of many companies, such as NASA, Oracle, Cisco, and Amazon, to name a few. Even today it is very hard to detect because of its stealth techniques.

What does it do?

While ZeuS can already carry out a number of malicious activities on infected systems, it can be tailored to perform more, depending on how the owner of the malware wants it to function. It is mostly used as a financial services trojan to target the credentials on the machine it has infected. ZeuS hides itself on the user’s device and intercepts the transactions and activities that the user performs on the infected device. ZeuS malware creates a botnet, a network of malicious servers, that collects user data and performs large-scale attacks. Through activity monitoring and keylogging, it steals a user’s credentials and confidential data. It may also generate fraudulent notifications that redirect the user to a malicious command and control server controlled by the attacker and mislead them into providing confidential information.

How does it affect SMS-based 2FA?

ZeuS malware can also infiltrate the security standards on a user’s mobile device and monitor the user’s activity, such as key presses, visited websites, and notifications. To date, many users rely on SMS-based OTP for two-factor authentication. While monitoring the user’s mobile device, ZeuS steals the credentials entered by the user, such as the login ID, the password, and the registered mobile number to which SMS-based OTPs are sent. SMS-based OTPs can be intercepted both on the user’s device and on the carrier signal. ZeuS malware sends these details to the attacker, who can bypass the security through the stolen credentials. The attacker can also request new SMS-based OTPs and use them to infiltrate the user’s data. ZeuS botnets have been able to bypass 2FA and attack banks and other financial institutions in the past.

How to protect against ZeuS?

The safety and security of the device on which the 2FA token is delivered or generated comes first. The weakest link is the device and the human that uses it. Smartphone devices that use hardware-level encryption, such as Apple’s, are nearly impossible to crack. Also, Apple devices can only install or run applications available on the App Store, which itself scans each app for the presence of malicious code and discards or blocks any app that fails the check. On the other hand, cheap devices may only have software-level encryption that can be broken by attackers. Keep your device free from malware and do not run any app from unknown or insecure origins. Also, browse the Web safely and learn how to avoid malicious links and websites.

While ZeuS malware may intercept the credentials and SMS-based OTPs on the user’s device, it is still difficult for ZeuS or any malware to break the encryption of many 2FA solutions, e.g. TOTP and token generating devices (disconnected or connected). It is hard to duplicate disconnected token generating devices because they have no connection to the user’s device. Software tokens (e.g. TOTP) and connected token generating devices use strong encryption that is nearly impossible to break within the time window in which the token has to be entered for verification. The easiest way to safeguard your privacy and enforce security is to use tokens based on TOTP 2FA. Against malware and spyware such as ZeuS, 2FA still has the upper hand.
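The TOTP service introduced at the start of this post and the time window just mentioned can be seen directly in the algorithm. Below is an added example, not code from the page or from any authenticator app, of a minimal RFC 6238 TOTP generator and verifier in Python’s standard library. It uses the RFC’s published test secret (the ASCII string "12345678901234567890", shown in base32 as it would appear in an otpauth:// URI); the 30-second step, six digits, the ±1 step drift allowance and the "last used counter" bookkeeping are the defaults and recommendations of RFC 4226/6238, and the sample timestamps are constructed for the demonstration.

```python
# Added example (not the page's or any vendor's code): minimal RFC 6238 TOTP
# generation and verification, showing why a captured code is only good for one step.
import base64
import hashlib
import hmac
import struct
from typing import Optional

STEP = 30      # seconds per time step (the RFC 6238 default)
DIGITS = 6     # code length shown to the user


def key_from_base32(b32: str) -> bytes:
    """Shared secrets are usually shown to the user in base32 (e.g. in otpauth:// URIs)."""
    cleaned = b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)      # restore padding the URI form omits
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: the HOTP counter is the number of whole steps since the Unix epoch."""
    return hotp(secret, at // step, digits)


def verify(secret: bytes, code: str, at: int, last_used: int = -1,
           window: int = 1, step: int = STEP, digits: int = DIGITS) -> Optional[int]:
    """Return the counter the code matched, or None.

    Accepts up to `window` steps of clock drift either side of the server's time.
    Refuses any counter <= last_used, so a code the user has already spent cannot be
    replayed by someone who captured it, even inside the drift window (RFC 6238 s.5.2).
    The caller stores the returned counter as the new last_used value."""
    if not (code.isdigit() and len(code) == digits):
        return None
    current = at // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    # RFC 6238 test secret "12345678901234567890" in its base32 form
    secret = key_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    code = totp(secret, 59)                          # constructed time: T=59 -> counter 1
    print("code at T=59:", code)
    print("T=59, fresh:     ", verify(secret, code, 59))               # accepted, counter 1
    print("T=89, one step drift:", verify(secret, code, 89))           # still accepted
    print("T=120, expired:  ", verify(secret, code, 120))              # None: step has passed
    print("T=59, already spent:", verify(secret, code, 59, last_used=1))  # None: replay
```

The last two calls are the point of the passage above: a code lifted off a device is useless once its 30-second step (plus the one step of drift most servers tolerate) has passed, and with last_used tracking it is useless the moment the legitimate user has entered it, even inside that window. The values for T=59, 1111111109 and 1234567890 match the SHA-1 test vectors in RFC 6238 Appendix B, which is a quick way to check any TOTP implementation before trusting it.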

Give up SMS-based authentication and move to the new standards of security. Use 2FA solutions such as Google Authenticator or REVE Secure that provide multi-level security within the app itself to safeguard the user’s private key used for time-based OTP generation. 2FA solutions remain among the most widely used and most secure solutions for safeguarding privacy.