4

I understand that 2FA increases security if you are using two different devices, for instance a computer and a mobile phone.

I fail to understand how these security measurements help if you are doing everything on your mobile device.

Imagine if I log in to my bank website with username and password on my mobile phone. I will then get an SMS code on my mobile phone, which I can of course read, so with which I can simply proceed to log in. The same principle applies if the 2FA is an e-mail or an authenticator app.

Of course your mobile phone can be locked by a PIN code and you still need the username/password for the bank website. However your browser allows you to remember the username and password, leaving the PIN code as the only safeguard (if you have one).

Isn't this just as insecure as just having 1FA?

Shouldn't we consider anyone who logs in via his mobile phone just as insecure as 1FA?
And if so, why don't websites block this approach? What's the point of 2FA anyway if an increasing amount of users just use their mobile phone for these things? Isn't the risk of people having their phone stolen a lot higher than that of a computer or laptop being stolen? Even worse here is that most websites allow you to use "forgot my password" to send to your e-mail account, which probably is also on your mobile phone. So in that case even your bank account is only protected by the PIN code of your mobile phone.

Is there a possibility to improve the security when one is using only his mobile phone?

  • You're right for targeted attacks (i.e., someone who knows you and has physical access to you/your devices). But some hacker in some other *country* (for example) still cannot get in, and that's the vast majority of attacks in real life. –  Jan 27 '21 at 02:20

4 Answers

3

No, it’s not as insecure as 1FA. 2FA is about making life inconvenient for an attacker, not for yourself. With 1FA, anyone anywhere in the world can access your bank account if your username and password leak or can be guessed. 2FA means that the attacker has to have your phone, or another way to access your text messages if your second factor is SMS (which is deprecated). It’s true that you should avoid storing your first and second factors in the same place where possible, but even if you don’t do that, it’s still far more secure than 1FA.

Mike Scott

  • It is exactly as insecure as 1FA because it _is_ 1FA. The factor is the phone _instead_ of the password. The attacker has to have logical access to the phone, which can mean a software compromise. Between the security of a password and the security of a smartphone, there isn't a clear winner. – Gilles 'SO- stop being evil' Jan 26 '21 at 17:53
  • @Gilles'SO-stopbeingevil' The post mentions a PIN on the phone. That’s something you know. – Mike Scott Jan 27 '21 at 07:27
  • @MikeScott Does that mean that a totp generating program/browser extension on your desktop PC protected by a PIN would be as secure as using a smartphone for totp generation, to achieve 2FA? or maybe even more secure? – user9203881 Jan 31 '21 at 03:19
  • @user9203881 It wouldn’t be as secure as using a separate smartphone, but it would be vastly more secure than 1FA, because now an attacker would have to have some kind of access to your PC or its data. – Mike Scott Jan 31 '21 at 07:13
  • @user9203881 Yes, that would be 2FA. Because you're using 2 of the 3 factors commonly thought of - Something you Know (password; either the bank password or a password to login to your PC if you have autofill), and Something you Have (your PC with the TOTP gen/key) (Something you Know could be Something you Are, if your PC has biometric hardware - i.e. if your laptop has a fingerprint scanner that you use to unlock it) – Delioth Feb 03 '21 at 17:55
  • @Delioth aren't totp keys considered something you know? the fact that you have it on the hardware isn't interfering with the authentication system, rather it's the 6 digits you temporarily remember and input in the form; which is why I assumed you need a PIN to protect access to the totp – user9203881 Feb 03 '21 at 21:47
  • @user9203881 No, TOTP is a way to turn a shared secret key into something you have rather than something you know. Because you _don’t_ know the TOTP key, only your device does. – Mike Scott Feb 03 '21 at 21:49
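The comment thread above turns on what TOTP actually is: a shared secret that is provisioned to the device once and never typed by the user, from which each 6-digit code is derived. The following Python is an added example, not code from Mike Scott's answer or from any commenter; it implements RFC 6238 TOTP on top of RFC 4226 HOTP with HMAC-SHA1, a 30-second step and 6 digits (the defaults most authenticator apps use). The secret is the RFC 6238 Appendix B test secret so the output can be checked against the RFC's vectors; the issuer and account name in the enrollment URI are made-up placeholders.

```python
"""
TOTP (RFC 6238) on top of HOTP (RFC 4226): the shared secret is provisioned
once to the device and never typed by the user; every 6-digit code is derived
from that secret plus the current 30-second time step.
"""
import base64
import hashlib
import hmac
import struct
import urllib.parse

# Test secret from RFC 6238 Appendix B (ASCII "12345678901234567890").
# A real enrollment would use secrets.token_bytes(20) instead.
RFC6238_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value for one counter (RFC 4226 section 5.3, HMAC-SHA1)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, int(at // step), digits)


def provisioning_uri(issuer: str, account: str, secret: bytes) -> str:
    """otpauth:// URI (the content of the enrollment QR code). The secret
    leaves the server exactly once, here; afterwards only codes travel.
    Issuer/account values are whatever the caller passes (placeholders below)."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = urllib.parse.quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}"
            f"&issuer={urllib.parse.quote(issuer)}&algorithm=SHA1&digits=6&period=30")


class TotpVerifier:
    """Server-side verifier for one enrolled user.

    Accepts codes from +/- `window` time steps to tolerate clock drift, but
    records the highest counter already used so that a code captured by an
    attacker (e.g. phished) cannot be replayed within that window.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_counter = -1   # persisted per user in a real deployment

    def verify(self, code: str, at: float) -> bool:
        counter = int(at // self.step)
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue                       # already consumed: replay
            expected = hotp(self.secret, c, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time compare
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 Appendix B vector: T=59s -> counter 1 -> "94287082" (8 digits)
    print(totp(RFC6238_SECRET, 59, digits=8))
    print(provisioning_uri("ExampleBank", "alice@example.com", RFC6238_SECRET))
    v = TotpVerifier(RFC6238_SECRET)
    now = 1_600_000_000
    code = totp(RFC6238_SECRET, now)
    print(v.verify(code, now))         # True: fresh code from the device
    print(v.verify(code, now))         # False: same code replayed
    print(v.verify(code, now + 300))   # False: outside the drift window
```

Two things this makes concrete for the discussion above. The user never learns or enters the secret, only a short-lived derivative of it, which is why TOTP counts as something you have: whoever holds the secret (the phone, or a desktop extension, or a password manager that was allowed to store it next to the password) is the factor. And a phished code is useless once its time step has passed or once it has been consumed, which is the protection against the remote attacker with a leaked password database that the answers describe; it does nothing against someone holding the unlocked device that carries the secret.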
2

Even in that particular scenario, it's still two factors: a PIN to unlock the phone and access to the device. This combination protects the bank against a range of threats that regular passwords do not. Stealing the phone is not enough to impersonate you. Knowing or guessing the password for the bank website (through phishing, an interception or man-in-the-middle attack, brute force against the service provider or compromise of another one of your accounts) isn't enough either.

This particular combination of factors is especially weak compared to some other approaches (e.g. a password together with a dedicated hardware token, an OTP generator app on a separate device or an OTP generator with a PIN and smartcard) for several reasons. SMS comes with its own weaknesses: messages can be intercepted remotely or, depending on your settings, read without unlocking your phone. A remote software vulnerability on the phone could also be exploited to circumvent the authentication.

The risks are high enough that some banks do implement additional measures to improve upon this while still letting you access online banking with only one phone. For example, you can be prompted to enter an app-specific PIN or authenticate biometrically (touch or face ID) every time you open the app or do something sensitive. Those are not saved in the browser's password manager. I am not sure how vulnerable these apps might be against a phone compromise but I suspect the protection is not ironclad. Of course, if you want to enforce this type of authentication (as opposed to offering it as an option), you also need to make sure it's not possible to use the website instead of the app, or make it hard to save the password used to log in to the website.

Relaxed
1

On your phone, yes, 2FA that makes use of your phone is a little silly.

But, 2FA is not meant to protect from an attacker who has your phone. The whole idea of using a phone as a 2FA device, is the assumption that only you will have your phone, or at least only you will be able to unlock it or view codes on it. Breaking that assumption obviously breaks the security of the system.

2FA is meant to protect you from someone else, without physical access to you or your personal possessions. Some forms of phone-based 2FA are better than others, but all of them offer at least some protection against random cyber criminals on a computer in Romania using a stolen password database to get into your account.

Ben
0

What Mike Scott is explaining is the different MFA factors. The three most commonly discussed are:

  1. What you know
  2. What you are
  3. What you have

So you know your password, that falls under the first factor. Your phone is a physical token, it's something you have. So that falls under the third factor. As an example, biometrics falls under the second factor.

This distinction also makes it clear why writing down your password is a bad idea. Because now what you know has become what you have. You've bridged those factors for an attacker.

  • I would argue writing a password down, but in exchange using a much stronger password, is still a worthwhile idea. Everything has upsides and downsides. –  Jan 26 '21 at 15:56
  • @MechMK1: In a nutshell, that's the motivation of MFA: use complementary factors to address weaknesses in one factor and build a system that is more secure overall. – CorruptedHeapScapeGoat Jan 26 '21 at 17:28
  • In practice “know your password” is replaced by “have once entered your password into the phone”. So a lot of the modern authentication is in fact single-factor, just a what-you-have, and for a weak version of “have” since a smartphone can be compromised by a remote attacker (most smartphones in service stopped receiving security updates a long time ago). – Gilles 'SO- stop being evil' Jan 26 '21 at 17:56