Is something missing in 2FA? Perhaps!
The problems with 2FA are obvious, or so I thought.
Below are my notes from an interview I had with a cybersecurity consultant and expert.
In a recent interview, I discovered that what I see as obvious may be a wow moment for others. 2FA solutions, be they web, email, smartphone, PIV card or a specialty device such as a YubiKey or SecurID token, typically do not address possession status by answering the question: is the device or document in the possession of, and in use by, its real owner? I am aware of none that do, and failing this implies that anyone with possession can impersonate the owner. Indeed, most 2FA solutions fail even to address the question: is the device in the possession of a human? Ignoring the human component of identification opens an opportunity for a phishing attack that lands a bot on the device, after which the bot grabs an authenticator OTP or token, and it’s off to the races.
Failing to verify possession by a specific person and treating the human component as optional in the 2FA process defies logic and opens the door to impersonation attack.
Presently there are two widely used classes of 2FA solution: those that ignore the human factor altogether and those that require a modicum of human involvement.
Most 2FA solutions ignore the requirement of human involvement in the identification process. Some require no more than a “click here” acknowledgment of an email or text message. Some deliver a One Time Password (OTP) to a web form, some send it to an email address, and others send it as a text message to a smartphone or similar device. Other 2FA variants produce the OTP as an automated process of an app running on a smartphone. I have three such apps, each producing a new 6-digit OTP every 30 seconds or so. In all of these, the human component is optional and unverified. Any human or well-implemented bot will do.
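The 6-digit, 30-second codes described above are time-based OTPs (TOTP, RFC 6238, built on HOTP, RFC 4226). The following is an added example, not code from the original post, that implements the algorithm and a minimal server-side verifier to make the author's point concrete: the verifier checks only that the presented code was derived from the shared secret, so it cannot tell whether a human or a bot relayed it (the phishing scenario from the notes above). The `Verifier` class, its replay lock-out, and the timestamps are constructed for illustration; the secret is the RFC 4226/6238 test vector, not a real key.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 published test secret (ASCII "12345678901234567890").
# Constructed example only; never use a fixed or published secret in practice.
SECRET = b"12345678901234567890"
STEP = 30     # seconds per time step, as in the 30-second apps described above
DIGITS = 6    # code length, as in the 6-digit apps described above


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step)


class Verifier:
    """Server side of the exchange (hypothetical). It holds the shared secret,
    accepts a code from the current step or one step either side, and records
    the last accepted step so the same code cannot be accepted twice."""

    def __init__(self, secret: bytes, step: int = STEP, window: int = 1):
        self.secret = secret
        self.step = step
        self.window = window
        self.last_counter = -1  # highest time step already consumed

    def verify(self, code: str, now: int) -> bool:
        counter = now // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue  # replay lock-out: a step is consumed once
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False


def demo() -> dict:
    """Constructed timeline: the owner's app produces a code at t=59; the same
    code is relayed by a phishing bot at t=70 (still inside the same 30s step).
    Nothing in the protocol identifies who typed the code; only the order of
    arrival decides which presentation the replay lock-out rejects."""
    code = totp(SECRET, 59)

    server = Verifier(SECRET)
    user_first = server.verify(code, 59)       # owner presents the code
    relayed_after = server.verify(code, 70)    # bot replays it afterwards

    server = Verifier(SECRET)
    relayed_before_user = server.verify(code, 70)  # bot wins the race instead

    return {
        "user_first": user_first,
        "relayed_after": relayed_after,
        "relayed_before_user": relayed_before_user,
    }


if __name__ == "__main__":
    print(totp(SECRET, 59), demo())
```

The replay lock-out is a real mitigation, but only against a code reused after its owner has already spent it; when the relayed code arrives first, the verifier has no way to prefer the human, which is exactly the gap the notes describe.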
Another class of identification solution is the 2FA methods that attempt to force “human” involvement in the process. There are devices like the YubiKey with a little button that must be pressed, ostensibly by a human. There are chip-and-PIN cards that match a human-provided PIN against the one known to the chip on the card, and the PIV/CTC variant that requires a biometric in place of, or in addition to, the PIN. Devices of this type require human involvement, but in all of them “any” human will do.
In other words, it is obvious that most 2FA solutions make no attempt to affirm human involvement in the process of human identification. Those that do fail to verify that the human is the specific person to whom the identification device or document belongs.
These are serious failings that, if ignored, put the user, their accounts, and anyone who depends on accurate identification at risk. It was this observation that prompted me to invent the “Personal Identifier”, which mandates human involvement, and then only that of one very specific human.