Recently I encountered a bug in one of my second factor authentication apps that caused me to lose all the registered tokens for multiple sites. As you can imagine, losing (or having destroyed) the second factor for important sites can be a heart-in-the-throat moment (or three). Several of the sites I use fairly frequently, and I knew some of the sites would make resetting token generators difficult. Or so I thought. Hence the reason for this blog post.
In this post I shall discuss the challenges I faced, and the laughable situation of MFA recovery across the industry. Keep in mind, I’m examining this from my viewpoint of how much value each site held for me, and how I viewed the level of effort to gather the information to impersonate myself. This means I’m not going to dismiss SMS or email verification out of hand, but if you have something of particular value (identity, financial assets) I consider it a bad idea to use SMS or Email as the only element for verification.
A couple of posts that describe the issues with SMS and email for MFA: https://auth0.com/blog/why-sms-multi-factor-still-matters/ https://www.youtube.com/watch?v=SOQgABDSYZE&t=250s
I have only named one company in this list, and that’s because they deserve it. You’ll see why.
And lastly, yes, yes, I know. Backups or synchronization would be great. But that’s before I was enlightened. After this mess I have looked at several options, but they are few, and did not include the (popular) token generation tool that I have been was using for years.
Allora…
Do You MFA?
The first step in my journey was to try and remember every account that I had MFA for. Fortunately I had just done a rough accounting of them. I created a list and started stepping through them one by one.
My accuracy was pretty good. Except one, and it happened to highlight something I didn’t expect. We expect financial services institutions to implement some form of MFA, and same for large CSP, and domain registrars, largely because the security industry and auditors have harped about how important it is in today’s Internet society. So I was happy to see that ISC2 had MFA. However ISACA does not. Yes, your friendly association of auditors does not walk the walk. I am in the process of serving them with a material audit finding.
Two is Better Than One
The next batch of sites I had to recover were not quite as disappointing, but still not great.
Most asked me to push a button to send a link in an email or a code in an SMS I had previously supplied. While this might seem reasonable for a recovery option, and for some of the sites this didn’t upset me terribly – particularly where the loss of the account wouldn’t impact me financially – it did bother me that some were tied to services that I did care about maintaining the service and value I had paid for them. I absolutely understand the argument that SMS MFA is better than no MFA, and that many people (probably a generation older than me) still use phones without apps, or struggle with the concept of apps, but not giving me better MFA options for those accounts frustrated me. I want to protect them because I’ve invested time into them being useful for me. Knowing that someone could take advantage of that (particularly being in my line of work, and the couple of interesting blips I’ve notice the last two years) made me quite concerned, particularly because most of these never notified me that I had registered a new MFA. Although some did.
What did really amuse me was a company that used email and SMS together. You first had to validate the pre-shared email to then click on a link that started a phone call via your pre-shared phone number. I found it amusing because both SMS and Email are susceptible to hijack and intercept, and are usually the easiest pieces of information to gather about someone. If I thought of the big, big, big companies who do use one of their product lines for some big-name stuff, the whole email/phone validation process became quite concerning. Of course the probability of one of those companies using a well known email address like service-admin@mybigcompany.com is really unlikely right, but so is the probability of them assigning the admin account a phone number that is real.
Know Your Friends, Know Your Enemies Better
One particular site with sensitive information actually started to give me a greater degree of comfort. It first asked for email verification of my request. Then it proceeded to ask a series of questions about certain pieces of information that generally only I would know. It was not perfect. I know this information is stored in some locations that may not be that secure (not as a result of my own choice mind you), but at least there was a degree of obscurity to the information, and multiple factors to verify my identity.
Kill and Recover
The most dramatic of all my recovery efforts was one particularly sensitive account. I had saved recovery keys, and pre-shared contact info. However it didn’t accept any of these. It is likely that when I first registered for this site (probably 10 years ago) I captured recovery codes that didn’t carry over when they updated their authentication system. Sigh.
Their resolution to this problem was to delete the authentication ID, create a new one, and then relink the products I owned back to that ID. While the process of deleting the account was fairly painless (it did require a 24 hour waiting period), deletion of the account only required my password. No other verification was needed. To their credit however, I did receive an email letting me know that the account was being deleted, and I had 24 hours to rescind the deletion. But knowing that just that piece of information could be used to delete my account was a little unsettling, if only for a threat to availability.
Relinking the sensitive services to my account required a sensitive piece of information, so that was reasonably secure, but given the sensitivity, I would have liked if they verified my identity through another means.
Recommendations (My Real Favorites)
- If your customers are in the camp of “must have SMS or email” then give customers options. Several sites had “use token”, “use SMS”, “use email”, “use recovery codes”. This gave me options to decide how I could protect my assets. It also gives me options based on what I can support. (I’ll take 47 full ASCII character one-time-passphrases please – I love to hunt for non-US keyboard characters!)
- Leverage multiple discrete methods of verification for anyone looking to reset their MFA. Create a form of MFA for MFA resets. Mix together different elements that typically will not be found together; recovery secrets and SMS; personal information and SMS. Frankly three different elements would be the best. Individually these items are not secure, but together they raise the bar and provide a greater level of resistance to an attacker.
- For more secure sites, use methods that provide greater integrity. Pictures of identity documents coupled with SMS, recovery codes, (and fast customer service) can provide a level of certainty for sites containing highly confidential information.
- If you feel the need to use personal data to verify an individual, make sure that information is not likely to be floating around in the public eye. Social Security Numbers, pay stubs, mother’s maiden name are all items that are possible to retrieve by anyone. If you are going to go this route, include multiple pieces of information and utilize a completely different method of verification. Raise the bar.
- Notify through multiple means that MFA has changed. Just like a single method to verify, also notify via multiple methods. It makes it clearer when something malicious is happening to your account.