The Weakness in Two-Factor Authentication—Your Lost Phone Policy

by Avi Gesser, John R. Kapp, and Michelle Adler

Two-factor authentication is one of the most common measures that companies use to reduce cyber risk, but it is not very effective if companies don’t also have good lost phone protocols.

Various regulations and industry rules require two-factor authentication (also referred to as multi-factor authentication or MFA), including the NYDFS cyber rules, the NIST identification and authentication requirements, the Payment Card Industry (“PCI”) Data Security Standard 8.3, as well as the proposed amendments to GLBA.

MFA involves confirming that a purported user of a certain login credential and password is actually the authorized user, by employing an additional verification method, such as a passcode sent to an employee’s phone by text message or through an authenticator app like Duo or Google Authenticator.  But not all forms of verification are equal.  In 2016, NIST considered not recommending SMS messages as a form of second-factor authentication due to their susceptibility to being redirected by attackers.

Hackers always look for the weak link, and they have learned to get around MFA by exploiting gaps in companies’ lost phone protocols.  They do this by calling the IT help desk, saying they are employees who have lost their phone, so they can’t use the MFA app to log in, and they have some emergency that requires them to get immediate access to the network.  They often claim to be a senior executive, which is effective for two reasons.  First, there is often a lot of publicly available information about senior executives, including when they are out of the office at speaking events.  Second, senior executives are likely to seem credible when they are yelling at IT help-desk staff asking for login credentials on an emergency basis, impatient with delays or policy-related excuses, and threatening people that they will lose their jobs if the executives don’t get what they want.

In light of these scams, companies should consider developing clear protocols for verifying the identity of people claiming to be employees who have lost their phones, along with training for help-desk staff.  Companies should be careful not to verify lost-phone claims with information that can be easily obtained from public sources or recent data breaches, such as home addresses, social security numbers, dates of birth, places of birth, and names of spouses or children.  Instead, companies should verify users who claim to have lost their phones using information that would not be known by anyone external to the company, like the rough amount of the employee’s last paycheck, their last purchase in the company’s cafeteria, the name of the co-worker they most recently called, or the location of their last meeting at the office.

Companies often spend enormous amounts of time and money implementing MFA.  It is worth spending a little extra to make sure there are no gaps in their lost phone protocols that undermine all the good work done on MFA.

Avi Gesser is a partner, John R. Kapp is the Global Director of Information Technology, and Michelle Adler is an associate at Davis Polk & Wardwell LLP. This piece was originally published on Davis Polk’s Cyber Blog.

Disclaimer

The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law.  PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.