I recently wrote about multi-factor authentication (MFA) in the context of voiceprint analysis as a biometric authenticator. One authentication method I briefly mentioned was Fast ID Online, or FIDO. It’s gradually picked up momentum as a phishing-resistant technology. Compared to other authenticators — specifically one-time pad (OTP) — it’s still not widely used, even in 2023.
Ars Technica recently wrote about a popular attack vector on MFA: time-based OTP (TOTP), whether it’s delivered by authenticator app, SMS message, or hardware token. Because TOTPs are relatively short — typically six or eight digits — and they are hand-typed in the clear, they’re at risk of being phished or skimmed:
The phishing attack that breached Twilio’s network worked because one of the targeted employees entered an authenticator-generated TOTP into the attacker’s fake login site.Dan Goodin, Ars Technica, March 14, 2023
The Ars article discusses a Microsoft Security post examining a specific attack on TOTPs, but it critiques the post on an interesting point: the mitigations. Microsoft recommends a number of mitigations, including MFA with FIDO2, but Ars argues that they breeze past that point, instead focusing on other items like threat hunting and conditional access policies:
Unfortunately, the post glossed over the most effective measure, which is MFA based on the industry standard known as FIDO2. So far, there are no known credential phishing attacks that defeat FIDO2, making it among the most effective barriers to account takeovers.Dan Goodin, Ars Technica, March 14, 2023
FIDO is built on public key cryptography. You generate a key pair per service, and the private key remains on the device. It’s not possible to access the private key through device APIs, and even if that were possible, the compromise of a single private key doesn’t lead to a further compromise of other services. Additionally, devices can be configured to require a physical action (e.g. button press) to trigger FIDO authentication, or require separate biometric authentication (e.g. fingerprint) for an additional level of verification.
As Ars and the FIDO Alliance make clear: it’s a superior way to do MFA. I completely agree. And with the advent of FIDO2 and collaboration with the World Wide Web Consortium (W3C) on the Web Authentication (WebAuthn) and Client-to-Authenticator Protocol (CTAP), there’s widespread browser and device support for it.
It’s time for TOTP to go to the dogs. Woof.