MFA (Multi-Factor Authentication): its purpose, design and critical flaw



Often, down the line, we are deemed to design systems that require users to submit their public identity, be it the most common public identity (email / phone number), so that we can provide questionable security to the user. We will design the system in a way that we can really make sure that it's indeed the user, by authenticating the user in multiple ways: first through the system, maybe with a password; secondly by authenticating using SMS or email. The list can go on without stopping.

The core purpose of MFA is to make sure that the user is really who they say they are, because the user obviously holds the email and phone or whatever other applicable things, and to recover lost accounts in case the user loses their password on the system that you design.

It all sounds good: you have a CA-signed certificate or a CA-signed X509Certificate (C#). Now we need to talk about how most people design a system that has MFA. First off, usability, human error and ease of use are put in place when designing a system that has MFA. What does it mean? It means that, because we as users can lose our passwords, there's no way in later days we can remember our passwords again; it's illogical to say it's possible. So what does it mean to us developers? By putting ourselves in the user's place, we want to just key in our recovery email or whatever kind of recovery data, and just wait for the system to send something like a password reset in an email or an SMS (not quite common). If we follow this design route, following the 3 principles I stated, our options as developers are very limited. The 2 most commonly used ways are either to not encrypt the MFA data, like the user's email, or to encrypt it; but because the server needs to send recovery data to whatever associated email or other applicable channel, the encryption key used to encrypt the MFA data is CENTRALIZED, or stored on the server. I don't think there are other possible ways to do so when the system would like to use MFA or to provide account recovery features to the user.

Because of the way we commonly design systems with MFA or account recovery features, if someone so skilled and talented (be it an insider or an outsider) breaks into the system, server or network, then regardless of whether it's encrypted or not, data leakage still happens, since most of the time MFA data is the user's private data whether we like to deal with it or not (if the system is public).

Currently there may or may not be solutions to this problem of how to protect MFA data, but my hope for MFA is pretty slim, as the option to enable it will always be deemed a centralized solution, which is prone to both insider and outsider attacks.

Some of the most common attacks that could be performed on users after MFA data has leaked include, but are not limited to, phishing, social engineering, scamming and spamming.

One example of a huge data leak that came from a big company that uses MFA functions in its system:
https://www.businessinsider.com/stolen-data-of-533-million-facebook-users-leaked-online-2021-4

I am not quite sure if this was easy and simple enough for most of you to understand. If it isn't, do let me know.

Edited by chrono_legionnaire

For the account recovery feature, it should be done by machine (the user sends a request, the machine sends a verification code, the user enters the verification code).

No one shall interact with this process, and the system shall not give out any email / phone number except to the user himself / herself.

(Only when the user calls / emails the support team will they get the contact info.)

 

For MFA (most common is 2FA), the server which sends the verification code (SMS / email) shall be accessible only by process.

This SMS / email server should be one of the highly sensitive servers, which handle incoming / outgoing messages.

 

By the way, to reduce data leakage by insiders,

control lists of records (e.g. export to Excel, show customer list, search customer name like '*john*'), only accessible with proper permission.

 

🙂  

 


The one who sends SMS to reset passwords (very rare) is MySejahtera. It does not look good to click a hyperlink in a plain text message, as SMS was not meant to work that way.

Anyway, I understand your layman's terms and I appreciate your sharing of knowledge. But you missed one point: now they use Authenticator apps as well (e.g. Microsoft & Google). At least it is the third option, after passwords and SMS text messages.

Do you know why WhatsApp discontinued their Account Kit (WhatsApp verification code) years ago? It was so convenient, more convenient than SMS for receiving verification codes.

And thanks @flashang for the additional information.


I am new to this. What my goal was, the same applies to security stuff: I am limited by what I know.

Flashang, I am trying to understand what you are stating as the flow in the first part of the message. To do that, essentially, what you are trying to say is to ask the user to type in their username in the system, or to use some nickname of theirs, then proceed with the account recovery flow? Because from what I understand, you are saying that asking the user to enter their recovery email / something similar and then proceeding with account recovery is not a good idea.

Fliermate, mind filling me / this community in with details regarding Account Kit?

Edited by chrono_legionnaire
1 hour ago, chrono_legionnaire said:


Fliermate, mind filling me / this community in with details regarding Account Kit?

Good idea.

https://developers.facebook.com/blog/post/2019/04/30/whatsapp-verification-codes-account-kit/

 

Introducing WhatsApp verification codes for Account Kit

May 1, 2019

Quote

We're releasing the SDK to integrate WhatsApp verification into Account Kit for iOS and Android. Developers can now give people the option to use WhatsApp to send verification codes as an alternative to SMS for phone number login. This has been available on the web SDK since late 2018. Account Kit helps you grow your app or website by giving people a choice to sign in with their phone number or email address without the need for a password.

But then they discontinued it...

Quote
  • September 9th 2019 – No new apps will be able to integrate Account Kit, existing integrations will continue to work as usual
  • December 9th 2019 – The daily SMS limit will be reduced to 1,000 messages per app ID per day. All other channels (including WhatsApp) will continue to work as usual
  • March 9th 2020 – Account Kit will no longer be available
  • June 2020 – Developers will have until June 2020 to retrieve any data or information from the Facebook platform unless they initiate shut down beforehand, in which case they will get 30 days from shut down to retrieve information / data before it’s deleted from the system

 

11 hours ago, chrono_legionnaire said:

I am new to this. What my goal was, the same applies to security stuff: I am limited by what I know.

Flashang, I am trying to understand what you are stating as the flow in the first part of the message. To do that, essentially, what you are trying to say is to ask the user to type in their username in the system, or to use some nickname of theirs, then proceed with the account recovery flow? Because from what I understand, you are saying that asking the user to enter their recovery email / something similar and then proceeding with account recovery is not a good idea.

Fliermate, mind filling me / this community in with details regarding Account Kit?

 

When you log in to a system, e.g. Gmail, Facebook, a banking web site, ...

the system will ask for username and password.

The username could be your email, phone number, "username", IC, staff code, ...

If a user forgets their password and tries to do a password recovery, the system needs to know "who", or technically "which account".

 

So the system will ask "what is your username / email / phone / blah blah blah".

And the "password recovery link with special key code" for recovering the password will be sent to the user's "registered contact", which is either email or phone.

Without the "special key code", the password recovery process will not work.

 

🙂

 

 

Edited by flashang
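The recovery flow flashang describes in the post above (the system identifies "which account", sends a special key code to the registered contact, and nothing works without that code), together with the earlier point that the process should be handled by machine without disclosing the email / phone number, as an added worked example. This is illustrative code written for this thread, not code from any poster or from any product named here; the 15-minute code lifetime, the PBKDF2 parameters, the `RecoveryService` class and method names, and the sample accounts are all assumptions. The "outbox" list stands in for the SMS / email gateway so the example runs offline.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: a recovery code is valid for 15 minutes
PBKDF2_ROUNDS = 100_000      # assumed work factor for password storage


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'salthex$digesthex'."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def check_password(password: str, stored: str) -> bool:
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return secrets.compare_digest(candidate, stored)  # constant-time comparison


def make_sample_accounts() -> dict:
    # Constructed sample data: usernames and contacts are placeholders, not real people.
    return {
        "alice": {"contact": "alice@example.com", "password_hash": hash_password("old-pw")},
        "bob": {"contact": "+60-000-000-0000", "password_hash": hash_password("old-pw")},
    }


@dataclass
class PendingReset:
    username: str
    expires_at: float


class RecoveryService:
    """Machine-driven password recovery: no person handles the code or the contact."""

    def __init__(self, accounts: dict, clock=time.time):
        self.accounts = accounts
        self.clock = clock          # injectable so expiry can be exercised deterministically
        self.pending = {}           # keyed by SHA-256 of the code; the code itself is never stored
        self.outbox = []            # constructed stand-in for the SMS / email gateway

    @staticmethod
    def _code_hash(code: str) -> str:
        return hashlib.sha256(code.encode()).hexdigest()

    def _find_username(self, identifier: str) -> Optional[str]:
        # The user may type a username, email or phone; all resolve to one account.
        for username, acct in self.accounts.items():
            if identifier in (username, acct["contact"]):
                return username
        return None

    def request_reset(self, identifier: str) -> str:
        username = self._find_username(identifier)
        if username is not None:
            code = secrets.token_urlsafe(32)  # 256 bits of randomness: the "special key code"
            expires = self.clock() + TOKEN_TTL_SECONDS
            self.pending[self._code_hash(code)] = PendingReset(username, expires)
            # Only the gateway learns the contact; the web response never echoes it.
            self.outbox.append({"to": self.accounts[username]["contact"], "code": code})
        # Identical reply whether or not the account exists (no account enumeration).
        return "If an account matches, a reset code has been sent to its registered contact."

    def complete_reset(self, code: str, new_password: str) -> bool:
        # pop() makes the code single-use: a second attempt finds nothing.
        entry = self.pending.pop(self._code_hash(code), None)
        if entry is None or self.clock() > entry.expires_at:
            return False
        self.accounts[entry.username]["password_hash"] = hash_password(new_password)
        return True

    def verify_password(self, username: str, password: str) -> bool:
        acct = self.accounts.get(username)
        return acct is not None and check_password(password, acct["password_hash"])


if __name__ == "__main__":
    svc = RecoveryService(make_sample_accounts())
    print(svc.request_reset("alice"))
    code = svc.outbox[0]["code"]            # what the user reads from their email / SMS
    print("reset ok:", svc.complete_reset(code, "new-pw"))
    print("replay ok:", svc.complete_reset(code, "again"))   # False: code already consumed
```

The two properties flashang's posts call for are visible in the control flow: `request_reset` returns the same sentence for known and unknown identifiers and never includes the contact, and `complete_reset` refuses anything that is not the exact unexpired code, then discards it so it cannot be replayed.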
