Password reset links and 2FA codes exposed- SecureAuth
November 2018 by Keith Graham, Chief Technology Officer of SecureAuth
In relation to the news story that a security lapse has exposed a massive database containing tens of millions of text messages, including password reset links, two-factor codes, shipping notifications and more; which has affected 2FA users of HQ Trivia, Booking.com, Amazon and others, Keith Graham, Chief Technology Officer of SecureAuth has provided a following response on this data breach below.
"Too many organizations are overly reliant on passwords and two-factor authentication to verify users’ identities - that is, those users’ credentials in this latest example were never fully secure in the first place.
In this latest example, the use of a simple two-factor authentication method – a one-time passcode sent over SMS - could be easily intercepted in near-time, eroding any possibility of establishing a level of trust. As organizations seek to prevent credential-based breaches they must move beyond password and simple two-factor authentication methods which are no longer enough to safeguard against today’s attacks.
The way organizations are securing themselves needs to be rethought with identity as the third pillar of security along with network and endpoint. With 83 percent of data breaches attributed to attackers walking through the front door with stolen credentials, organizations must use modern approaches that go beyond two-factor authentication such as adaptive and risk-based authentication that strengthens security, prevents these types of attacks without burdening the end user.
Increasingly today, two-factor authentication can be circumvented, especially when two-factor codes are obtained which is why it is critical to reinforce with adaptive authentication techniques that perform risk analysis in the background. Such techniques include device recognition, geo-location, and phone number fraud detection when consumers or employees log in to corporate networks."