Is two-factor authentication (2FA) enough to secure access management?
“Make sure to enable and enforce two-factor authentication” — That’s always been our best advice, and don’t get me wrong, it still is.
However, a few recent developments may have tipped the scales a bit in favor of cyber attackers.
In early July 2020, amid the continued global adoption of remote work, the cybersecurity world was startled by a ‘novel’ incident in which attackers managed to turn off 2FA for a company called Amos WITHOUT actually going through the enabled 2FA step.
In other words: Attackers managed to make 2FA redundant, casting security doubts around its effectiveness.
Hacking 2FA – How did they do it?
Normally, when 2FA is enabled, any attempt to log in from an ‘unfamiliar device’ requires additional verification (for example, a code sent to your phone by text message, or by email). Without successfully passing that second step, access is denied.
However, there are TWO important factors to consider here:
1. Human error
Human error is the most common security scenario, and it is why we always emphasize the importance of having a cloud security tool to catch it when it happens.
✅ In this scenario, Amos used a service called ‘NoMachine’ to access virtual desktops remotely. The problem occurred when Mr. Amos, who used NoMachine to operate a macOS virtual desktop, saved his login information to Safari after logging in to his Google account from there, which he admits ‘shouldn’t have been done’.
2. Google’s Password Manager
Everyone loves password managers. They ‘delightfully’ save you from re-entering those passwords over and over, especially when you’re in a rush or can’t quite remember your password.
But here’s the catch: disabling Google 2FA doesn’t itself require a 2FA challenge if you’re already logged in.
✅ When Mr. Amos logged in, Google had cached a recent session token on his machine. Attackers were then able to re-use the cached password via Safari auto-fill, refresh the session token, and subsequently disable 2FA on that account.
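The gap above is that a still-valid cached session was enough to switch 2FA off. The usual mitigation is step-up authentication: a sensitive settings change demands a fresh second-factor check, no matter how long ago the session signed in. The Python sketch below is an added illustration, not code from the original post and not Google’s or GAT’s implementation; the five-minute freshness window, the session fields and the sample code values are assumptions constructed for the example.

```python
"""
Step-up re-authentication for sensitive account actions.

Added illustration, not code from the original post and not Google's or GAT's
implementation. A still valid, cached session must not be enough on its own to
switch 2FA off: sensitive settings changes require a *fresh* second-factor check,
however long ago the session first signed in. Session and code values are
constructed for the example.
"""
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Assumed policy value (not from the post): a second-factor check older than this
# does not count for sensitive actions.
STEP_UP_MAX_AGE = timedelta(minutes=5)


class StepUpRequired(Exception):
    """Sensitive action attempted without a fresh second-factor verification."""


@dataclass
class Session:
    user: str
    created_at: datetime
    mfa_verified_at: Optional[datetime] = None   # last fresh second-factor check
    two_factor_enabled: bool = True
    audit_log: List[Tuple[str, str, str]] = field(default_factory=list)


def mfa_is_fresh(session: Session, now: datetime) -> bool:
    """True only if the second factor was verified within STEP_UP_MAX_AGE."""
    if session.mfa_verified_at is None:
        return False
    return now - session.mfa_verified_at <= STEP_UP_MAX_AGE


def verify_second_factor(session: Session, submitted: str, expected: str, now: datetime) -> bool:
    """Record a fresh verification if the submitted code matches (constant-time compare)."""
    if hmac.compare_digest(submitted.encode(), expected.encode()):
        session.mfa_verified_at = now
        session.audit_log.append(("ok", "step_up", now.isoformat()))
        return True
    session.audit_log.append(("fail", "step_up", now.isoformat()))
    return False


def disable_two_factor(session: Session, now: datetime) -> None:
    """Sensitive action: refuse unless the second factor is fresh, and log either way."""
    if not mfa_is_fresh(session, now):
        session.audit_log.append(("denied", "disable_2fa", now.isoformat()))
        raise StepUpRequired("re-verify your second factor to change 2FA settings")
    session.two_factor_enabled = False
    session.audit_log.append(("ok", "disable_2fa", now.isoformat()))


def replay_scenario() -> dict:
    """Replay the shape of the incident: a cached session is reused long after sign-in."""
    signed_in = datetime(2020, 7, 1, 9, 0, tzinfo=timezone.utc)
    # 2FA was passed at sign-in, so the last verification equals the sign-in time.
    session = Session(user="alice", created_at=signed_in, mfa_verified_at=signed_in)
    reuse = signed_in + timedelta(days=7)   # the cached session is reused a week later

    denied = False
    try:
        disable_two_factor(session, reuse)
    except StepUpRequired:
        denied = True
    still_enabled = session.two_factor_enabled

    # The genuine user enters a fresh code; within the window the change goes through.
    stepped_up = verify_second_factor(session, "123456", "123456", reuse)
    disable_two_factor(session, reuse + timedelta(seconds=30))
    return {
        "stale_session_denied": denied,
        "still_enabled_after_denial": still_enabled,
        "step_up_ok": stepped_up,
        "disabled_after_step_up": not session.two_factor_enabled,
        "audit_events": [e[0] + ":" + e[1] for e in session.audit_log],
    }


if __name__ == "__main__":
    for key, value in replay_scenario().items():
        print(key, "=", value)
```

The point of the design is that session validity and second-factor freshness are tracked separately: the session may stay signed in for days for convenience, but the `mfa_verified_at` timestamp is what gates the 2FA settings page, and every denied attempt lands in the audit log where a security team can see it.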
Two-factor Authentication VS Constant User Identity Verification
So how do you outsmart attackers even when human error plays its part?
Simple: by making identity verification constant, rather than a single event at log-in, following a Zero Trust security model.
That way, even if attackers manage to get in, the constant verification mechanism detects the impostor right away and kicks them out of the session.
How it works:
Constant identity verification works as a third authentication factor (3FA) and keeps running in the background, throughout the entire session, while the user is logged in, to confirm their identity.
GAT’s ActiveID – Zero Trust 3FA
GAT’s ActiveID is the perfect example to explain how constant identity verification works.
ActiveID continuously learns and monitors the unique typing style of each user, actively verifying that the user behind the keyboard is in fact the user who is logged in, at all times, in Google Chrome.
If an impostor is detected, a whole range of corrective actions can be taken, from alerting an Admin or Security Officer with a webcam shot of the ‘impostor’ to logging out the user.
Configure GAT Shield with ActiveID and it will instantly start learning who each user is. It builds a unique mathematical model for each user and uses AI to process the live typing stream, monitoring and learning simultaneously.
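To make the idea of a typing-rhythm model concrete, here is an added Python sketch of keystroke dynamics. It is not ActiveID’s code, and its ‘model’ is a plain per-user statistical profile rather than any vendor’s AI. It learns how a user types (dwell time, how long a key is held; flight time, the gap between releasing one key and pressing the next) from enrolment sessions, then scores the live keystroke stream window by window so that a different person at the keyboard is flagged mid-session rather than only at login. The window size, the alert threshold and all timings are constructed assumptions for the example.

```python
"""
Continuous typing-rhythm verification (keystroke dynamics), sketched in Python.

Added illustration only: this is not GAT's ActiveID code, and the "model" is a
plain per-user statistical profile, not any vendor's AI. Learn how a user types
(dwell = how long a key is held, flight = gap between releasing one key and
pressing the next), then keep scoring the live keystroke stream in small windows
so a different person at the keyboard is flagged mid-session. All timings below
are constructed sample data.
"""
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple

Keystroke = Tuple[str, float, float]          # (key, press_ms, release_ms)
Profile = Dict[str, Tuple[float, float]]      # feature name -> (mean, stdev)

STDEV_FLOOR_MS = 5.0   # assumed: avoids dividing by ~0 for very consistent typists


def features(stream: List[Keystroke]) -> Dict[str, List[float]]:
    """Dwell time per key and flight time per key pair (digraph)."""
    feats: Dict[str, List[float]] = {}
    for i, (key, press, release) in enumerate(stream):
        feats.setdefault("dwell:" + key, []).append(release - press)
        if i > 0:
            prev_key, _, prev_release = stream[i - 1]
            feats.setdefault("flight:" + prev_key + key, []).append(press - prev_release)
    return feats


def build_profile(enrolment: List[List[Keystroke]]) -> Profile:
    """Learn (mean, stdev) per feature from the genuine user's enrolment sessions."""
    pooled: Dict[str, List[float]] = {}
    for stream in enrolment:
        for name, vals in features(stream).items():
            pooled.setdefault(name, []).extend(vals)
    return {name: (mean(vals), max(pstdev(vals), STDEV_FLOOR_MS))
            for name, vals in pooled.items()}


def anomaly_score(profile: Profile, stream: List[Keystroke]) -> float:
    """Mean absolute z-score of the stream against the profile (0 = typical).
    Digraphs never seen at enrolment are skipped rather than guessed at."""
    zs: List[float] = []
    for name, vals in features(stream).items():
        if name in profile:
            mu, sd = profile[name]
            zs.extend(abs(v - mu) / sd for v in vals)
    return mean(zs) if zs else 0.0


def window_scores(profile: Profile, live: List[Keystroke], window: int = 5) -> List[float]:
    """Score the live stream window by window, as a background monitor would."""
    return [anomaly_score(profile, live[i:i + window]) for i in range(0, len(live), window)]


def first_alert(scores: List[float], threshold: float = 2.5) -> Optional[int]:
    """Index of the first window whose score crosses the threshold, else None.
    In a product this is where the corrective action (alert, log-out) would fire."""
    for idx, score in enumerate(scores):
        if score > threshold:
            return idx
    return None


def synth(text: str, dwell: float, flight: float, start: float = 0.0) -> List[Keystroke]:
    """Constructed keystroke stream with fixed dwell/flight, standing in for real capture."""
    stream: List[Keystroke] = []
    t = start
    for ch in text:
        stream.append((ch, t, t + dwell))
        t += dwell + flight
    return stream


def demo() -> dict:
    """Genuine user scores ~0; a mid-session takeover is flagged in its first window."""
    text = "the quick brown fox"
    # Two enrolment sessions of the genuine user, with a little natural variation.
    profile = build_profile([synth(text, 80, 120), synth(text, 90, 130)])
    genuine = synth(text, 85, 125)   # same person, same rhythm
    # Session starts as the genuine user, then someone else takes over the keyboard
    # (much longer key presses, much shorter gaps between keys).
    head = synth("the quick ", 85, 125)
    takeover = synth("brown fox", 140, 60, start=head[-1][2] + 125)
    hijacked = head + takeover
    scores = window_scores(profile, hijacked)
    return {
        "genuine_score": anomaly_score(profile, genuine),
        "hijacked_scores": scores,
        "alert_window": first_alert(scores),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Two design choices matter for a real deployment: unknown digraphs are skipped rather than scored, so a user typing unfamiliar text is not penalised, and the standard-deviation floor keeps one unusually consistent enrolment session from making every later keystroke look anomalous. Thresholds and window sizes would be tuned per organisation against false-positive rates.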
Two-factor authentication remains an important security step and is certainly better than using a username and password alone.
However, as cybercriminals continue to figure out ways around traditional authentication methods such as 2FA, Zero Trust solutions that offer constant identity verification are becoming the more popular cloud security choice, especially for remote work security.