Faking It - When is 2 Factor Authentication Not?

I got an interesting email from a colleague today about PayPal's "2-factor authentication". Admittedly, when I first bought my secure authentication token from PayPal a while back, I remember thinking how much more secure PayPal was for offering this kind of protection. Apparently, though, it's a bit of smoke and mirrors.

As Brian points out in his post, your PayPal account is securely guarded by 2-factor authentication until you tell their system you don't have your token. Then everything devolves back to the old days of passwords and secret questions. I'm not comfortable with this... so I started thinking.

After a little thought, I realized that my online banking account, which is protected by a one-time password sent to my phone via SMS, is much the same. If I simply change my user-agent to an iPhone or an equivalent mobile device (which doesn't have Flash...), I get plain username-and-password authentication. I'm just not OK with this. But these aren't the only examples... I bet you have more, and I know I have 4 tabs open right now that all have the same problem.

So what's the moral of the story? Be careful what you consider safe(r) as far as 2-factor authentication goes. Look at the authentication scheme from a 360-degree view and check whether the strong authentication the second factor provides extends to every login path the server accepts: a mobile device? an HTML-only client? the "I lost my token" link? If it doesn't, your account is protected by the lowest common denominator, because an attacker will simply take the weakest path on offer, and for most sites that's a simple username and password. A second factor that the client can opt out of, by sending a different User-Agent or by claiming the token is lost, is not really a second factor at all.

Ask yourself whether you're OK with that. Then ask yourself: is there anyone out there serious about security? Who? And are you willing to change banks, credit card companies, whatever, to get that better protection? ...because that's the only way things are going to get better: if we pull away from platforms that are faking their strong authentication.

(anon) | 02-08-2011 10:57 AM

What would you suggest as the way around this? For example, if you lose your token for real, how would you like to reauthenticate? I'm not being snarky, I'm asking seriously: what would you consider acceptable and secure enough?

Rafal Los (Wh1t3Rabbit) | 02-08-2011 12:14 PM

Hi Andy - so what would I suggest... well, here are some thoughts off the top of my head:

- Allow the "forgot my token" option only ONCE before requiring a phone call, or the re-use of the token

- Provide an additional level of authentication when the token is bypassed (probably requiring some back-end analytics such as the IP address of the last login, geo-location, and other analytics that banks use every day)

- Notify via registered email that a non-token authentication was used, as an alert to the user just in case fraud is being perpetrated... require email confirmation (from the person's registered email) to complete the purchase/transaction (this requires a somewhat more complicated process)

- Stop using Adobe Flash (sorry Adobe) or other technologies that aren't usable across all platforms such as the iPhone, etc.; this removes the condition where the whole security of the system depends on the ability to run a SWF file on the client

Those are just some suggestions. They're not simple or free, but they have to be cheaper than paying out for fraud? Or maybe not, and that's why we're not seeing more advanced security?

Anyone from PayPal want to weigh in on this?
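
The following is an added illustration, not code from the post, from PayPal or from any bank: a small model of a login policy that puts the downgrade pattern described in the post (the token requirement decided from the User-Agent, and an unbounded "forgot my token" fallback) next to a hardened policy that follows the suggestions above. The account fields, the requirement labels, the mobile User-Agent markers and the "different IP or country means risky" rule are all assumptions made for the example; the sample accounts and requests are constructed.

```python
# Added example (not PayPal's code and not from the original post). Models a
# server-side login policy; all names, labels and rules are assumptions.
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed markers a naive server might use to detect a mobile client.
MOBILE_UA_MARKERS = ("iPhone", "iPad", "Android", "Mobile")


@dataclass
class Account:
    token_enrolled: bool
    token_bypasses: int = 0                 # "forgot my token" uses since last token login
    last_login_ip: Optional[str] = None
    last_login_country: Optional[str] = None
    alerts: List[str] = field(default_factory=list)   # stand-in for registered-email alerts


@dataclass
class LoginRequest:
    user_agent: str
    ip: str
    country: str
    claims_lost_token: bool = False


def weak_requirement(acct: Account, req: LoginRequest) -> str:
    """The pattern the post criticises: the token is only demanded when the
    client looks able to run the token widget, so the client picks the bar."""
    if not acct.token_enrolled:
        return "PASSWORD"
    if any(m in req.user_agent for m in MOBILE_UA_MARKERS):
        return "PASSWORD"                     # downgrade selectable by the attacker
    if req.claims_lost_token:
        return "PASSWORD+SECRET_QUESTIONS"    # unbounded, silent fallback
    return "PASSWORD+TOKEN"


def strong_requirement(acct: Account, req: LoginRequest) -> str:
    """Requirement derived from account state only; nothing the client sends
    (User-Agent, Flash support) lowers it. The lost-token path is allowed
    once, carries a step-up on risk signals, and then needs a phone call."""
    if not acct.token_enrolled:
        return "PASSWORD"
    if not req.claims_lost_token:
        return "PASSWORD+TOKEN"               # same answer for every client
    if acct.token_bypasses >= 1:
        return "PHONE_CALL"                   # second bypass: a human gets involved
    risky = (req.ip != acct.last_login_ip
             or req.country != acct.last_login_country)
    if risky:
        return "PASSWORD+EMAIL_CONFIRMATION+MANUAL_REVIEW"
    return "PASSWORD+EMAIL_CONFIRMATION"


def record_login(acct: Account, req: LoginRequest, requirement: str) -> None:
    """Bookkeeping after a login that satisfied `requirement`."""
    if requirement == "PASSWORD+TOKEN":
        acct.token_bypasses = 0               # using the token again resets the allowance
    elif "EMAIL_CONFIRMATION" in requirement:
        acct.token_bypasses += 1
        acct.alerts.append(
            f"non-token login from {req.ip} ({req.country}) via {req.user_agent}")
    acct.last_login_ip, acct.last_login_country = req.ip, req.country


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    acct = Account(token_enrolled=True, last_login_ip="203.0.113.5",
                   last_login_country="US")
    desktop = LoginRequest("Mozilla/5.0 (Windows NT 6.1)", "203.0.113.5", "US")
    phone = LoginRequest("Mozilla/5.0 (iPhone; CPU iPhone OS 4_2)", "203.0.113.5", "US")
    lost = LoginRequest(phone.user_agent, "198.51.100.9", "RO", claims_lost_token=True)
    for name, req in (("desktop", desktop), ("phone", phone), ("lost token", lost)):
        print(f"{name:10s} weak={weak_requirement(acct, req):30s} "
              f"strong={strong_requirement(acct, req)}")
```

The point of the two functions side by side is that `weak_requirement` lets the client choose its own bar by editing one request header, while `strong_requirement` gives the same answer for every User-Agent and only relaxes it through a path that is counted, risk-checked and alerted on.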

(anon) | 02-08-2011 02:18 PM

Hehe. Andy IS from PayPal (at least, the last time I checked). :-) And yes, I agree that there should not be a downgrade option that can be influenced by the user (-agent). While I know that the last thing any internet-based company wants to do is get more people into the loop, I suggest that for high-value transactions (i.e., those that deserve to be protected by a token in the first place), the user should indicate that they need a one-off "waiver" from using the token; a call-center agent then calls them on the registered contact number and performs a manual verification based on things like the last several transactions, account balance, and other items that both parties should know/can verify.

(anon) | 02-09-2011 09:09 AM

One could argue that if something is that high a value then it should not be online. Let's face it, PayPal, Internet banking and services like that are just conveniences.

Adding more security can start to become inconvenient and costly for both parties. I'm not saying that we should skip securing these systems, but it's my choice to skip the online transaction if I don't like how it's secured.

That's OK for me, but for those that don't understand security it's not so easy. The industry has everyone convinced that if you have SSL you are secure. That's a bigger issue. Most people don't even know what 2-factor means. (Some infosec people don't even know :-))

Does 2-factor authentication even matter that much with all the client-side exploits that are available?

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation