twitter logo linkedin logo facebook logo

When two-factor authentication is not enough (4 min read)

Dr Michael Scott
MIRACL Trust ID, 2fa, mfa, multi-factor authentication

Our resident crypto expert, Dr Michael Scott, explains the security principles of two-factor authentication and how attackers can step outside of their expected behaviour to bypass the security altogether. This is part one of a three part series on multi-factor authentication culminating with a critique of the FIDO authentication framework.

There is no confirmed case of anyone ever escaping from Alcatraz. Which is quite remarkable as it was open for many decades and housed thousands of desperate characters. Many, like Al Capone, had all kinds of resources available on the outside.

The problem for prisoners was that to escape, they needed to solve two difficult and disjoint problems. First, they had to get out of the prison building and then they had to somehow get across San Francisco Bay to the mainland. While solving one of these problems may have been doable, solving both of them proved insurmountable.

For the guards this made things quite easy, and inexpensive. No need to go mad on the barbed wire and permanently manned watchtowers.

The same was true of the Soviet Gulags, positioned as they were far above the Arctic Circle. Getting out of the camp was one thing. Surviving long enough at sub-zero temperatures to reach safety was definitely another thing.

I could go on. Why do you think medieval castles had both walls and moats?

The general conclusion is that in any security setting you should set your opponent at least two distinct problems to solve. The less obvious conclusion is that each individual problem does not need to be that hard, it’s the very fact that there are two of them that provides much of the security, and demoralises attackers.

Let’s now specialise a little to the setting where a client desires access to a service, provided by a server, and where the attacker wants to gain illegal access to the same service while masquerading as the legitimate client.

A classic example would be ATM cash withdrawal. For now, assume I am the client. An attacker wants to get my money out of my account. They have two distinct problems to solve; they have got to steal my ATM card and also somehow figure out my PIN number. Two problems to solve, not easy to do, and indeed not often done.

One thing to bear in mind is that an attacker can be endlessly innovative. We often assume a security environment constrained by certain expected behaviour. But an attacker can step outside of that. They can, for example, say to themselves “let’s leave ATM cards and PIN numbers, I’ll steal a mechanical digger and rip the ATM machine out of the wall, take it home and empty it”. They get the money, gloriously bypassing the two problems we thought we had forced them to solve.

The Mafia in Milan had a clever idea. They would buy up an old abandoned building in the middle of the city, and install what looked like an ATM machine in the wall. The unfortunate punter would come along, insert their card and enter their PIN. The machine would clone the card and the PIN and transmit this information to its associates. By the time the unfortunate punter retrieved their card, read the “Out of Order” message, silently cursed and walked away – their bank account would be emptied. Skimmers achieve the same thing by placing false fronts on legitimate ATMs.

We sometimes call this a back door attack. We have impressively barricaded our front door, but the thief breaks in through the back door. Duh. We should have looked at the problem more carefully and closed off as many potential back doors as possible.

Another thing to worry about is the status of our attacker. We may assume they are complete outsiders but they may not be. In fact, they may be insiders who can trivially bypass one or both of the problems we have set.

You will be familiar with those hotel room safes. The idea is that your passport is locked in the safe, protected by a PIN number. Now a thief appears to have two problems to solve, they must break into the room, and then figure out how to open the safe. Yet if we analyse the two problems more carefully, we quickly find weaknesses. First of all, access to the room is no problem at all for hotel cleaning staff. For them, there is only the problem of opening the safe. Equally, of course, hotel management have a back door way of opening safes as guests often forget their PIN number. So if your attacker is the hotel itself (or that disgruntled ex-employee), you may have no security at all.

So not all two-factor authentication is created equal. MIRACL Trust ID has been engineered from the ground up with back-door and side channel attacks in mind. MIRACL Trust ID is based on a distributed infrastructure using military grade cryptography and is the world’s only single-step multi-factor authentication without any hardware dependencies. Discover more at MIRACL


Dr Michael Scott is Chief Crypto Officer at MIRACL, one of the pioneers of Pairing-based Cryptography and the “S” in the widely used BLS and KSS families of elliptic curves. Following a distinguished career of almost 30 years at Dublin City University and an active consultant to both public and private sector, his unmatched depth in knowledge is drawn not only from his academic expertise - he’s published over 100 highly cited papers – but his genuine love of cryptography and the science behind this.

Get the MIRACL memo in your inbox

Get in touch to learn more

You can opt out at any time. See our privacy policy here.