There are many types of multi factor authentication (MFA) tokens available. Some are virtual, some are software (apps), and some are hardware. Each has their benefits and their disadvantages. This paper discusses some of the concerns with each type of authentication token type and what is recommended for secure networks.
Virtual tokens are one-time passwords, usually a short series of numbers, that are delivered to the user by way of email, SMS message, or even a phone call. The biggest problem is that with this mechanism is that with a targeted attack, using this method of authentication becomes a race condition. None of these delivery mechanisms are secure so an attacker who is in the correct location, physical or logical, can easily intercept these tokens and authenticate to the system before the user can.
The phishing tools Modilishka, CredSniper, and Evilginx can intercept username, password, and a token entered by a user to a look-alike site, gaining access to the site while passing the user onto the site as well so the user doesn’t know the difference. A hardware token is not susceptible to this type of attack.
Another threat to virtual tokens is that phone companies can be fooled into transferring a phone number to a different SIM card allowing an attacker to receive a MFA token instead of the user.
And finally, any outage to the infrastructure supporting the delivery of the token will render the user or users unable to receive the necessary information to log into their systems. That includes the cellular network, Internet connection, email server, SS7 SMS delivery network, and other components, all of which are outside of the control of the system owner.
The Federal Bureau of Investigations (FBI) released a bulletin regarding attacks to U.S. banking institutions and their customers that were using these types of tokens back in 2019. The attacks went back to 2016 and involved SIM swapping to circumvent two-factor authentication. In 2019, the Muraena and NecroBrowser phishing tools were shown intercepting network traffic that led to the recovery of enough information to gain access to secured systems. The system cannot defeat USB hardware tokens with support for the Universal 2nd Factor (U2F) standard, however. Solutions based on codes received over SMS or generated by a mobile authenticator app are vulnerable.
Soft tokens are generally software applications run on a mobile computing device that uses a cryptologic function and a clock to provide a one-time password. These applications are better than a virtual token as the codes are never transmitted over a network connection, but are susceptible to any malware that may be running on the device.
Hardware versions of the same type system, typically seen from the RSA company, also fall into this category even though they aren’t run on a mobile device. These devices, while not susceptible to a malware threat, are vulnerable to phishing attacks related to Muraena and NecroBrowser, Modilishka, CredSniper, and Evilginx because the codes have to be entered in by hand. Hardware devices, including USB and smart cards, aren’t susceptible to these threats.
Hard tokens are physical devices that connect to the device you are attempting to authenticate to and provide the extra form of identification (something you have). They are considered to be a high security factor and generally do not require any other infrastructure to work. Some hardware tokens can even provide authentication to or through mobile devices using NFC.
The downside of hard tokens is the cost.
Users of hard tokens include the U.S. government and military, Google, and Facebook.