
Two Factor authentication - foolproof and supersafe?

Submitted by Kai on Thu, 2007-05-10 08:03.

It seems that two-factor authentication - the principle that you need both a secret password (something you know) and a token or one-time password, OTP (something you have), to log on to a system - is gaining popularity. Which is good in my opinion, as it helps maintain the security awareness of the users.

But too many seem to think two-factor authentication is the key to secure logon. There is a lot of noise claiming that if you use a two-factor system, your users and employees will no longer fall victim to phishing attacks. If only that were true, it would certainly be nice!

The interesting thing about security is that it is a race, an ongoing process. As soon as one party finds a hole, the other party works to close it. As soon as it is closed, the first party starts looking for new holes elsewhere. And so it goes, forever.

So with two-factor authentication in place, it seems impossible for attackers to get into your systems: they need your username, your secret password and the special code or device, and the latter is something they cannot get their hands on. Against traditional phishing, where the attacker collects credentials on a fake site and uses them later, this theory holds water: by the time the attacker tries the stolen one-time code it has expired or has already been used.

But as we close holes, new ones are made. In from the side comes the well-known man-in-the-middle attack, which comes in many flavours. What these attacks have in common is that they interpose themselves in the connection between the user and the service. The user cannot spot it; to her it looks as if she is working on the system as normal. But all traffic is relayed through the man-in-the-middle system, which not only gains access to the server in her name, but can also eavesdrop on, and alter, everything that passes through.

Man-in-the-middle attacks are used against online banking, as in the Citibank attack last year, where the attackers used an e-mail scam to lure users into clicking through to the attackers' site. That site relayed all data to the real bank in real time, fooling both the users and the bank's systems. Why did two-factor authentication not help? The relay simply passed the user's one-time code along while it was still valid, giving the attacker full access to the session as soon as the user had authenticated.

Other methods include DNS poisoning and software installed on the client (worms, trojans, bots, spyware and so on). What they have in common is that they exploit the everyday user's lack of understanding and knowledge. They are becoming increasingly sophisticated, so at some point we may no longer be able to spot them directly.

Thus you need to train your users to be suspicious of everything. What a dream world that will be!

Great input!

Dear Igor, thank you very much for your comment - a very timely one! I totally agree that transaction verification is the way to go. Technology should be supportive and not intrusive to the users. I also loved your blog post on the topic!

---------------------------------------
Posted by: Kai Roer
Please post your comment!
---------------------------------------

Transaction verification

A more recent attack than the Citibank one was the ABN AMRO attack, and unlike in the Citibank case, actual funds were stolen. ABN AMRO has been employing a disconnected smartcard reader as a 2FA device for years, and the recent attack has demonstrated that a live man-in-the-middle attack is no longer sufficiently complex to deter phishers. To protect against MITM, online security should move from session authentication to transaction verification; more thoughts on the subject: http://blog.cronto.com/index.php?title=transaction_verification_can_protect_aga
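To make both points concrete - the real-time relay in the post above that defeats a login-time OTP, and the transaction verification that Igor's comment calls for - here is an added example in Python. It is not part of the original post, of Igor's blog, or of any bank's system: a toy bank, a phishing proxy that forwards whatever the victim types to the real bank, and a code bound to the transfer details. The HOTP and TOTP functions follow RFC 4226 and RFC 6238; the account names, passwords, the 30-second time step and the timestamp in `run_scenarios` are constructed for the example.

```python
"""Toy model of a real-time phishing relay against OTP logins (added example).

Two checks are compared: session authentication, where the bank verifies the
OTP once at login, and transaction verification, where the code the user
enters is computed over the payee and amount she is approving.
"""
import hashlib
import hmac
import secrets
import struct

STEP = 30  # TOTP time step in seconds (RFC 6238 default; assumed here)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(key: bytes, now: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time."""
    return hotp(key, now // STEP)


def transaction_code(key: bytes, dest: str, amount: int, now: int) -> str:
    """Code bound to the transfer: the key is first mixed with payee and
    amount, so the same code is useless for any other transfer."""
    bound_key = hmac.new(key, f"{dest}|{amount}".encode(), hashlib.sha256).digest()
    return hotp(bound_key, now // STEP)


class Bank:
    def __init__(self):
        self.accounts = {}  # user -> [password, otp secret, balance]
        self.sessions = {}  # session token -> user

    def enrol(self, user, password, balance):
        key = secrets.token_bytes(20)  # provisioned to the user's token
        self.accounts[user] = [password, key, balance]
        return key

    # Session authentication: the second factor is checked only at login.
    def login(self, user, password, otp, now):
        pw, key, _ = self.accounts[user]
        if not (hmac.compare_digest(pw, password)
                and hmac.compare_digest(totp(key, now), otp)):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token

    def transfer(self, token, dest, amount):
        """Only the session is checked; `dest` is trusted as sent."""
        user = self.sessions.get(token)
        if user is None or self.accounts[user][2] < amount:
            return False
        self.accounts[user][2] -= amount
        return True

    # Transaction verification: the code must match this payee and amount.
    def verified_transfer(self, token, dest, amount, code, now):
        user = self.sessions.get(token)
        if user is None:
            return False
        key = self.accounts[user][1]
        if not hmac.compare_digest(transaction_code(key, dest, amount, now), code):
            return False
        return self.transfer(token, dest, amount)


class PhishingProxy:
    """The attacker's site: relays the victim's input to the bank in real time."""
    def __init__(self, bank, attacker_account):
        self.bank, self.attacker_account = bank, attacker_account
        self.stolen_session = None

    def victim_logs_in(self, user, password, otp, now):
        # The OTP is still valid when forwarded; the proxy keeps the session.
        self.stolen_session = self.bank.login(user, password, otp, now)
        return self.stolen_session is not None

    def drain_session(self, amount):
        return self.bank.transfer(self.stolen_session, self.attacker_account, amount)

    def victim_approves_transfer(self, intended_dest, amount, code, now):
        # The victim computed `code` for intended_dest on her own device;
        # the proxy forwards the code but swaps in the attacker's account.
        return self.bank.verified_transfer(self.stolen_session,
                                           self.attacker_account, amount, code, now)


def run_scenarios(now=1_178_784_000):
    """Constructed scenario: Alice is phished; compare the two checks."""
    bank = Bank()
    key = bank.enrol("alice", "correct horse", balance=1000)
    proxy = PhishingProxy(bank, attacker_account="MULE-4711")

    relayed = proxy.victim_logs_in("alice", "correct horse", totp(key, now), now)
    drained = proxy.drain_session(500)  # succeeds: 2FA was only a login gate

    # With transaction verification the code is bound to the payee Alice
    # actually sees and intends, so the swapped payee is rejected.
    code = transaction_code(key, "LANDLORD-1", 300, now)
    swapped = proxy.victim_approves_transfer("LANDLORD-1", 300, code, now)
    intended = bank.verified_transfer(proxy.stolen_session, "LANDLORD-1", 300, code, now)
    return {"relay_login": relayed, "session_auth_drained": drained,
            "tv_swapped_payee": swapped, "tv_intended_payee": intended,
            "balance": bank.accounts["alice"][2]}
```

The relay wins in the first scenario because a TOTP stays valid for a whole time step and the bank cannot tell the proxy's connection from the user's. The second scenario only holds if the user reads the payee and amount from a trusted display, or types them into a disconnected device herself; a proxy that persuades her to enter the attacker's account number into the device still gets a valid code. That is the "sign what you see" requirement behind transaction verification.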

The blogger is Kai Roer, a European Information security professional.
