Information Security Stack Exchange is a question and answer site for information security professionals. It's 100% free, no registration required.


Here's my relatively layman's view of the issue.

Many websites tout multifactor authentication (MFA) as an enormous boost to the security of users' accounts, and it can be if implemented properly.

However, it seems that some sites will only prompt the user for their MFA AFTER they enter their password correctly. I've only tested this with gmail.com and outlook.com, but given that these are two huge email providers, I imagine they're only two of many perpetrators.

The reason this is (at least on the face of things) such a huge security flaw is that it can allow crackers to guess a user's password until they're presented with the prompt for MFA, at which point they know they've got the user's password. It seems like websites will brush this off, saying, "But since the user has MFA, the cracker can't get into their account."

What they seem to forget is that the user likely has accounts on other websites, and quite possibly uses the same password for that site. So now the cracker may have access to all the user's accounts across the web, many of which probably don't have MFA implemented, leaving the user completely vulnerable to attacks.

Are there any flaws in my argument or assumptions that would make this a non-issue? If not, then why do huge companies like Google and Microsoft not fix this issue?

Are you suggesting I get an SMS even if I mistype the pw? That would be annoying and waste money... – dandavis yesterday
It depends on the method of MFA you're using, I guess. I hadn't thought of that, so I apologize. But as a somewhat weak counterpoint, most MFAs allow you to use other means, such as a generator app on a smartphone (and these work even in airplane mode), to verify your identity. On a side note, I do know of at least one site that lets you just use 2 passwords: protonmail. This might be a good compromise. – Ben Sandeen yesterday
@BenSandeen Two passwords is not MFA, though. It's multi-step at best. – Angew yesterday
@Angew Okay? I don't really care about terminology. And I said explicitly that it's a compromise between MFA and a regular one-pw system. Regardless, in most cases 2 passwords are going to be more secure than either of them are alone, as far as I know. – Ben Sandeen yesterday
@BenSandeen: The baseline for comparison should be "type both passwords one after the other into the same box" (concatenation). Two separate boxes are only stronger than trivial concatenation by a factor of (N+M-1)-choose-1, equivalent to insertion of a known separator character between the two halves. – Ben Voigt yesterday
Accepted answer (score 49)

If I'm understanding your question properly, the attack you are proposing is to brute-force passwords against a server like this, then once it shows you the MFA screen, go try that password on other websites that this user has accounts on.

You seem to be overlooking two points:

  1. This is no weaker than not having MFA, which also confirms the correct password ... by letting you in.

  2. No hacker in their right mind will try brute-forcing a password against a live server which typically rate-limits you to like 5 guesses per second. Or in the case of the big providers like GMail or Outlook, have complex fraud-detection systems that do auto IP-blocking of suspicious activity. 99.999...% of the time, password brute-forcing is done against password hashes stolen directly from the database on which you can guess (m|b)illions of passwords per second.

So while I agree with you that there is the potential for some data leakage here, I think the risk is minimal, and far outweighed by the user inconvenience of having to fumble with their OTP fob just to find out that they typo'd their password.

Thanks for the answer, but just to clarify, I am completely aware that MFA is incontrovertibly more secure for the accounts that have it. :P My qualm was that it still allows crackers to gain a user's password while simultaneously giving a user a (possibly false and misleading) peace of mind. – Ben Sandeen yesterday
@BenSandeen I think you're missing that MFA informs the legit owner someone has their password. Without MFA the attacker already knows they got the password (because they logged in) and they can successfully log in (the real damage) and the account owner doesn't know someone has their password. With MFA the attacker knows they got the password (no worse), but they're blocked from logging in (worth it) and (here's the bit I think you're missing) the account owner gets notified about the login attempt and knows someone guessed their password so they can change it (and any others). – Schwern yesterday
@Schwern How well the user gets notified when there's a failed MFA attempt probably varies from service to service. I don't think I've ever seen a notification like that (maybe I've never botched an MFA login). Which websites offer that? Do all websites that offer MFA do a good job of notifying a user when there's a failed MFA attempt? – Mike Ounsworth yesterday
@MikeOunsworth Good point, I was thinking about email and text where the notification is integrated. I forgot about mobile authenticators. That would be up to the site. – Schwern yesterday
@Schwern Ah, you're talking about the SMS code style of MFA. Fair enough; if you get a random code texted to you that you didn't expect, it's time to change your password. Personally I'm far more concerned about the OTP token fob type. SMS 2FA is popular for end-user email and stuff, but any admin responsible for any high value data like government, corporate, banking, health data, etc will use a security fob. I wonder if those systems notify you if there's a failed OTP attempt. Great question! – Mike Ounsworth yesterday

So now the cracker may have access to all the user's accounts across the web, many of which probably don't have MFA implemented, leaving the user completely vulnerable to attacks.

An attacker isn't going to try guessing a password on Google that they aren't also going to try for the bank or Facebook or the like. That it's now been given away as a valid password puts the attacker no closer to compromising any other accounts. The guessed password needed to be from a crib of high-probability guesses, because a true brute force will never work on a live system.

If you could demonstrate that sites using 2FA have worse anti-guessing algorithms (I would bet they are at least as good if not better) compared to sites that don't offer 2FA, your point would be valid, since an attacker could abuse one and pivot toward the other. In reality the opposite is likely true; sites investing in 2FA are also investing in anti-guessing systems at the same time.


I think this is a non-issue. Multi-factor authentication isn't about preventing someone from guessing your password, but about preventing anyone from signing in to your accounts.


In theory, yes, this is a possibility (provided the site implementing 2FA doesn't have any rate limiting or fraud detection of any kind, as pointed out by the other answers).

In practice, there's the usability factor to think about, too. Imagine you built a login form that prompts a user for 2FA on every login attempt, only telling the user the attempt was unsuccessful after the 2FA step, and never telling them whether it was the password or 2FA token that was invalid.

2FA is already a giant pain in the neck to start with - every time I log in, I have to not only type in my username and password, but find my phone (which might be in another room), unlock it, go to my home screen, find my 2FA app, and find the right site in the list. Then, the code is inevitably five seconds from expiring, so I have to either wait for a new one to come up or try to type it in super quickly before it expires.

(2FA systems that use SMSes or push notifications are better in this regard, because they come up on my smartwatch - or, in the case of a user that doesn't own a smartwatch, their lockscreen. In the scheme we're considering, though, that would allow a user to annoy me with endless notifications/SMSes so long as they know my username, because they don't have to get my password right to trigger a 2FA attempt. I've also heard that in some countries, phone carriers charge you for receiving SMS messages, so in those places this sort of thing would be even worse on users.)

If you make your users go through all of that twice when they get their password wrong, the whole process will become much more painful, and you might even wind up with fewer people using 2FA as a result, making your users less secure on average.

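The two login designs the thread contrasts, side by side: the password-then-MFA flow from the question (the MFA prompt doubles as a "password was right" signal), guarded by the per-account rate limiting the accepted answer relies on, versus the collect-both-factors-up-front flow the last answer describes, which returns one combined verdict. This is an added Python sketch, not code from the page or any of its authors; the USERS store, the RateLimiter class and both login functions are constructed for the example.

```python
import hmac
import time
from enum import Enum

# Constructed demo credential store: username -> (password, current OTP code).
# Plain strings are used only to keep the sketch self-contained.
USERS = {"alice": ("correct horse", "123456")}

class Outcome(Enum):
    INVALID = "invalid credentials"   # generic failure, says nothing about which factor
    NEED_MFA = "enter MFA code"       # only reachable after a correct password
    SUCCESS = "signed in"
    LOCKED = "too many attempts"

class RateLimiter:
    """Per-account sliding window: at most `limit` attempts per `window` seconds."""
    def __init__(self, limit=5, window=1.0):
        self.limit, self.window, self.hits = limit, window, {}
    def allow(self, user, now=None):
        now = time.monotonic() if now is None else now
        recent = [t for t in self.hits.get(user, []) if now - t < self.window]
        recent.append(now)
        self.hits[user] = recent
        return len(recent) <= self.limit

def login_mfa_after_password(user, password, code, limiter, now=None):
    """Flow from the question: the MFA prompt itself reveals that the password was right."""
    if not limiter.allow(user, now):
        return Outcome.LOCKED
    real_pw, real_code = USERS.get(user, ("", ""))
    if not hmac.compare_digest(password, real_pw):
        return Outcome.INVALID
    if code is None:
        return Outcome.NEED_MFA      # the oracle: a distinct response for a correct password
    return Outcome.SUCCESS if hmac.compare_digest(code, real_code) else Outcome.INVALID

def login_always_prompt(user, password, code, limiter, now=None):
    """Flow from the last answer: both factors collected up front, one combined verdict."""
    if not limiter.allow(user, now):
        return Outcome.LOCKED
    real_pw, real_code = USERS.get(user, ("", ""))
    pw_ok = hmac.compare_digest(password, real_pw)
    code_ok = hmac.compare_digest(code or "", real_code)
    # Both checks always run; the caller learns only whether the pair as a whole was right.
    return Outcome.SUCCESS if (pw_ok and code_ok) else Outcome.INVALID

if __name__ == "__main__":
    print("question's flow, right pw, no code:", login_mfa_after_password("alice", "correct horse", None, RateLimiter()))
    print("always-prompt flow, right pw, wrong code:", login_always_prompt("alice", "correct horse", "000000", RateLimiter()))
```

The limiter is the cheap part; the usability cost the last answer describes is that in the always-prompt flow a user who mistyped only their password must redo the OTP step as well.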
