What Two Factor is and what it isn't

Two Factor Authentication is becoming more commonplace and in many industries a requirement, such as in PCI-DSS 8.3. Two Factor Authentication, herein referred to as 2FA, consists of two of the following: something the user knows, like a PIN or password; something the user has, like a token that displays a code, or a certificate present on the user's machine/device; or something the user is, a fingerprint or other biometric like an iris scan, possibly voice recognition. 2FA is used with your bank card: something you have is the card, something you know is the PIN.

The most cited or expected place to find 2FA these days seems to be when using a VPN to connect into the network at your place of business. Once you have passed the 2FA and are logged onto that network, there is typically no more 2FA. You are free to move around the network just as if you were sitting at a computer in the physical office itself. This goes for an attacker or trojan as well: once 2FA has happened, the attacker/trojan can move around the network as you. In that case 2FA is only making it harder to get into your network using the VPN; it has no bearing on accessing shares or other network resources once 2FA has happened.

There are a variety of 2FA schemes out there; some use physical tokens, software tokens, imported and signed certificates, tokens with LCD displays, One Time Pads and on and on...

2FA will not protect from trojans, phishing or man-in-the-middle attacks. That is not its intention, nor the problem 2FA aims to solve. 2FA is an attempt to verify that the user is who he/she says they are by knowing something and by having something; even if one of those two is compromised, you can still likely trust the authentication. If both factors are compromised then of course you can't, and knowing whether both are compromised is next to impossible.

2FA is trying to avoid password reuse, key logging or replay types of attacks. Most 2FA involves tokens creating one-time-use codes based on time; every minute or few minutes a new code is generated. You combine that code with your PIN, and the two create one hash; if that checks out as the predicted hash on the backend, you are authenticated. The attacker could try to use the same PIN+code, but once it has been used, even if it's in the same minute, it will be voided out of the system. Key logging should fail in most cases when 2FA is being used.
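As an added example (not code from the original post), here is a small RFC 4226/6238 style implementation of the scheme described above: a token derives a code from a shared secret and the current time step, and the server checks the PIN (something you know) together with the code (something you have), then records which time-step counter was spent so a captured PIN+code cannot be replayed inside the same step. It assumes the RFC 6238 reference seed, SHA-1, 8-digit codes, a 30-second step, and a plain SHA-256 of the PIN as a stand-in for a proper password hash; all of those are demo assumptions, not a description of any particular vendor's token.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 6238 reference seed, used so the RFC test
# vectors can be checked. A real deployment provisions a random per-user key.
DEMO_SEED = b"12345678901234567890"
STEP_SECONDS = 30   # assumed time-step length
DIGITS = 8          # assumed code length


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a 31-bit integer, then the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(secret, unix_time // step, digits)


def pin_hash(pin: str) -> str:
    """Demo PIN hash (assumption: SHA-256; use a real password hash in production)."""
    return hashlib.sha256(pin.encode()).hexdigest()


class TokenVerifier:
    """Backend side of the scheme: both factors must check out, and a
    time-step counter that was already accepted is refused a second time,
    so replaying a sniffed or key-logged PIN+code within the same step fails."""

    def __init__(self, secret: bytes, stored_pin_hash: str, window: int = 1):
        self.secret = secret
        self.stored_pin_hash = stored_pin_hash
        self.window = window            # tolerate +/- this many steps of clock skew
        self.used_counters = set()      # counters already spent by a successful login

    def verify(self, pin: str, code: str, now: int) -> bool:
        # Constant-time comparisons so neither factor leaks through timing.
        pin_ok = hmac.compare_digest(pin_hash(pin), self.stored_pin_hash)
        current = now // STEP_SECONDS
        matched = None
        for counter in range(current - self.window, current + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, counter), code):
                matched = counter
                break
        if matched is None or not pin_ok:
            return False                # one factor wrong -> no login
        if matched in self.used_counters:
            return False                # replay of an already-spent code
        self.used_counters.add(matched)
        return True


if __name__ == "__main__":
    # Token side: show the code for the current time step.
    print("current code:", totp(DEMO_SEED, int(time.time())))
```

The `window` parameter is the usual trade-off: a wider window forgives clock drift on the token but lengthens the time a stolen code stays valid, which is exactly why the spent-counter set matters.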

Other 2FA schemes rely on certificates or keys being present on the machine/device you're connecting from. These too help avoid key loggers and make it so password reuse is not a weakness in the scheme.

That is the 2FA goal for the most part: shoring up password authentication with another factor. If the attackers only know one of the factors, you can still trust the other. 2FA is only securing the authentication where it's used. You can use 2FA for a variety of authentications, but in the Windows world/networks you do not have the ability to use 2FA with some network protocols. The protocols that spring to mind are WMI, SMB connections, and PowerShell. You can more readily use 2FA with OWA, Citrix, RDP/Terminal Services, and Interactive Logon.

You can *almost* do 2FA on SMB, WMI etc... you just have to start using and configuring the IPSEC filters present on Windows. You can then use certificates or a preshared key to create an "Authorization Factor". It's not "TRUE" 2FA, because you're not prompted for the something-you-know portion with every connection, but it can act as a form of authorization.

Notice the difference: authorization is being authorized to access something because of something you have (a certificate); there is no authentication that you are you, since you're not prompted for a password or PIN (something you know). IPSEC is not 2FA, but it is another layer of authorization that can be used with or without taking 2FA into consideration in a Windows network.

-rich