Windows 10’s Security Reboot, Part III: FIDO and Beyond

FIDO’s Universal Two Factor (U2F) is intended to make it easy for companies to add a strong second factor to their existing crypto infrastructure. Most of us are probably not...
Michael Buckbee
3 min read
Last updated June 2, 2023

FIDO’s Universal Two Factor (U2F) is intended to make it easy for companies to add a strong second factor to their existing crypto infrastructure. Most of us are probably not ready to leap ahead to the password-less Universal Authentication Factor (UAF). So U2F is a comfortable half-way point that still leverages FIDO’s strong crypto technology but allows employees to continue with their more familiar password entry habits.

U2F is an ambitious initiative to raise the overall authentication bar for everyone. Rather than just another proprietary approach, U2F is instead an open-standard with its own ecosystem supported by browser vendors and device makers.

Get the Free Pen Testing Active Directory Environments EBook

“This really opened my eyes to AD security in a way defensive work never did.”

It has a major advantage over current schemes in that it addresses a serious flaw with current implementations of two-factor authentication (TFA).

What’s the issue with vanilla TFA?

It’s actually vulnerable to straightforward man-in-the middle attacks. Typically an attack would be initiated through a phish mail.

Phishing for Factors

Let’s quickly review TFA. In addition to asking for the password–what the user knows–it also requires something they have: say, a cell phone. For example, when logging into a TFA-based web site, the user is asked to enter an additional one-time password (OTP) that’s then sent as an SMS. The OTP is often a short numeric string with a limited lifetime.

A clever hacker simply has to set up a fake web site that looks like the target—for argument’s sake, an overnight delivery service. A phish mail could be sent to employees in a large company asking them to, say, verify a delivered package by clicking on a link to the phantom site.

In standard man-in-the-middle fashion, the hackers now simply forward the password to the real site, triggering the OTP. When the user enters the OTP, it too is forwarded to the real site, giving complete access to the hacker.

Mission accomplished.

U2F Makes it Hard

U2F does it differently. It takes full advantage of the public key crypto that I talked about last time. Like UAF, it uses the public-private key pairs, which are initially registered for the device on which the second factor is based.

Bottom line: U2F provides a convenient way for companies to boost identity verification without having to add fancy biometric techniques.

Vendors have already introduced FIDO compliant dongles—essentially a USB drive on which has the private key is stored. Just around the corner, smart phone vendors will soon be able to support the FIDO standard through Near Field Communications (NFC) technologies.

Here’s how it all works.fido auth u2f

When users log on to a U2F-supported website or corporate portal, in addition to entering their password they’ll be asked to insert their FIDO dongle into their laptop or device. When smart phones start supporting FIDO, users will place or swipe their iPhone and Androids near the laptop’s NFC reader.

Anyway, the dongle is then asked to sign a random string that’s concatenated—and this is crucial—with the URL of the web site asking for the information (see the diagram).

When this signed credential is sent back to the website, it is decrypted. If the random string matches, then the user has proven himself. And if the decrypted URL matches what the user was expecting—i.e., the address of the website verifying the second factor—then the website is authenticated as well.

Not Perfect, But …

Sure, U2F requires support from Chrome, Firefox, and other vendors to pass URLs to the dongle. And no, it’s not a foolproof solution, but you can see how it eliminates man-in-the-middle attacks.

If a fake site passes the credential to the authenticating server of the real site, it would be rejected! The fake site’s phishy URL (www.fed3x.com), when decrypted, couldn’t possibly match the URL of the real site (www.fedex.com).

This is a very good solution!

While there are some potential weak points, U2F should close the door to low-skilled hacks and could eliminate many, many breaches.

No doubt hackers are working on malware that can get around U2F’s strong security—possibly some clever keylogger that embeds itself on the user’s device. It also wouldn’t surprise me if some presentations at this year’s Black Hat conference start suggesting possible hacks. We’ll see.

Nothing in Windows 10 Is Nailed Down

While I was hoping to end this post with a discussion of another intriguing Windows 10 security improvement, a more serious effort at addressing data loss prevention (DLP), I’ll have to punt. There’s even less information available on this than on the authentication improvements I’ve been discussing.

Of course, none of us know how any of this will be implemented because Windows 10 is about a year away from a general release and features are, as Microsoft has noted, “subject to change.”

While I am cautiously optimistic that some of the worst abuses of Windows authentication hacking will soon end, the realist in me says new hacks are in the works.

What should I do now?

Below are three ways you can continue your journey to reduce data risk at your company:

1

Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.

2

See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.

3

Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

mixed-messages:-busting-box’s-mfa-methods
Mixed Messages: Busting Box’s MFA Methods
Varonis Threat Labs discovered a way to bypass multi-factor authentication (MFA) for Box accounts that use an SMS code for login verification.
8-things-to-look-for-in-file-auditing-software
8 Things to Look for in File Auditing Software
Here is a list of 8 critical factors IT pros should consider when evaluating file auditing software.
office-365-migration:-enterprise-guide-and-best-practices
Office 365 Migration: Enterprise Guide and Best Practices
There are many factors to consider as you migrate your infrastructure to Office 365. Read this blog for several tip and things to think about.
security-risk-analysis-is-different-from-risk-assessment
Security Risk Analysis Is Different From Risk Assessment
At the Inside Out Security blog, we’re always preaching the importance of risk assessments. IT and the C-levels need to evaluate vulnerabilities in their corporate systems to determine risk factors....