The Security Ledger podcast

This Week In Security: Poking Holes In Two Factor Authentication

It was another busy week in the security world. There was big news on the legal front, as The U.S. Supreme Court took steps to protect the data stored on mobile devices from warrantless searches by police. (That’s good news.) But the week also plenty of concerning stories about the security of data stored on mobile phones, tablets and the like.

A flaw was discovered in Security Key, a two factor authentication service that PayPal offered to customers.
A flaw was discovered in Security Key, a two factor authentication service that PayPal offered to customers.

One of the stories that gained a lot of attention was DUO Security’s report on a flaw in PayPal’s two factor authentication feature that could expose the accounts of  security-conscious PayPal users. As The Security Ledger reported, DUO researcher Zach Lanier discovered a flaw in mobile APIs published by PayPal that would allow anyone with a valid PayPal user name and password to sidestep two-factor authentication when accessing PayPal accounts that had that option enabled.

After DUO went public with information on the flaw, PayPal disabled two factor authentication via mobile devices until the flaw could be fixed.

We had a chance to talk about DUO’s research with Mark Stanislav, the company’s security evangelist. Mark told us that companies that are looking to increase the security of passwords are increasingly turning to two-factor authentication. However, they often fail to consider all the options they give customers and business partners for accessing their services. Attackers are adept at following the path of least resistance: finding ways around technologies like 2FA rather than trying to batter their way through them.

Check out our conversation below!

Listen on Security Ledger
Listen on Soundcloud.com

Comments are closed.