Two-factor authentication: How Beagle Security handles 2FA security testing

By Nasim Sulaiman, published on 08 May 2022

In the age of increasing cyber-crime and incidents of information leakage, it has become crucial for organizations to implement efficient data security mechanisms.

Hence, many companies have implemented two-factor authentication on their applications to protect their users against unauthorized logins to their accounts.

What is two-factor authentication?

Two-factor authentication (2FA) reinforces access security by demanding two methods to verify a user’s identity. It does not replace passwords but simply adds a second layer of security in addition to passwords.

There are many two-factor authentication methods available, all with a common goal: making it harder for a cybercriminal to get access to an account.

The main channels through which two-factor authentication can be delivered are SMS, email, and authenticator apps.

At Beagle Security, being a DAST solution that supports user-authenticated testing (security testing applications behind a login), we have built a system that completes the 2FA step on the user's behalf in a secure, non-threatening way. We will look at some of the challenges we faced during login and sign-up and how Beagle Security's testing engine handles them.

First, let’s have a look at the types of authentication methods available.

Email authentication

Email verification can happen during login or during registration. The confirmation mechanism requires the user to respond to a “Confirm registration or login” email, sent after a successful registration or login, to verify their email address and activate their account.

The user does this by clicking a unique activation link sent to them over email, called a magic link.

A magic link works much like a one-time password: it gives the user a way to authenticate without entering a password.

Another form of email verification sends a code (text or digits) in an email, which the user must then enter on the login page to authenticate. Automating this is also quite challenging, because the exact verification code has to be extracted from the received message.

SMS Authentication

When you enable an SMS 2FA option, you will usually be asked to provide a phone number. The next time you log in with your username and password, you will be asked to enter a short code sent to the registered mobile number. This short code is called a one-time password (OTP).

How does Beagle Security handle authentication?

There are many APIs available in the market to send, receive and track business communication, which in turn help organizations improve their commercial applications.

Given our requirements, depending on a third-party application did not fit our use case at Beagle Security. That is when we decided to develop our own SMS service application.

After thorough research, we decided to develop an IoT device to send and receive SMS messages, and we completed a working model.

The device is designed to operate securely: we create a dedicated verification account for 2FA, so that only Beagle Security has access to the device used for email and SMS verification. The main technologies we used are IoT, the AWS cloud and AI.

IoT (Internet of Things)

The term Internet of Things (IoT) refers to a network of connected devices that communicate with the cloud and with each other without requiring human-to-human or human-to-computer interaction.

Thanks to the development of inexpensive computer chips and high-bandwidth telecommunications, we now have billions of devices connected to the internet. These devices can respond intelligently to users and collect data with the help of sensors.

Since the 1990s, computer engineers have been adding processors and sensors to devices to connect them to the internet.

However, initial progress was slow because the chips were bulky. Over time, computing devices shrank, chips became smaller and faster, and the cost of integrating computing power into small objects dropped considerably.

How does IoT work?

A typical IoT system collects data in real time and exchanges it with its environment. The collected data is sent to an IoT gateway or another edge device, where it is either analyzed locally or forwarded to the cloud for analysis.

One challenge we faced was storing the data received from the IoT device. After considering many options, we chose AWS IoT, which provides services for industrial, consumer, and commercial solutions.

What is AWS IoT?

AWS IoT is a managed cloud platform that brings AI and IoT together to improve business outcomes.

AWS IoT Core can support billions of devices and messages and can process and direct those messages to AWS endpoints and to other devices reliably and securely.

For high volumes of data, AWS IoT offers an easy-to-use service design and provides data encryption, security, and access control for device data, which makes it a suitable place for the data to be stored and processed.

Machine learning/AI

The SMS traffic received on the device's number contains all kinds of messages (service messages, private messages, commercial messages, OTP messages, etc.), and we specifically needed to filter out the OTP messages.

Data is an essential component before we can develop any meaningful algorithm.

We were able to collect the data set required for training our model. As per our requirement, we only needed two classes, one containing OTP messages and the other containing non-OTP messages.

Data preparation, data pre-processing, and the selection of a suitable algorithm helped us develop a model that performed as we intended.
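As an added illustration of the two steps described above (filtering OTP messages from mixed SMS traffic, then extracting the code as in the email section), here is a minimal two-class naive Bayes classifier trained on constructed sample messages. This is example code, not Beagle Security's model; the page does not describe their algorithm, features or data, and the training set and regex below are assumptions.

```python
import math
import re
from collections import Counter

# Constructed training set (not real traffic): (message text, label).
TRAIN = [
    ("Your verification code is 482913. It expires in 10 minutes.", "otp"),
    ("Use 730284 as your one-time password to log in.", "otp"),
    ("Your OTP for login is 115902. Do not share it with anyone.", "otp"),
    ("Enter code 904417 to confirm your sign in.", "otp"),
    ("Flash sale! Up to 50% off all shoes this weekend only.", "other"),
    ("Your order #A1B2C3 has shipped and will arrive Tuesday.", "other"),
    ("Hey, are we still meeting for lunch at 12:30?", "other"),
    ("Your monthly bill of 45.20 USD is due on the 28th.", "other"),
]

def tokenize(text):
    # Lower-case and collapse each digit run to one placeholder, so the model
    # learns "a number is present" rather than memorising specific code values.
    return re.findall(r"[a-z]+|<num>", re.sub(r"\d+", " <num> ", text.lower()))

class OtpClassifier:
    """Two-class multinomial naive Bayes with Laplace (add-one) smoothing."""
    def __init__(self, samples):
        self.docs, self.totals, self.words, self.vocab = Counter(), Counter(), {}, set()
        for text, label in samples:
            toks = tokenize(text)
            self.docs[label] += 1
            self.totals[label] += len(toks)
            self.words.setdefault(label, Counter()).update(toks)
            self.vocab.update(toks)

    def log_score(self, text, label):
        # log P(label) + sum of smoothed log P(token | label) over the message
        logp = math.log(self.docs[label] / sum(self.docs.values()))
        denom = self.totals[label] + len(self.vocab)
        for tok in tokenize(text):
            logp += math.log((self.words[label][tok] + 1) / denom)
        return logp

    def is_otp(self, text):
        return self.log_score(text, "otp") > self.log_score(text, "other")

# A 4-8 digit run that is not part of a longer number or of a decimal (45.20).
CODE_RE = re.compile(r"(?<!\d)(?<!\d\.)(\d{4,8})(?!\d)(?!\.\d)")

def extract_otp(text):
    m = CODE_RE.search(text)
    return m.group(1) if m else None

def otp_from_inbox(classifier, messages):
    # Keep only messages the model labels as OTP, then pull the code out of each.
    return [extract_otp(m) for m in messages if classifier.is_otp(m)]
```

With so few samples the classifier is only a demonstration of the pipeline; a production model needs a far larger labelled set and held-out evaluation.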

Conclusion

2FA plays an important role in securing our data against online attacks by adding an extra security layer, and users should adopt it for their applications.

As a cyber security company, our approach to security testing a two-factor authenticated application is to gain access to a user's account with their permission and find the hidden vulnerabilities in it, combining IoT, the AWS cloud and AI.


Written by Nasim Sulaiman, AI Engineer