Multi-Factor Authentication in Digital Forensics

Two-factor authentication is probably the best security measure since passwords were invented. It goes a long way towards protecting one’s accounts against being hacked. A password alone, no matter how long or secure, is no longer enough to provide sufficient protection. Social engineering, linked security breaches, leaked passwords and hacked mailboxes all contribute to the insecurity of password-based protection. Once an intruder gets hold of someone’s password, they can access the account without a fuss. Worse still, they can work further to gain access to other accounts, e.g. by using the hacked email address to request password resets on other connected services. Two-factor authentication aims to address this problem.

LinkedIn. Yahoo! Mail. Dropbox. Battle.net. IEEE. Adobe Connect. PayPal. eBay. Twitter. These are just a few recent examples of big name service providers being hacked, with literally millions of passwords leaked.

The infamous celebrity photo leak was huge. It demonstrated how susceptible iCloud users are to remote hacks. Thousands of explicit images that celebrities captured with their iPhones were stolen straight from their iCloud accounts. Apparently, hackers were able to get the passwords to celebrities’ Apple IDs, and gained access to the linked iCloud accounts using a copy of Elcomsoft Phone Breaker. Had Apple enforced two-factor authentication for iCloud account holders, the problem would probably have occurred on a much smaller scale. Even though two-factor authentication is not infallible and remains susceptible to social engineering, it does require significantly greater effort to obtain a quickly expiring security code from the victim, and poses a much higher risk to an attacker.

As an expert in mobile forensics, you may face similar obstacles when attempting to acquire information from the suspect’s cloud account over the air.

Two-Factor Authentication: Apple, Google and Microsoft

All three major mobile service providers (Apple, Google and Microsoft) use similar approaches to two-factor authentication. The two most common approaches are online and offline.



Online authentication works by approving an authentication request on a trusted device, or by entering a code that is pushed to the user or delivered via a text message. Offline authentication apps must be initialized with a cryptographic seed once; afterwards they generate time-sensitive authentication codes without the need for an Internet connection.

Google mostly uses offline authentication via its Google Authenticator app (or via Microsoft Authenticator on Windows Phone devices).

Apple is mostly relying on online authentication, pushing codes to trusted iOS devices or delivering server-generated single-use codes via text messages.

Finally, Microsoft users have access to both authentication methods at the same time. Windows users verifying their Microsoft Account can choose online or offline authentication at any given time. In addition, users can set up two-step verification with an email address or phone number. Microsoft will send a security code to enter on the sign-in page when the user attempts to sign in on a new device or from a new location.

Online vs. Offline Authentication

When using online authentication, users must approve a notification on one of their trusted devices. With this type of authentication, users don’t have to enter security codes. Instead, they will be pushed a verification request to all of their trusted devices. By approving the request, they will successfully confirm their identity.

Offline authentication apps are based on a different principle. They don’t require an active Internet connection or mobile service. A new time-sensitive single-use code is generated every few seconds by the authenticator app. The codes are automatically generated even when the trusted device is offline.

While it is generally possible to de-authorize individual trusted devices with online authentication apps, de-authorizing offline authentication is only possible for all offline authentication apps at the same time. Once a new cryptographic seed is generated, codes generated by offline authentication apps using the old seed will fail to verify.

App Passwords and Two-Factor Authentication

Two-factor authentication is still relatively new. As a result, some devices and some third-party applications are unable to properly authenticate accounts if two-factor authentication is enabled. If this is the case, the user will see an incorrect password error when trying to set up an account. This happens because these older apps do not support additional security codes.

This issue was immediately recognized by developers of two-factor authentication schemes. A neat workaround was implemented. If a certain app or device does not support two-factor authentication, the user can create a unique app password allowing these apps to sign in and effectively bypass the second authentication step. Users can generate as many app passwords as needed. Microsoft, Apple and Google all support app-specific passwords. Users are recommended to create new app passwords for each app or device not supporting two-factor authentication scheme.

App passwords can be revoked by the user at any time. Apps using revoked passwords will not be able to sign in or authenticate (e.g. via a stored token). Interestingly, app-specific passwords will not work for Web sign-ins or with each company’s respective apps.

A typical app password generated by Google 2FA looks like this: “asdg skgf dsks ezck” (should be entered without spaces).

Forensically, these app passwords, once extracted, can be used for effectively bypassing two-factor authentication. However, their forensic use is limited. For example, Apple does not allow downloading iCloud backups using an app password, but does allow accessing certain types of data (such as notes and messages). Microsoft does not allow accessing their backups with app passwords either. Google, on the other hand, allows limited access to certain types of data even when using an app password. Notably, app passwords can be used as a last resort when the expert has no access to the second authentication factor.

Google Two-Factor Authentication

Google implements consistent two-factor authentication, protecting access to all interactions with any of its services that involve the use of the user’s Google Account. If two-factor authentication is enabled, users have to verify their identity as they attempt accessing any of the services provided under the Google Account umbrella if they initiate access from a new device, app or Web browser. Authenticating Gmail in Internet Explorer does not automatically grant access to the same Gmail account if the user tries to open it in Chrome, and vice versa.

Protected services include (but are not limited to) logging in to the Google Account, using Gmail, accessing files or documents in Google Drive, or setting up a new device (e.g. an Android phone) to access Google Play services. In all, Google’s implementation of two-factor authentication is the most consistent and straightforward among those reviewed in this article.

Google relies mostly on offline, non-interactive two-factor authentication. An authenticator app is readily available on Android and iOS. The app can be initialized by scanning a color code displayed while the user sets up two-factor authentication. Once initialized, the app will continuously generate and display 6-digit codes. The codes are valid for a short period of time (30 seconds).

Technically speaking, the app implements TOTP or HOTP security tokens as defined in the RFC 6238 standard. As a result, similar two-factor authentication apps based on the same standard may be compatible with Google, generating exactly the same codes that will be valid for authenticating the account. As an example, Microsoft Authenticator available in Windows Store for the Windows Phone platform is fully compatible with both Microsoft’s and Google’s two-factor authentication schemes, and can be used to authenticate both types of accounts.

Offline authentication in general is convenient because it does not require an active Internet connection. However, since it serves for authenticating account access (which is inherently an online operation), this point is moot. The drawback of this type of authentication is that the user cannot de-authorize an individual device or app that was previously authorized to generate authentication codes. Instead, if the user needs to de-authorize an app on any one of their devices, a new initialization image must be generated and used to re-initialize all authenticator apps running on all devices.
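The offline scheme described above, as an added example that is not code from the article or from any vendor: it parses the `otpauth://` provisioning URI that an authenticator setup code encodes, derives 6-digit codes with a 30-second step, and shows that replacing the seed invalidates every app still holding the old one. The `Account` class, the `seed_from_otpauth` helper and the sample URI are assumptions made for illustration; the seed is the published RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# Constructed provisioning URI; the seed is the RFC 6238 test key "12345678901234567890".
SAMPLE_URI = ("otpauth://totp/Example:alice@example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter replaced by the number of elapsed time steps."""
    return hotp(seed, unix_time // step, digits)

def seed_from_otpauth(uri: str) -> bytes:
    """Pull the Base32 seed out of an otpauth://totp/ URI (hypothetical helper)."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    secret = parse_qs(parsed.query)["secret"][0].replace(" ", "").upper()
    return base64.b32decode(secret + "=" * (-len(secret) % 8))

class Account:
    """Hypothetical server-side record: one seed shared by every enrolled app."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.last_step = -1  # highest time step already accepted

    def verify(self, code: str, unix_time: int, window: int = 1, step: int = 30) -> bool:
        now = unix_time // step
        for s in range(max(0, now - window), now + window + 1):
            if s > self.last_step and hmac.compare_digest(hotp(self.seed, s), code):
                self.last_step = s  # a code is accepted once, so replays fail
                return True
        return False

    def rotate_seed(self, new_seed: bytes) -> None:
        """Re-initialisation: every app still holding the old seed stops verifying."""
        self.seed = new_seed
        self.last_step = -1

if __name__ == "__main__":
    seed = seed_from_otpauth(SAMPLE_URI)
    acct = Account(seed)
    code = totp(seed, 59)
    print("code at t=59:", code)
    print("first use:", acct.verify(code, 59), "replay:", acct.verify(code, 59))
    acct.rotate_seed(b"constructed-replacement-seed")
    print("old-seed code after rotation:", acct.verify(totp(seed, 89), 89))
```

Because the code depends only on the seed and the clock, any two apps initialized from the same seed produce identical output, which is why the server has no way to revoke one of them individually.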

Since an initialized authentication app may not always be available, Google offers two backup options for receiving authentication codes. The user can authorize one or several phone numbers to receive single-use codes as text messages (SMS). In addition, the user can print 10 pre-generated 8-digit backup codes. These codes do not expire, but they are disposable: each code can be used only once. If all codes are used, or if the user loses them, a new batch of backup codes can be generated (which automatically invalidates all unused codes from the previous batch).

Elcomsoft Cloud Explorer supports Google’s two-factor authentication. If Google’s authentication server requests a verification code, the tool automatically requests that code from the user.

The code will be requested after you click “Sign in”.

You can request the code from a trusted device (the list of trusted devices will appear if you choose “Secure Code” as authentication type) or use a Recovery Key, if available. Enter the code and click “Verify” to proceed.

More information about Google Authenticator: https://garbagecollected.org/2014/09/14/how-google-authenticator-works/

Microsoft’s Implementation

In the world of Microsoft Windows, the company protects Microsoft Account login with several security measures. Microsoft uses the same 2FA configuration for restoring Windows 8, 8.1, Windows 10, Windows Phone 8.1 and Windows 10 Mobile. The number of systems running one of those operating systems is huge, so it’s important to understand the implications of Microsoft two-factor authentication.

Why should forensic experts be concerned about two-factor authentication in Microsoft systems? At the very least, two-factor authentication protects access to online backups made by all compatible systems listed above. These backups contain comprehensive information about the user including bits such as stored Internet Explorer and Edge browser passwords, application data, contacts, calls and text messages. While the amount of data available in Microsoft backups is somewhat less than that captured by Apple iOS, it is still much more than available in Android backups (even in the latest Android 6.0.1).

When setting up a new Windows 8, 8.1 or Windows 10 PC and attempting to sign in with a Microsoft Account (as opposed to using a local login), the system may prompt to complete identity verification. The user’s identity can be verified by either approving the verification request on a trusted device or by entering a code generated by the Authenticator app. The verification request can be pushed to an authorized Microsoft Account app running on a trusted PC or mobile device (the Android version of the app is available). Once the request is approved with an app, the new device is added to the list of trusted devices.

The Windows Phone 8 and 8.1 platform got an offline Microsoft Authenticator app that works similarly to Google Authenticator (generating time-sensitive single-use codes). The difference between the two types of authentication is that the former requires an active Internet connection to receive the authentication request, while the latter works completely offline. Both authentication methods can be active at the same time.

The different authentication types may not be available on all platforms. Microsoft has compiled a comprehensive FAQ on how to configure authentication apps on the different mobile platforms.

Did you know? Microsoft and Google offline authentication apps are compatible. One can use Microsoft Authenticator running on a Windows Phone device to authenticate Google accounts, or Google Authenticator running on iOS or Android to authenticate Microsoft accounts.

The following types of identity verification apps are available on the different platforms:

  • Apple iOS: offline authenticator. Microsoft recommends using Google Authenticator, which is compatible.
  • Android: offline and online authentication apps. Microsoft Account handles online authentication requests, while Google Authenticator can be used to generate authentication codes offline.
  • Windows Phone: offline authenticator. Microsoft Authenticator can be used to verify both Microsoft and Google accounts.

Verification methods can be configured at https://account.live.com/proofs/Manage

More about Microsoft two-step verification: http://windows.microsoft.com/en-us/windows/two-step-verification-faq

Microsoft allows using two-factor authentication to protect all interactions with Microsoft Account. Alternatively, the user can choose to enable this type of authentication only for accessing sensitive information, such as establishing Microsoft Account on a Windows 10 device (which automatically enables full access to all files synced via Microsoft OneDrive, access to stored passwords, and the ability to restore backups including configuration settings and application data).

Apple’s Two-Step Verification

Up until recently, Apple used its very own approach to multi-factor authentication. Dubbed two-step verification [https://support.apple.com/en-us/HT204152], the extra security layer was only meant to cover certain activities that could be performed with the user’s Apple ID. Namely, two-step verification covered (and still covers, if you’re dealing with iOS older than 9.0) all of the following activities:

  • Sign in to Apple ID account page
  • Sign in to iCloud on a new device or at iCloud.com
  • Sign in to iMessage, Game Center, or FaceTime
  • Make an iTunes, iBooks, or App Store purchase from a new device
  • Get Apple ID related support from Apple

According to Apple, this is how two-step verification works:

  • You enter your Apple ID and password as usual.
  • Apple sends a verification code to one of your devices.
  • You enter the code to verify your identity and finish signing in.
[Source: https://support.apple.com/kb/PH14668?locale=en_US]

Two-step verification only supported a single secondary authentication factor: a trusted iOS device. A verification code would be pushed by Apple to a trusted device, allowing users to validate requests protected with two-step verification. Backup verification methods included SMS verification and an offline Recovery Key that could be created, printed out and stored in a safe place.

With iOS 9, Apple moved from this proprietary scheme to a different method, the more open two-factor authentication.

Apple’s Two-Factor Authentication

From iOS 9 onwards, Apple switched from two-step verification to a different, improved security mechanism. Apple’s two-factor authentication is built directly into iOS 9, designed to protect access to all the photos, documents, and other important data stored with Apple.

Two-factor authentication has been gradually rolled out by Apple to eligible users since fall 2015 [https://support.apple.com/en-us/HT205075]. Unlike the older two-step verification, the new two-factor authentication mechanism protects iOS devices from the ground up. If two-factor authentication is enabled, users will be required to enter a unique, single-use 6-digit authentication code every time they access their Apple ID from a new device. The code is displayed automatically on the user’s other devices, or sent to a trusted (and verified) phone number. [https://support.apple.com/en-us/HT204915]

The code is only requested once per device. It remains valid until the user signs out completely, erases the device or changes the password. Web sign-ins can be remembered by offering the user an option to trust the browser.

Bypassing Apple’s Two-Factor Authentication

When it comes to digital forensics, the secondary authentication factor may or may not be available. If the secondary authentication factor is a trusted iOS device, being able to unlock the device (by entering the correct passcode) is required in order to access the pushed authentication code. Such access may or may not be available to the investigator.

When performing cloud acquisition of Apple accounts protected with either two-step verification or two-factor authentication, investigators have the ability to bypass authentication requirements by using a cached authentication token. The authentication token is a piece of cached data that helps authenticate requests to Apple servers without requiring the user to enter their credentials every time.

At this time, only authentication tokens produced by Apple iTunes can be used to bypass authentication. Comprehensive information on how to acquire and use binary authentication tokens to access the user’s iCloud and iCloud Drive data is available in the ElcomSoft blog: Breaking Into iCloud: No Password Required

If no binary authentication token is available, it may still be possible to extract the correct Apple ID and password from the computer: Acquiring and Utilizing Apple ID Passwords, Mitigating the Risks and Protecting Personal Information

Conclusion

Two-factor authentication goes a long way towards securing user accounts. Even if a weak password is used, third parties may not be able to access information protected with two-factor authentication if they don’t have physical access to the secondary authentication factor.

Two-factor authentication is a roadblock to performing over-the-air acquisition. Since acquisition is normally performed on what’s considered to be a “new device”, the authentication system will require verifying the user’s identity with the second factor. As such, tools such as Elcomsoft Cloud Explorer will require entering the correct authentication code.

There are exceptions. For example, Apple’s authentication tokens can be extracted from a previously authorized computer and used with a tool such as Elcomsoft Phone Breaker. This allows accessing information stored in the user’s iCloud, including accessing iOS backups and uploaded files, even without having a trusted device.

About ElcomSoft

ElcomSoft develops computer forensics tools for Windows and Mac OS X, provides computer forensics training and computer evidence consulting services. Since 1997, ElcomSoft has been providing support to businesses, law enforcement, military, and intelligence agencies. ElcomSoft tools are used by most of the Fortune 500 corporations, multiple branches of the military all over the world, foreign governments, and all major accounting firms. More information at https://www.elcomsoft.com
