Increasing resilience against Heartbleed-alike bugs using Two-Factor Authentication

Frederik Mennes

On Monday April 7th, news broke about the so-called Heartbleed bug. Heartbleed is a flaw in OpenSSL, a software library implementing the Transport Layer Security (TLS) protocol. TLS is widely used to protect communication with websites, e-mail, instant messaging, etc. A TLS-protected website can be recognized by the “https” prefix or by a lock icon in the browser’s address bar.

The Heartbleed bug

The Heartbleed bug allows an adversary to obtain part of the memory of an impacted server. This memory is used to store and process sensitive data, including TLS private keys, users’ passwords and credit card details. As such, an adversary can use the bug to obtain sensitive data from a company’s web application. Under certain circumstances the bug also allows obtaining sensitive data which has been exchanged in the past with a vulnerable TLS server. Additionally, using the TLS private key of an impacted web application, an adversary can also set up rogue servers impersonating the genuine server.

Heartbleed and its impact on accounts protected with static passwords

The Heartbleed bug painfully confirms once again that the times where usernames and static passwords offered an adequate level of security are definitely over.

Web applications that are affected by the Heartbleed bug need to assume that all sensitive data exchanged over TLS during the past two years could be compromised. Due to Heartbleed, an adversary that intercepted communication with an affected web application now has the power to decrypt this sensitive data. In other words, such an adversary could obtain the usernames and passwords of the web application’s users and log on with them for as long as those credentials remain valid.

Furthermore, web applications that are not directly affected by Heartbleed could be affected indirectly, as users tend to share passwords among multiple web applications. Passwords used with a web application not affected by Heartbleed could still be compromised when they are also used on a Heartbleed-affected web application. In other words, the owners of web applications relying on static passwords cannot control the security of their users’ passwords themselves anymore. They are subject to the (absence of) security of other web applications.

Leveraging Two-Factor Authentication to protect against Heartbleed and Heartbleed-alike bugs

Web applications using two-factor authentication (2FA) to authenticate their users did not have to worry as much about Heartbleed during the past few days.

Two-factor authentication based on one-time passwords (OTPs) ensures that passwords can be used only once and remain valid for only a small amount of time. As a consequence, OTPs which have been used in the past two years and that are recovered by an adversary are of no value to that adversary. The ephemeral nature of OTPs makes them worthless for adversaries decrypting TLS-protected communication. Additionally, 2FA ensures that users cannot share passwords among various accounts, so that web application owners do not have to worry about users sharing credentials with other applications that might be affected by Heartbleed.

The Heartbleed bug caused a major stir in the online world. However, it is most likely not the last bug of its kind that we will see. In order to increase resilience against Heartbleed and future Heartbleed-alike bugs, web application owners should therefore introduce 2FA.

Frederik leads OneSpan's Security Competence Center, where he is responsible for the security aspects of OneSpan's products and infrastructure. He has an in-depth knowledge of authentication, identity management, regulatory and security technologies for cloud and mobile applications.