One of the most popular thing to ask about the security of a service, a portal, or really anything internet-facing is:
Is it 2FA-enabled?
If they answer in the affirmative, this usually ends the conversation in a positive way. As if there’s not much an attacker can do against it.
First, that’s not true. Lots of malware is capable of dealing with 2FA. It’s just a more manual process.
But even worse is the issue of APIs, which is basically where we build massive backdoors into our authentication system—including 2FA.
The API backdoor
The next time you are chatting with someone about 2FA access to some big-name SaaS service or product, ask them if they have an API.
They’ll probably respond with,
Now ask them what all you can do with the API.
Oh, it’s a great API. You can do pretty much everything.
Great. And how many people have access?
It’s super popular. We give access to all our developers, and any account can ask for and get a key.
So how many of those keys are out there, and how do you control them?
API keys often have full access to do anything on the platform, and guess what the access method is? It’s a string of characters for your key, and a string of characters for your secret.
Sound familiar? Maybe, like a username and password?
Oh, but this is different because it’s all code-ey and stuff. Lots of programming and things and stuff.
That’s not a defense. Good APIs also share something else—great documentation. So it’s pretty easy to do things like add users, adjust permissions, pull data, etc., using this interface.
And this is all happening on 2FA enabled accounts.
- Everyone understands that 2FA is better than username & password.
- Everyone is also trying to add an API to their new service.
- API keys are just usernames and passwords used in code.
- Few people realize this, and think it’s either safe because “programming is hard” or because “APIs are magic.”
- APIs are not magic. They’re an entry point into your application, and there are far too many keys and secrets floating around out there on services that are 2FA-enabled.
- This presents a false sense of security.
2FA is great. Enable it where you can. But it’s not the end of the conversation.
Be sure to take a look at your API as well. Know what you can do using it, know who has keys, know how often they expire, and have a story around monitoring and response.
For all intents and purposes, you should treat API access like legacy username and password access. Credentials can be stolen, and credentials can be used to do bad things.
Don’t get shot in the ankle.