134. Mobile Reconnaissance Concerns (OBJ 3.5)
In this lesson, we’re going to discuss the different reconnaissance concerns that you need to be aware of in terms of our mobile devices and wearables. This includes the type of data and information that can be accessed through physical reconnaissance of your mobile devices, including the implications of wearable devices to our privacy and the ability for attackers to conduct wireless eavesdropping using our devices. First, let’s take a quick look at the types of information you can find on mobile devices. Now, mobile devices store data on the device itself on removable memory cards and in the cloud. When you’re thinking about the privacy issues and the amount of reconnaissance that could arise from the loss or theft of a smartphone, just think about how much personal information is really stored on that device. Now, our smartphones hold a treasure trove of information, including the subscriber and equipment identifiers, our system and localization settings, our phone books and contacts, our calendar details, our text and multimedia messages, our call logs of outgoing, incoming, missed, and recent calls, our emails, our photos, our music, our videos, our instant messaging data, our web browsing history, our documents, our social media accounts, our banking information, our geolocation data, our biometric and health data, and so much more. And most of this data is stored both on the device itself and it’s also being backed up to a cloud service provider like Google Drive or Apple’s iCloud. Therefore, organizations need to be careful to ensure that the devices are set up to encrypt the data before being stored on those devices in case a thief steals it, and then they could try to access that data. Additionally, all of your cloud backups need to be encrypted and stored using at least 128-bit AES encryption.
If a device is lost or stolen, it is really important that users immediately report this loss to your organization. Most organizations use a mobile device management suite, and these have the ability to either locate the stolen device or simply remotely wipe that device to remove any data from the device before a thief can access it. Now, preparation here is truly the key to ensuring our data is secure in our mobile devices, and we should always properly configure the encryption for the data that’s being stored on our devices ahead of time. Now, beyond mobile devices, a lot of employees have now also adopted to the use of wearable technology. Wearable technology is any type of smart device that is worn on or implanted into the body. Now, these devices take all sorts of different shapes and forms, including smartwatches, cameras, fitness devices, glasses, headsets, and medical sensors. Smartwatches are watches that usually include a touchscreen interface and they have a mobile operating system, something like Android or watchOS embedded into them. These devices can perform functions like playing music, conducting fitness tracking, translate languages, provide directions, and much more. Some of these devices require a smartphone in order to operate, but others have built-in cellular data receivers and transceivers to operate independently. Now, cameras also used to be independent devices, but with the recent introduction of body cameras for military police and security officers, they are now placed into the wearable category, too.
These devices are usually going to be always on, always recording technology, and when they run out of storage, they’ll simply overwrite the oldest material stored in their memory. Now, fitness devices are used to track a person’s physical fitness metrics, and they’re another type of wearable. These can get all sorts of different metrics, like how fast a person walks, the number of steps they took that day, how fast their heartbeat is, and much more. These devices are usually worn as a bracelet or watch, but some take the form of a small square clip that can be placed in a shoe or on a shoe or tied using the shoelaces. Now, glasses are the next category of wearables. And the idea here is that a pair of smartglasses can be worn like a normal pair of sunglasses, but they have the ability to project a digital image into the lenses, and this intrigues a lot of people. These devices could support different types of inputs as well, like eye movements, voice activation, and buttons on the side of the frames. These smartglasses could be used to provide information to a user while they’re walking around a city, like direction, or allow them to see their smartphone screen while it’s still inside their pocket. Another wearable we have is headsets. Headsets have been around for decades and users use them to talk on their smartphones without having to hold the phone itself. These usually operate through Bluetooth and can send and receive audio like phone calls or even music to the user. Now, the biggest recent evolution in this technology has been their size, as they continually shrink down in size and provide better quality with additional battery life. The final type of wearable we’re going to talk about actually goes inside your body instead of on your body. These are medical sensors. These type of smart devices are now being incorporated into medical devices like pacemakers, and this gives them network connectivity as well as the ability to track your metrics from within your body.
These devices can notify a doctor when they sense that your body is having an issue, as opposed to relying on somebody noticing that issue themself. Now, wearable technology gives us some unique ways of interacting with technology in our daily lives, but it is not without its own risks and security concerns. Wearables are a really big reconnaissance concern for us because they collect so much highly sensitive data, including biometric and health data, about us. These devices can seem harmless, like using a GPS-enabled wearable while you’re running to track your distance. But even as far back as 2017, we saw that secret military bases around the world were being identified due to a social network for physical fitness that displayed the data for military members who were exercising at those bases and sharing their data with the world. Now, this becomes a reconnaissance concern, especially for the military, because these secret bases were now being identified. Now, another concern is wireless eavesdropping because these wearables often utilize unencrypted communications. Many of these devices are low-powered and don’t have enough computing power to encrypt their communications, either, even if you wanted to. Some of these devices were actually designed with no security whatsoever because it just wasn’t important in the function of that device.
Therefore, these wearables can introduce a lot of vulnerabilities into our networks or into our physical environments, because those communications could be captured and read in plain text using wireless eavesdropping techniques over cellular, Wi-Fi, or Bluetooth. When you consider if your organization should allow the use of wearables, you need to decide your risk appetite before accepting these devices into your network or into your office environment. Many of these devices, especially ones with cameras, can be remotely turned on or off. And this could be a major issue if an attacker was able to gain access to our network that way. They could turn on our cameras and then use them to conduct their own reconnaissance of our facility as we’re walking around. Or if they’re a part of a group trying to break into our facility, they could remotely disable our security cameras before breaking into the facility. With the addition of smartwatches, smartglasses, and other wearables, it has become much easier for criminals to perform reconnaissance of our organization’s buildings. As people walk around the building every day, the cameras and microphones on your devices can record everything that is going on, and hackers could analyze it once they’re off property. Again, depending on your risk appetite, you may wish to not allow any wearables inside your facility, and this is common in a lot of military organizations.
With the increased use of fitness trackers and medical sensors, we also need to concern ourself with the health privacy of the data these things are collecting. This is extremely important when dealing with these medical sensors, because HIPAA rules could apply if the device was implanted by a doctor. Fitness trackers don’t fall under HIPAA rules, though, but the data should still be protected. Finally, if our organization owns some of these wearables, we need to consider how we’re going to conduct digital forensics on them if they’re used as an infection vector into our networks. These devices often have unique cable connections and they don’t support standard disk storage technologies. Plus, most digital forensics suites aren’t set up to capture information from these devices. Therefore, if wearables become part of our organizational network, this is definitely something that has to be considered ahead of time to make sure you’re well prepared.
135. Mobile Device Insecurity (OBJ 3.5)
In this lesson, we’re going to discuss a few key concepts that can lead to mobile device insecurity, as well as some things we can do to increase the security of our mobile devices in our organization. This includes a discussion of some key things to avoid, like jailbreaking, rooting, sideloading, and unauthorized application stores, as well as some best practices to utilize. First, let’s talk about jailbreak. Now jailbreaking is a term that’s used to describe an exploit that enables a user to obtain root privileges, sideload applications, change, or add carriers, and customize the interface of an iOS device like an iPhone or an iPad. The problem with jailbreaking device is that it essentially removes all the protections that Apple has created for that device, in addition to all of the restrictions on that device.
Now, jailbroken devices are actually the largest threat vector that’s going to be exploited by an attacker when it comes to iOS devices. When you jailbreak a device, you no longer have the protections and restrictions that Apple gives you. If a phone is jailbroken, it also can’t receive proper vendor patches and upgrades, and this makes your device much more vulnerable to attack. In the old days, you could jailbreak the device and boot it up with a patched kernel each time the phone was reset. Apple continually was hard at work trying to eliminate jailbreaking, and so they’ve made it much harder to perform. Currently, most jailbreaks are known as tethered jailbreak, which means the device must be attached to a computer when it’s being booted up in order for that patched kernel to actually be loaded and give you root access. Because of this, jailbreaking iPhones and iPads is not nearly as prevalent as it once was. Android devices, on the other hand, use a technique known as rooting. Now rooting is an exploit that enables the user to obtain root privileges on an Android device, so they can perform whatever they want on that device. There are some authorized routing techniques, though, as well that are performed by some vendors if you have those type of phones. This goes to the more open nature of Android versus iOS. Now, most users though, should not have a reason or need to actually root their device. If the vendor doesn’t provide a rooting mechanism, then you’d have to root it using an exploit to a vulnerability, and that way you can gain access as root, or you could load a custom firmware into your phone instead. Now a custom firmware is a new Android OS image that can be applied to your device, and this custom firmware is also known as a custom ROM. And some people have created their own versions of Android with different settings and interfaces using these custom ROMs too. Now, these custom ROMs, though, could contain malicious code, bugs, or other vulnerabilities that you’re not aware of. And they’re usually not supported by larger security communities, or the manufacturer itself when things break. And so, therefore, you need to becareful if you’re going to use a custom ROM. Another type of root-level access that you can achieve on an Android device is known as systemless root. Now, systemless root is a method that does not modify the system partitions or files, and therefore it is less likely to be detected than a custom ROM or firmware-based routing.
Next, we have sideloading. Now sideloading is the practice of installing an application on a mobile device directly from an installation package instead of downloading it through an official store, like the Google Play Store or the Apple App Store. Now, when an application is submitted by a developer to the official store, it has to pass a number of security checks before it becomes available to users to download. But if the user simply installs an application they find online, it can actually have vulnerabilities in it, or malicious code that they’re not aware of. Now, by default, Android and iOS devices block the installation of third-party apps by using sideloading. But a user can enable the installation of third-party apps under their settings in Android devices. To prevent this organization should use mobile device managers to prevent the installation of unauthorized apps for third-party apps. Another security issue with applications is the installation of unsigned apps. Now when an application comes from the official store, it’s going to be digitally signed by the developer to ensure its code has been verified and has not changed since they signed it. If these are downloaded and installed an unsigned application, there is no way of knowing if the application has been tampered with between the time it was developed and the time the user downloaded it. To prevent the introduction of malware into our devices, we should only download and install applications through an official application store in ones that are digitally signed by those devices.
Next, let’s talk about some security best practices that you can use in your mobile devices. This includes device configuration profiles, full device encryption, VPNs, Location Services, and geofencing, and geotagging. First, we have device configuration protocols. Now device configuration protocols are used to implement different settings and restrictions for your mobile devices from your centralized mobile device management systems, and then those are going to be deployed to your mobile devices across your organization. Most device configuration protocols are written as XML files, but this does depend on your mobile device management suite. These XML files contain all the configuration details for a specific user or device depending on your MDM. These device configuration protocols are then going to be installed on a device either manually, or through an automated deployment using your MDM after the device has been enrolled into the Mobile Device Management Suite. Profiles are most commonly used for security, but they also provide a vulnerability that can be exploited by an attacker because profiles can be pushed to a device by email, text message, or as a download from a row web page. In these cases, attacker will try to trick a user into accidentally installing the profile in order to gain access to enterprise data, or the enterprise network by using that mobile device as a zombie or pivot point.
Similarly, digital certificates can also be delivered and distributed to a device like a row profile can, so you should always be careful when accepting and trusting new digital certificates that are presented over an email, text message, or raw webpage. Second, you should consider implementing full device encryption on all of your mobile devices. Every mobile device has an internal solid-state storage device that contains the operating system, application files, and data files. In addition to this, many Android devices also have an additional memory card slot for additional or expansion storage. To protect the data stored on these devices, you need to implement full disk encryption to provide data at rest protection. While many organizations may not bother to use full disk encryption on their desktops, it is extremely important to use it on your laptops and mobile devices. Many data breaches have come as a result of an employee’s laptop, tablet, or smartphone being stolen from their home, or car, and that data was easily read from the storage device because full disk encryption was not being utilized. Now iPhones and iPads use a 256-bit unique ID for each device, and you can combine that with the user’s password in order to encrypt the storage device for full device encryption on Apple devices. Android devices prior to Marshmallow, which was version 6.0. 1 use full disk encryption using 128-bit AES key protected with a password.
But starting with Android version 7, file-based encryption was also introduced to allow for the independent encrypting and decrypting of files. As of Android version 9, metadata encryption was also supported, and this allows Android to provide full device file-based and metadata encryption to provide you with additional protections and data at rest. To add in all of this encryption, a lot of these devices have an embedded microSD Hardware Security Module, also known as an HSM, which stores the different cryptographic keys securely inside that mobile device similar to the way a TPM module does in a laptop or desktop. The third security configuration you should implement is the use of virtual private networks or VPNs. Just like traditional desktops and laptops, mobile devices must rely on a VPN to access our organization’s network resources when they’re not connected directly to the organization’s network. Mobile devices have a few options that they can use to create this VPN. Most mobile operating systems natively support VPN through their settings. To configure these VPNs, they’re going to rely normally on a username and password. To create a more secure VPN solution though, some mobile device management solutions will also provide a third-party VPN client that can support digital certificates and other forms authentication, such as a fingerprint to be able to establish a secure VPN connection through the mobile device management gateway server. When implementing a VPN, our organization needs to decide which type of encryption is going to be utilized, such as secure socket layer tunnels, transport layer, security tunnels, or some other form of encryption. Remember, when you’re configuring a device to use a VPN, be sure you follow both your organization’s traditional VPN security policies, and any mobile-specific policies you may have. Now, as I said, mobile devices have extensive support for virtual private networks. And you can actually do this at three different layers, the operating system layer, the application layer, and the web-based layer.
At the operating system level of VPN provides an always-on protection capability that will capture all the device traffic, and forwarded through an encrypted tunnel to your VPN endpoint. If you’re using an application-level VPN, this will focus on providing a VPN on a per-app basis. These AP-level VPNs can then be configured to protect the traffic generated by a single application instead of tunneling all the devices network traffic through that VPN. A web-based VPN solution works within the web browser on a mobile device to protect traffic by masking, or changing the device’s true location to bypass geo-restrictions, or firewall restrictions. Now, web-based VPNs do not provide as much protection as an OS-level VPN, but they may be useful depending on your business case, and your needs. Our full security configuration we need to think about is location services. Now the location services setting refers to how a mobile device is allowed to use your cellular Wi-Fi, GPS, and bluetooth to determine your physical location. For example, if you want to determine a user’s device and where it is precisely, you can triangulate that device using GPS with a highly accurate result, or you can actually triangulate the device using the cellular modem and multiple cellular towers to get a rough, or coarse position if GPS is not working. Now, different applications on your device will ask for permission to access your course, or precise location and you can trigger their ability to read and access that information in your profile, or your MDM policies.
Now the fifth security configuration we need to discuss is also related to location services, and it’s known as geolocation, which is used by geofencing and geotagging. Now, geolocation uses the device’s ability to detect this location in order to determine if access to a particular resource should be granted. This can be accomplished by using the device’s public IP address, the GPS coordinates of the devices current location, or even the location based on the triangulation of its position to the cellular towers in its local area that it’s using for data access. As I said, geolocation is closely related to location services. Now, based on this location data, your app policy, your network policy, or your MDM policy can enable, or disable certain functionality of the device, or even prevent authentication entirely. This is done through geofencing, which is the creation of virtual boundaries are based on geographical locations and coordinates. Geofencing can also be used to track a user’s location and keep them within a certain area. For example, there’s applications out there that a parent can install on their child’s smartphone that will send a text, or alert if the child tries to leave a predefined boundary that was set by the parent, but parents aren’t the only ones using geofencing. Let’s pretend for a moment that you’re the CIO for a small company here in the United States, and you don’t have any international employees, you might enable geofencing as a way to prevent any users from outside the United States from logging into your systems.
You could do this based on the location of the source of the IP address of that user, or the GPS coordinates of the device the user is using when they’re trying to log into your systems. This is geofencing at work. Finally, a related topic is known as geotagging. Now geotagging is the addition of location metadata to files or devices. Often, this is used by our mobile device management systems and asset tracking systems to ensure the devices are located where we believe that they should be located. For example, let’s pretend you are a small chain of coffee shops. And each point of sale system is really an iPad with a credit card reader attached to it. You could implement geo-tagging of all the transactions to be able to ensure they occurred from the proper location, or you could geotag the device itself, and only allow it to operate when it’s within the local area of his designated coffee shop.
136. Multifactor Authentication (OBJ 3.5)
In this lesson, we’re going to talk about multifactor authentication, and how the integration of biometrics has been done inside of mobile devices. Before a user gains rights to use a particular resource, they should have to prove their identity. Now in access control, we use identification and authentication to share resources from unknown users. When a user first requests to act us a resource, they must provide their identity. This process is known as identification. Next, their identity must be verified. This process of validating the identity of the user, using a unique identifier and approved credentials, is known as authentication. Often, students get these two terms confused. Just remember, identification is provided by the user as a claim to who they are. And they may be provided through a username, an account number, or even a social security number. Authentication, on the other hand, occurs on the access control side. This occurs once the identification, such as a username, is checked against a validated credential, such as your password. Now as the security of our networks becomes a primary concern to our organizations, security professionals need to continue to seek better ways to increase that security. Some have been attempting to simply create more difficult and more challenging password schemes to create a more secure network. These schemes now require users to remember passwords that have uppercase and lowercase, numbers and symbols, and use passwords over 14 characters in length. However, many studies have shown, that this doesn’t truly increase the security of the network, because the users will simply write down these complex passwords, or reuse those passwords across multiple accounts. To better increase the security of your network, you should instead rely on multifactor authentication.
This is because it is exponentially more secure than a long, complex, and hard to remember password. So, what exactly is multifactor authentication? Well, multifactor authentication, also known as MFA, is simply the use of two or more means, or factors, to prove a user’s identity. There are five factors of authentication that can be considered when you’re validating a user’s identity. These are knowledge, ownership, characteristic, location, and action. The knowledge factor involves the user providing a piece of memorized information, something like a username, a password, a PIN, a combination to a lock. Or their mother’s maiden name, their social security number, their place of birth, or anything else that could be memorized and recited when asked by that authentication system. The ownership factor involves the user proving they have something in their possession that uniquely identifies them. This ownership or possession factor is commonly achieved using token devices, like a key fob that displays a random code every 60 seconds, that the user enters into the system, or a smart card that’s inserted into a reader on the computer. Or a USB dongle with an encryption key that’s connected to the computer. Or maybe it’s an authentication mechanism that sends a unique and random number to your smartphone as a text message.
And that way, you enter that number to log in to the machine. All of these are ways to prove you have some kind of physical thing in your possession that serves as a token. The characteristic factor relies on something that is defined by the person’s being. This is most commonly done using their fingerprints, by scanning the retina inside their eye, or by measuring the distance between different parts of their face. When we talk about biometrics, whatever it is, that something is innately part of their body and they always have it with them. For a long time, fingerprints were the de facto standard for most biometrically controlled access systems. Most smartphones and tablets, as well as many laptops, started to include fingerprint readers that could be used to authenticate a user for access to a given terminal. For example, if you ever had an iPhone in the 5S to 8 model range years, that actually had a fingerprint login feature called Touch ID. Whenever the user pressed their index finger or thumb to the scanner, it would log them into their smartphone. Now, modern iPhones have actually done away with touch ID in favor of face ID. So if you have an iPhone X or newer, then you’re going to have a front facing camera that scans your face, and measures the distance between different areas of your face to uniquely identify you.
This allows the user to simply hold up their phone in front of their face, and get automatically identified and logged in. Another form of a characteristic factor could be a vocal pattern recognition, which is currently being used by some banks to identify their unique customers over the phone. These type of devices are now being integrated into door locks and physical access control systems too, like access control vestibules. For example, I once worked at a high-security facility, where I had to use a retina scanner to access my workspace every day. I’ve also worked in other places that used a fingerprint and a PIN number that allowed you to get through the access control vestibule. Now, if you come across a biometric system, you can bypass it by focusing on the system’s ability to properly identify a user. This comes down to the acceptance and rejection rates of that system. Now, the false acceptance rate, or FAR, is the rate that the system authenticates a user as valid, even though that person should not have been granted access to the system. For example, if you walked up to the fingerprint reader, placed your finger on it, and it accepts you, because the system thought you were me, that would be considered a false acceptance.
As a penetration tester, we love a high false acceptance rate, because it means their biometric scanners are not well tuned, and we may be able to get past it pretty easily. The organization, though, ideally wants to get that false acceptance rate down to zero, by increasing the sensitivity of those scanners, and preventing an attacker from getting authenticated when they shouldn’t be. Now on the other side of the spectrum, we have false rate rejection rate, or FRR. Now, many organizations don’t think that a false rejection rate is really a problem, but it actually is just as big of a problem as a false acceptance rate being high. Let’s go back to our last example talking about the fingerprint scanner. If the organization increases the sensitivity of that fingerprint scanner, to try and eliminate all those false acceptances, that system can inadvertently increase its false rejection rate too. Now a false rejection rate occurs anytime the biometric system denies a user who should’ve been allowed access to the system. So let’s pretend you wanted to log in as me using a fingerprint scanner. Let’s assume during your first attempt, you were able to log in as me using your fingerprint. So, that means we had a false acceptance. Now I increase the sensitivity up to its highest level.
Now there’s no more false acceptances occurring. But, about half the time, when I use my finger and try to log in, I’m being rejected, even though I’m an authorized user. This is the problem we have with false rejections, and it creates other problems for the organization, too. Because now, if the system is failing to allow me to authenticate half of the time, that means half the time I can’t get on my computer and do my job. Eventually, the organization is going to become frustrated with that and they’re going to decrease the sensitivity. And again, this makes it more vulnerable to attack. So what we have to do is try and find that sweet spot as a defender. Trying to figure out where we can have not too many false acceptances, and not too many false rejections. Now as a system administrator, our job is to try to find the point where those two things are equal. This is known as the equal error rate, or ERR. More commonly though, you’ll hear this referred to as the CER, or crossover error rate. The crossover error rate uses a measure of effectiveness of a given biometric system. As a penetration tester, you should understand the concept of a crossover error rate if you have to make recommendations on how an organization can improve their biometric security systems after your engagement. The next factor we have is known as the location factor. The location factor refers to where a person is when they’re trying to log in to an account. For example, I travel a lot for my work, and when I attempt to log in to my Gmail account when I’m traveling, the system will often flag me as something unusual and ask me for a second piece of information to verify my identity, to validate it really is me who’s attempting to log in from this new location. I’ve also worked at some organizations that require a user to be within a certain city, a certain state, or a certain country, before they can log in to the network, based on their device’s GPS location, or the IP address from which they’re attempting access. The action factor is our last factor. And this refers to something a user does. To be honest, this is not a commonly-used factor in most networks, but I have come across it a few times. For example, the action factor might rely on how something is performed, such as how you sign your name, or draw a certain picture, or the way you walk in front of a visual sensor before a door unlocks.
All these are action factors. Now, if you use only one of these five factors, it’s going to be considered single-factor authentication. For example, if you log in using a username and password, this is considered a single-factor authentication, because both of those pieces of information are considered knowledge factors. You memorize a username and you memorize a password. In order to increase security, it’s really important that you use at least two factors of authentication. This is commonly known as 2FA. Now, for example, I used to work for an organization that required me to insert my my employee ID badge into a smart card reader on the computer. And then I would enter a PIN number to log in to my computer each day. This is considered two-factor authentication, because I have an ownership factor, my identification card, and a knowledge factor, the PIN number I memorize, to prove my identity. Even if you had my identification card, you can’t log in without my pin. Similarly, if you have my pin but you don’t have my identification card you can’t log in to the computer either. That is the power of two-factor authentication. Now, in addition to two-factor authentication, you’ll also hear the term multifactor authentication.
Now multifactor authentication, or MFA, occurs if you have two or more factors of authentication required. For example, you may need your smart card, your PIN number, and your location must be within the same country as the network you’re logging into. That would be three different factors. And because we have these three distinct factors, this is considered multifactor authentication, that we’re going to be using during that login. Now, high-security systems often use multifactor authentication. Instead of relying on only one or two factors of authentication, there may be a mixture of three, four, or even five factors, depending on the security of the system. Security is constantly evolving. And so, additional mechanisms of authentication have to be developed. One of the most secure of these is the use of one-time use passwords. These are implemented using either a time-based or hash-based mechanism. With the time-based one-time password algorithm, or TOTP, a password is going to be computed from a shared secret and the current time. This is often used to create seemingly random integers, displayed on an ownership factor, like a physical token. Now, since these passwords are constantly changing every 30 to 60 seconds, they can only be used one time before they change again. This time-based approach is actually a variation of the hash-based approach known as HMAC-based, one-time password algorithms. Or HOTP. This algorithm computes the password from a shared secret, and is synchronized across the client, and the server. Each time the password is used to log in, a new password is created using the hash-based algorithm, and synchronized again across the client and the server. Another consideration with your multifactor authentication, is whether the authentication factors will occur in band or out of band. Now an in-band authentication factor relies on an identity signal from the same system that’s requesting the user authentication. For example, if you’re using your smartphone to log in to your banking app, and the bank sends you a text message, with a one time password or PIN, to that same smartphone, this is considered an in-band authentication. Similarly, if you’re logging into a website or your computer, and the website sends you a one-time use password or PIN to your email, you’re going to be accessing that on the same computer.
And again, this is considered in-band authentication. Now in-band authentication factors are generally considered to be less secure than using an out-of-band factor. An out-of-band authentication factor is a type of two-factor or multifactor authentication that uses a separate communication channel to send the one-time use password or PIN. For example, if you have an RSA key fob, that receives a new one-time PIN every 30 to 60 seconds, this is considered an out-of-band authentication mechanism, because you’re going to enter that PIN into your smartphone or your computer to complete your authentication. The reason an out-of-band authentication is considered more secure, is that the attackers would have to simultaneously compromise two different communication channels to take over your authentication, instead of just one. Now if your enterprise network requires a higher level of security, you should definitely opt for implementing two-factor or multifactor authentication systems, that rely on an out-of-band authentication system, because they are considered more secure.