Two-Factor Authentication Isn't as Secure as You Think
“Protect your accounts by using two-factor authentication.”
You've more than likely heard this security advice, or been required by your bank or work email account to set it up. As a matter of fact, we’ve offered this advice ourselves in previous blog posts - like this one about Cybersecurity Resolutions, and this one defining Multi-Factor Authentication.
That’s because two-factor authentication (2FA) is far better than using passwords alone, and - unless you’re a high-profile public figure like Twitter Chief Executive Jack Dorsey - this extra security step can often be enough to stop a hacker in their tracks.
What is Two-Factor Authentication?
Two-Factor Authentication, also known as 2FA, is a security system that verifies a user’s identity by requiring multiple credentials. Rather than just asking for a username and password, 2FA requires additional credentials to verify it’s really you trying to access sensitive data.
Examples of Two-Factor Authentication include:
Codes generated by smartphone apps
Codes sent to an email address or phone number
Badges, USB devices, or other physical devices
Answers to personal security questions
Biometrics (Fingerprints, facial recognition, etc.)
What’s the problem with Two-Factor Authentication?
While 2FA raises the barrier to account access by requiring a secondary proof of identity, it still has a number of weaknesses that can be exploited by cybercriminals. Many times hackers are deterred by accounts that utilize 2FA because it’s too much work to intercept the secondary credentials. However, many others are willing to deal with the additional hassle if they believe that the information within the account is worth the effort.
There are a number of 2FA methods available, so it’s important to know that some types of 2FA are more secure than others. Those who utilize 2FA often use the most insecure options, such as email and SMS-based codes. Because of this, hackers have developed methods to easily acquire the secondary credentials.
Here are the top three most common 2FA methods and their vulnerabilities, listed from least to most secure.
3. Email, SMS, and call-based codes (Least Secure)
Email, SMS and call-based codes are the most common 2FA method. Unfortunately, they are also the least secure. These methods work by sending the user a 5-10 digit alphanumeric code via their email, text message, or phone number on file after logging in with their username and password. The user then inputs that code to gain access to their account.
The problem is that these codes can be easily intercepted by cybercriminals. These are the most common methods of interception:
Hackers can call or text users posing as banks or trusted agents and ask to confirm the passcode that was sent to them.
They can direct the user to a spoofed login page that forwards the 2FA code to the hacker. These spoofed login pages are especially effective on mobile phones because the screens are small, making details on the webpage that indicate an impersonation less noticeable.
If your email account has already been compromised, hackers can then attempt to gain access to your social media, banking, and other personal accounts, by receiving the 2FA codes on your compromised account.
Additionally, there's the SIM swap attack. Using information many of us make available on social media, a hacker can impersonate you and convince an employee at a carrier to transfer your SIM card or phone number to their device. The hacker can then read your messages, including all your authentication codes sent by SMS. A hacker will typically only go through with this method if the target is a public figure and/or has a large sum of money to be stolen.
2. Authenticator apps (Secure)
Authenticator apps have grown in popularity over the last several years. These phone-based apps, such as Google Authenticator and LastPass Authenticator, continually generate one-time passwords that expire at frequent intervals. If a user has indicated they would like to use this 2FA method, the account provider will ask for the code currently displayed on the app to complete the login attempt.
The main concern with this method is that the codes generated in the app are tied to the device itself, and typically do not require a password to access. While unlikely, it is possible for a hacker to take possession of a cell phone with a weak password (like 1234) and use its authenticator app to gain access to online accounts.
1. Security keys (Most secure)
Hardware-based RSA keys and YubiKeys are a physical security method that is independent of your phone or online accounts. These keys are the most secure 2FA method currently available to the mass public. However, they are also the least convenient and, therefore, rarely utilized.
Users carry these keys with them or keep them in a secure place and plug them into a computer’s USB port when they need to access their accounts. They then press a button on the device to authenticate to the application they’re trying to access.
The biggest issue with this 2FA method is that many account providers offer backup methods of authentication in the event that the user is having trouble with their key or does not have it with them. Security keys are only the most secure 2FA method if the user configures their account so that other account recovery options are not available at login. Additionally, there is the possibility that the key could fall into the wrong hands. However, similar to a lost phone, they can be deactivated in the event of loss or theft.
What’s the solution?
Though it isn't perfect, two-factor authentication is still vastly better than a password alone, and more resistant to large-scale hack attempts. So, it’s important to make use of it.
The first line of defense is still a strong password. Make use of password managers to generate strong, complicated passwords. Additionally, you won’t have to remember all of your various passwords; just one. This will reduce the urge to reuse simple passwords or store them somewhere that is not secure.
Secondly, ensure that you are using the most secure form of 2FA that is realistic for your lifestyle and relevant to your security needs. You may not need to go all the way with a physical security key, but you should at least be using authenticator apps whenever possible.
The Future of 2FA
The problem with 2FA, as it currently stands, is that it’s not a true identity authentication. Rather, these methods authenticate devices under the assumption that the owner of a particular device will be the only individual with access to it - which we’ve seen to be incorrect. In this way, 2FA is an ‘identity approximation’ system that grants access to individuals based on known devices. The problem is cybercriminals have become good at hacking this system.
Many cybersecurity experts now believe biometric authentication to be the future of 2FA. Biometric authentication utilizes sensors and body measurements to compare the physical characteristics of requesting parties with the verified characteristics of known users. Think FaceID on your iPhone or the fingerprint reader used to clock in at work.
Currently, there is no widespread implementation of biometric-based 2FA on commercially-available devices or services, but it’s likely forthcoming since most smartphones and many computers can now capture biometrics.
While 2FA isn't the all-encompassing security solution many have made it out to be, we do know that it is here to stay and will likely continue to become more secure as the technology becomes available.
Kotman Technology has been delivering comprehensive technology solutions to clients in California and Michigan for nearly two decades. With a customer retention of over 98%, we pride ourselves on being the last technology partner you'll ever need. Contact us today to experience the Kotman Difference.