Data breaches can have devastating consequences for both users and the websites they use. Several platforms have turned to magic links or one-time passwords (OTPs), in addition to a password, to limit the damage of such events and protect users' online accounts.

Today, many companies use two-factor authentication (2FA) to keep unauthorized parties out of accounts. Google, for example, has announced plans to enable two-factor authentication by default for its users, and more businesses are following suit. Yet, despite this widespread adoption, security experts continue to question just how secure 2FA really is.

Two-Factor Authentication

2FA is the two-factor case of multi-factor authentication (MFA): the login must present two independent factors, and MFA in general may require more. These factors fall into three categories.

  • Something You Know: a password, passphrase or PIN (the username is an identifier, not a secret factor)
  • Something You Have: a device in your possession, such as a phone that receives a verification code over SMS, an authenticator app that generates codes, or a hardware security key
  • Something You Are: biometrics such as a fingerprint, face or retina scan, now common on phones and laptops

The problem with SMS-based 2FA

For a long time, voice calls and text messages have been the most popular way to deliver a second factor. Many services prefer SMS verification because it is user-friendly, works on any phone and is relatively easy to implement.

However, SMS verification is not as secure as it is made out to be. In 2016, NIST's draft of SP 800-63B deprecated SMS and voice as out-of-band authenticators over security concerns, and the final guideline classes them as restricted. In recent years, leading vendors including Google and Microsoft have steered users away from SMS towards app-based or device-based second factors.

The problem with SMS authentication is that the code travels outside the user's control. Text messages are not end-to-end encrypted, can be intercepted through weaknesses in the carriers' SS7 signalling network, and are easily relayed in real time by a phishing proxy that sits between the user and the real site (a man-in-the-middle). Attackers can also take over the phone number itself by tricking the carrier into a SIM swap, so the OTPs are delivered straight to them, or simply social-engineer the user into reading the code out.

Is 2FA Verification Safe?

Yes, it is safer than a password alone. But it is not foolproof.

Despite the best of intentions, namely making stolen credentials far less useful to criminals, two-factor (and multi-factor) authentication can still be defeated. How? An attacker may already possess one of the factors (a stolen device, a swapped SIM), may brute-force a short numeric code if the service does not rate-limit attempts, or may use the one tool no technology protects against: social engineering of the user. Common ways 2FA is abused include phishing pages that relay the code in real time, password-reset flows that skip the second factor, brute force against short codes, and third-party apps or legacy logins that never required 2FA in the first place.

Additional measures are needed to keep attackers out of a user's account. Most services that offer 2FA also issue a set of backup codes that you must keep somewhere safe. Each backup code can be used once in place of an app-generated 2FA code, so that you can still log in if you lose your authenticator app, biometric device or USB security key. But they are a full second factor: anyone who obtains them can use them too. Storing them securely is what saves your account.
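How a service can issue and store those backup codes safely, as an added example rather than any particular vendor's implementation: codes are generated from a CSPRNG, shown to the user once, kept server-side only as a salted hash (so a database leak does not hand out working codes), and marked used on first redemption. The code format, alphabet and PBKDF2 settings are assumptions chosen for illustration.

```python
"""Backup (recovery) codes, as an added example: generated once, shown once,
stored only as salted hashes, and each usable exactly once."""
import hashlib
import hmac
import secrets
from typing import List

# Alphabet without 0/O, 1/l/i: fewer transcription errors when a user types a code back in.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
PBKDF2_ITERATIONS = 100_000  # assumed setting; codes have ~50 bits of entropy, hashing adds margin


def generate_backup_codes(count: int = 10, length: int = 10) -> List[str]:
    """Return `count` random codes formatted like 'k7n4p-2xqw9', from a CSPRNG."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        codes.append(raw[:5] + "-" + raw[5:])
    return codes


def _normalize(code: str) -> str:
    """Accept the code as the user is likely to type it: any case, with or without separators."""
    return code.replace("-", "").replace(" ", "").strip().lower()


def _hash_code(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", _normalize(code).encode(), salt, PBKDF2_ITERATIONS)


class BackupCodeStore:
    """What the server keeps per user: a salt plus (hash, used) records, never the plaintext codes."""

    def __init__(self, codes: List[str]):
        self.salt = secrets.token_bytes(16)  # per-user salt: no precomputed table works across users
        self.records = [{"hash": _hash_code(c, self.salt), "used": False} for c in codes]

    def redeem(self, code: str) -> bool:
        """Consume one matching unused code; presenting the same code again fails."""
        candidate = _hash_code(code, self.salt)  # one PBKDF2 per attempt, whatever the outcome
        for rec in self.records:
            if not rec["used"] and hmac.compare_digest(candidate, rec["hash"]):
                rec["used"] = True
                return True
        return False

    def remaining(self) -> int:
        return sum(1 for r in self.records if not r["used"])


if __name__ == "__main__":
    issued = generate_backup_codes()       # shown to the user exactly once, then discarded
    store = BackupCodeStore(issued)        # only this survives on the server
    print(store.redeem(issued[0]), store.redeem(issued[0]), store.remaining())  # True False 9
```

Because the server stores hashes, a leaked user table still leaves the attacker guessing a 50-bit code through a rate-limited login form; the real risk is the plaintext list on the user's side, which is why the page's advice to store it securely matters.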

How can we protect ourselves?

With massive breaches of hugely popular companies recorded every month, 2FA is fast becoming standard procedure. And even though there are ways around 2FA, it is still far safer than the old username-and-password combination alone: to bypass it, an attacker must compromise two factors rather than one.

  • Pay attention to emails saying your account was used from a new or unknown device, and check whether that was really you. Also watch for other obvious red flags, such as notifications of failed login attempts or password-reset requests you did not make.
  • If you have a Facebook account, check under Settings > Apps and Websites that everything listed there was connected by you and should still be there.
  • If you can choose your authentication method, research its known weaknesses (for example, prefer an authenticator app or hardware key over SMS) and apply those lessons.