Is two-factor authentication (2FA) as secure as it seems?
Two-factor authentication (2FA) was invented to add an extra layer of security to the—now considered old-fashioned and insecure—simple login procedure of entering a username and password.
One of the most well-known examples of 2FA is when you try to log into a familiar website from a different machine or from a different location, which results in a different IP address. With 2FA-enabled login procedures, you will first enter your username and password on the computer and then receive a text message on your phone providing you with a verification code. You must enter that verification code on the computer to complete the login procedure.
Explaining the different factors
Two-factor authentication is a less-complex version of multi-factor authentication (MFA), which simply uses more factors to determine the authenticity of a login. So what are these factors? There are three main categories of possible factors in a multi-factor authentication setup. Let’s have a look at the possibilities.
Something you know
The “something you know” category is the factor we are most familiar with. It requires a person to enter information that they know in order to gain access to their account. The combination of a username and a password is the prime example, but things like security questions used by your bank fall in this category.
Something you have
Receiving a verification code like the one we mentioned earlier means that the procedure you are using relies on the “something you have” factor of two- or multi-factor authentication. Something you have can be a separate email account or a phone to which a verification code can be sent, but there are also specialized hardware solutions like the YubiKey that fall into this category.
Something you are
The “something you are” category is still in development, but it centers on certain physical markers that can be analyzed by technology, or biometrics, to prove your identity. These biometrics include:
- Retina scan
- Voice recognition
- Face identification
Most of these methods still need to be made trustworthy enough for everyday use, though industries for which security is imperative have started adopting them, including healthcare institutions, banks, and mobile phone manufacturers.
Many of these methods, once fully realized, would be quite difficult for cybercriminals to defeat. However, most of them are still too expensive to implement or simply too bulky to fit in our phones.
How is 2FA vulnerable to attack?
Despite the best of intentions—to protect people’s data by making it much harder to access for criminals—two-factor (and multi-factor) authentication can still be made vulnerable. How? Criminals bypass it by already being in possession of a factor of authentication, or they brute force their way in, or they use that one evil tool that no technology can protect against: social engineering.
Here are the most common ways 2FA is being abused:
Phishing can be used to lure victims to a fake login page. When the victim enters his credentials, the attacker forwards these to the real login page, thus triggering the 2FA procedure that prompts the victim for the numerical code that was texted or mailed to him, or in some cases produced by an authenticator app. The attacker catches this code again on the fake login page the victim is still using and now has a complete authentication set. Obviously, due to the limited validity of the numerical code, the attacker will have to be fast. But once he does successfully log in, there is nothing stopping him from changing the phone number the next code will be sent to—or anything else in the account he wants.
Some authentication procedures can be bypassed by performing a “lost password” procedure if the attacker is in possession of the “something you have” item. For example, let’s say the attacker gained access to the victim’s email account, and a verification link for a certain login was sent to that account. In such a case, the attacker could use the “forgot password” link on the website and use the following email interaction to change the password to something he knows.
Some 2FA tokens are so short and limited in characters that they are easily obtainable by brute force. Unless there are fail-safes in place, a four-digit token is quite useless if the attacker has the time to apply brute force. Tokens that have a limited validity in time (TOTP) offer better protection against this type of attack.
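The two properties the paragraph above asks for, a token that expires with its time step and a server that refuses to be brute-forced, are what RFC 4226 (HOTP) and RFC 6238 (TOTP) plus a few server-side fail-safes give you. The following is an added example written for this article, not code from the original post or from any vendor: a minimal HOTP/TOTP generator, a verifier that enforces one-time use, a small clock-drift window and a lockout after repeated failures, and a helper that shows why a four-digit token without such fail-safes is so weak. The secret is the RFC test-vector key; the attempt and lockout numbers are illustrative assumptions.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) using HMAC-SHA1 as in the RFC."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    return hotp(secret, unix_time // step, digits)


def guess_probability(digits: int, attempts: int) -> float:
    """Chance that an attacker guesses one fixed code in `attempts` tries.
    With no rate limit, 3000 tries against a 4-digit code is already a 30% chance."""
    return min(1.0, attempts / (10 ** digits))


class TotpVerifier:
    """Server-side check with the fail-safes the text calls for:
    - a code is accepted only for its own time step (plus `drift_steps` of clock skew),
    - every code is accepted at most once (no replay of a captured code),
    - after `max_failures` wrong guesses the account is locked for `lockout_seconds`.
    Per-account state is kept in memory here; a real service would store it."""

    def __init__(self, secret: bytes, digits: int = 6, step: int = 30,
                 max_failures: int = 5, lockout_seconds: int = 300, drift_steps: int = 1):
        self.secret, self.digits, self.step = secret, digits, step
        self.max_failures, self.lockout_seconds = max_failures, lockout_seconds
        self.drift_steps = drift_steps
        self.failures = 0
        self.locked_until = 0
        self.last_used_step = -1     # highest time step whose code has already been consumed

    def verify(self, submitted: str, now: int) -> bool:
        if now < self.locked_until:
            return False              # locked: do not even evaluate the code
        well_formed = submitted.isdigit() and len(submitted) == self.digits
        if well_formed:
            current = now // self.step
            for delta in range(-self.drift_steps, self.drift_steps + 1):
                step = current + delta
                if step <= self.last_used_step:
                    continue          # already used (or older than a used one): reject replays
                expected = hotp(self.secret, step, self.digits)
                if hmac.compare_digest(expected, submitted):   # constant-time compare
                    self.last_used_step = step
                    self.failures = 0
                    return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked_until = now + self.lockout_seconds
            self.failures = 0
        return False


if __name__ == "__main__":
    SECRET = b"12345678901234567890"            # RFC 4226 / RFC 6238 test-vector key
    print("TOTP at t=59:", totp(SECRET, 59))    # 287082 per RFC 6238
    v = TotpVerifier(SECRET)
    code = totp(SECRET, 59)
    print("first use accepted:", v.verify(code, 59))
    print("replay accepted:", v.verify(code, 59))
    print("4-digit code, 3000 guesses:", guess_probability(4, 3000))
```

The verifier never compares a submitted code against anything it has already accepted, so a code captured by a phishing page (as described above) cannot be replayed after the legitimate user has used it, and the lockout caps how many of the 10^digits possibilities an attacker can try per window; the drift window is deliberately small because every extra step a server accepts multiplies the attacker's odds.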
On some login processes, the user is offered the option to log in using a third-party account and using this option bypasses the 2FA procedure. The best-known example is the “login with your Facebook account” that is used for certain sites and applications. In such a case, an attacker can take over other accounts once they know your Facebook credentials. (Which is why we recommend you don’t sign on using third parties unless absolutely necessary.)
How can we protect ourselves?
With massive data breaches at hugely popular companies recorded each month, 2FA is fast becoming standard procedure. And even though there are ways to get around 2FA, it is still safer than just using the old-fashioned username and password combo. To bypass 2FA, the attacker still has to break two authentication steps instead of one for a username and password alone.
So how can we do our part to keep criminals away from 2FA? Follow these steps to keep your personal information secure:
- Pay attention to emails telling you that an account was used from a new or unknown device, and check if that was really you. Also, pay attention to other obvious red flags like emails notifying you of failed login attempts or password reset requests that didn’t come from you.
- If you have a Facebook account, check under Settings > Apps and Websites whether everything listed there was used by you and whether it should be there. Also, keep in mind that a “disabled” Facebook account can be resurrected when you use the “login with your Facebook account” option somewhere.
- If you have a choice in authentication procedures, do some research into known vulnerabilities and apply those lessons. For example, weak token algorithms can be used by an attacker to predict the next token if they can see the previous ones. Or using short tokens without a limited validity can leave you open to attack. The lesson: use strong token algorithms.
- Train yourself and your staff on recognizing phishing attempts.
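The first item in the list above, watching for logins from new devices, failed-login bursts and password resets you did not request, is something a service operator can automate on the server side. The script below is an added example written for this article, not code from the original post or from any product: it parses a few constructed authentication-event lines (the users, devices and IP addresses are made up) and raises the alerts a defender would want, including the pattern the phishing section describes, where a login from an unrecognised device is followed within minutes by a change of the 2FA phone number. The event names, the 15-minute takeover window and the five-failures-in-two-minutes threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): timestamp, user, event, key=value fields.
SAMPLE_LOG = """\
2024-05-01T10:00:05Z alice login_success ip=198.51.100.4 device=dev-laptop-1
2024-05-01T10:02:10Z alice login_success ip=203.0.113.7 device=dev-unknown-9
2024-05-01T10:06:30Z alice mfa_phone_changed ip=203.0.113.7 device=dev-unknown-9
2024-05-01T11:00:00Z bob login_failure ip=203.0.113.8 device=dev-x
2024-05-01T11:00:10Z bob login_failure ip=203.0.113.8 device=dev-x
2024-05-01T11:00:20Z bob login_failure ip=203.0.113.8 device=dev-x
2024-05-01T11:00:30Z bob login_failure ip=203.0.113.8 device=dev-x
2024-05-01T11:00:40Z bob login_failure ip=203.0.113.8 device=dev-x
2024-05-01T12:00:00Z carol password_reset_requested ip=192.0.2.55 device=dev-y
2024-05-01T13:00:00Z dave login_success ip=198.51.100.9 device=dev-phone-2
2024-05-01T13:20:00Z dave mfa_phone_changed ip=198.51.100.9 device=dev-phone-2
"""

# Devices each user has previously logged in from (constructed baseline).
KNOWN_DEVICES = {
    "alice": {"dev-laptop-1"},
    "bob": {"dev-bob-1"},
    "carol": {"dev-c"},
    "dave": {"dev-phone-2"},
}

# Changes to a "something you have" factor or to a recovery channel.
FACTOR_CHANGE_EVENTS = {"mfa_phone_changed", "recovery_email_changed"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(.*)$")


def parse_line(line: str):
    """Turn one event line into a dict; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, event, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "event": event, **fields}


def analyze(log_text: str, known_devices: dict,
            takeover_window=timedelta(minutes=15),
            burst_threshold: int = 5, burst_window=timedelta(minutes=2)):
    """Return (severity, user, message) alerts for the suspicious patterns."""
    alerts = []
    known = {u: set(d) for u, d in known_devices.items()}
    new_device_login = {}              # user -> time of latest login from an unknown device
    failures = defaultdict(deque)      # user -> timestamps of recent failed logins
    succeeded_ips = defaultdict(set)   # user -> IPs that have completed a login

    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        user, ts, event = ev["user"], ev["ts"], ev["event"]

        if event == "login_success":
            succeeded_ips[user].add(ev["ip"])
            if ev["device"] not in known.setdefault(user, set()):
                # The "was this really you?" case from the list above.
                alerts.append(("INFO", user,
                               f"login from unrecognised device {ev['device']} at {ev['ip']}"))
                new_device_login[user] = ts
                known[user].add(ev["device"])

        elif event in FACTOR_CHANGE_EVENTS:
            # A factor change shortly after a new-device login is the takeover signature.
            last = new_device_login.get(user)
            if last is not None and ts - last <= takeover_window:
                minutes = int((ts - last).total_seconds() // 60)
                alerts.append(("HIGH", user,
                               f"{event} {minutes} min after new-device login: possible 2FA takeover"))

        elif event == "login_failure":
            q = failures[user]
            q.append(ts)
            while q and ts - q[0] > burst_window:
                q.popleft()                        # keep only failures inside the window
            if len(q) == burst_threshold:          # fire once, when the threshold is reached
                alerts.append(("MEDIUM", user,
                               f"{burst_threshold} failed logins within {burst_window}"))

        elif event == "password_reset_requested":
            if ev["ip"] not in succeeded_ips[user]:
                alerts.append(("MEDIUM", user,
                               f"password reset requested from {ev['ip']}, "
                               "an address with no prior successful login"))
    return alerts


if __name__ == "__main__":
    for severity, user, msg in analyze(SAMPLE_LOG, KNOWN_DEVICES):
        print(f"[{severity}] {user}: {msg}")
```

On the sample data this yields four alerts: an informational new-device login for alice, a high-severity alert when her 2FA phone number is changed four minutes later, a failed-login burst for bob, and a password reset for carol from an address that has never completed a login. dave's phone-number change raises nothing because it came from a device he has used before; that is the distinction that keeps this kind of rule from paging on routine changes.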
If 2FA is still vulnerable, you might be asking, “Then why not use multi-factor authentication?” The sad truth is that even multi-factor authentication has its workarounds. The methods for “something you are” authentication being used on our devices right now are still pretty easy to get around—it doesn’t take a genius hacker to trip up voice recognition.
But the industry is learning rapidly as it moves forward. For example, the use of two high-definition cameras spaced apart made the iPhone X a lot better at face recognition than some of the older iPhone models. As more secure and robust versions of multi-factor authentication become available, the hope remains that someday it will be nearly impossible to dupe.