A few weeks ago we talked about the necessary evil that is passwords; today we will tackle two-factor authentication. More and more websites, especially those run by large banks, are requiring two-factor authentication (2FA). Other websites, such as Twitter and Google, also offer opt-in 2FA for users who want increased security.
With 2FA you enter your username and password as usual, and then, before you reach your account, there is an extra step: you answer a personal question, type in a number sent to your phone, or perhaps scan your fingerprint.
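To make the "number sent to your phone" step concrete, here is an added example of the server side of that second step. It is not code from the original post; the class, constant and function names are hypothetical, and the five-minute lifetime and three-guess limit are assumed values. The SMS delivery itself is out of scope and is replaced by returning the code to the caller. What it shows is the handful of properties a second-factor check needs that a plain password check does not: a freshly generated random code, a short lifetime, single use, a cap on guesses, and a comparison that does not leak timing.

```python
"""Minimal model of an SMS-style one-time-code second factor (illustrative, hypothetical names)."""
import hmac
import secrets
import time
from dataclasses import dataclass, field

CODE_DIGITS = 6
CODE_LIFETIME_SECONDS = 300   # assumption: codes are valid for five minutes
MAX_ATTEMPTS = 3              # assumption: a code is void after three wrong guesses


@dataclass
class Challenge:
    """One outstanding code for one user."""
    code: str
    issued_at: float
    attempts: int = 0
    used: bool = False


@dataclass
class SecondFactorVerifier:
    """Issues and checks one-time codes, keyed by user id.

    `clock` is injectable so callers (and tests) can control time;
    the default is the real wall clock.
    """
    clock: callable = time.time
    pending: dict = field(default_factory=dict)

    def issue(self, user_id: str) -> str:
        """Create a fresh code for this user, replacing any outstanding one.

        Returns the code so the caller can hand it to the SMS gateway;
        in this example nothing is actually sent.
        """
        # secrets.randbelow is a CSPRNG; zero-pad so the code always has CODE_DIGITS digits.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[user_id] = Challenge(code=code, issued_at=self.clock())
        return code

    def verify(self, user_id: str, submitted: str) -> bool:
        """Return True only for the current, unexpired, unused code for this user."""
        ch = self.pending.get(user_id)
        if ch is None or ch.used:
            return False                          # nothing outstanding, or replay of a used code
        if self.clock() - ch.issued_at > CODE_LIFETIME_SECONDS:
            del self.pending[user_id]
            return False                          # expired: the user must request a new code
        if ch.attempts >= MAX_ATTEMPTS:
            del self.pending[user_id]
            return False                          # too many guesses: void the code
        ch.attempts += 1
        if hmac.compare_digest(submitted, ch.code):   # constant-time comparison
            ch.used = True                        # single use
            return True
        return False


if __name__ == "__main__":
    verifier = SecondFactorVerifier()
    code = verifier.issue("alice")
    print("code that would be sent to the phone (constructed demo):", code)
    print("correct code accepted:", verifier.verify("alice", code))
    print("replay of the same code rejected:", verifier.verify("alice", code))
```

The guess limit is what keeps a six-digit code meaningful: without it, a million possibilities is a small space for an automated attacker, and the short lifetime is what limits how long an intercepted code stays useful.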
This is a very effective way to increase peace of mind, and should be de rigueur for all data-sensitive websites, even in corporate and business networks. Let's face it, there are myriad ways hackers can get your password. Social engineering, brute-force attacks, or finding it stored in a file on your company's network are just a few of the ways you can be breached.
The best thing about 2FA is that it is actually easy. Complex passwords can be hard to remember, but how hard is it to remember your childhood dog's name or a 6-digit number you received, there and then, on your phone? With biometric capabilities on mobile phones, 2FA is also increasingly relying on things like fingerprint recognition, the ultimate security method.
2FA: good but not perfect
You may have come across 2FA when setting up an iPhone or a Facebook account, or even when posting a Craigslist ad, where you confirm your identity by responding to an SMS message. Many seem to think the extra step makes it hard to use, but personally I haven't found this to be a problem at all, and I welcome the second step, which I usually find to be pretty simple.
As good as 2FA sounds, however, there is still a chance that it can be hacked. So how is 2FA compromised? The hacker has to gain access to your private information, for example by researching your mother's maiden name, or take over the tokens used to drive the second level of authentication. Malware and phishing are two techniques that are adept at capturing passwords, but they can also compromise the second layer of defense.
Many systems can be compromised by resetting the password. When you forget your password, a new one (or a reset link) is sent to your email address. So if the hacker has access to your primary email, or to your secondary email when it is your primary email they are after, your account can be breached if that email account isn't as well protected. A hacker who gets that recovery email has only one layer of authentication left to go through, if that.
The phone/SMS form of authentication can also be turned off by a clever hacker. They can call the phone company pretending to be you and ask for your calls to be forwarded to them; they can even get into your voicemail while you're sleeping and pick up the 2FA code that way.
This form of 2FA can be vulnerable because it is so easy to lose passwords and passcodes, and service providers want to restore your access fast, even if it means removing the second factor. Once again it is social engineering that comes into play: a customer service agent is tricked into giving up the code on the strength of a few bits of personal data.
We need more and better 2FA
Two-factor authentication should be far more common. And stronger. And easier to use. But we also need to take these measures more seriously. Choosing passwords carefully, and adding a bit of complexity, is still very important. Don't choose "things you know" that can be easily guessed by others. Be on guard against social engineering, and never disclose passwords or second-factor codes to anyone, even if they sound like they are calling or emailing from IT.
Phishing is another danger. Don't respond to queries that seem to come from your bank or PayPal. If you have a concern, call them or go directly to their website rather than following a link. So turn on 2FA wherever it is available and, most importantly, use common sense and caution.