When it was first introduced, two-factor authentication revolutionized account security and made identity theft much harder, at the small cost of a little extra friction at login.
But it's not perfect, and it hasn't solved all of our hacking and data theft problems. Recent news has shown how attackers bypass two-factor authentication, and it has eroded some of the trust placed in it.
Two-factor authentication adds an extra layer of security to the sign-in process for devices and services. Previously, logins relied on a single factor, typically a password, or a biometric such as a fingerprint scan or Face ID, occasionally supplemented with security questions. That provided some security, but it was far from perfect, especially with weak or reused passwords, or when a service's login database is breached and the credentials start showing up on the dark web.
Two-factor authentication addresses this by requiring a second factor: something you have, in addition to something you know, so that a password alone is no longer enough to prove it is really you. Usually that means a code delivered through a second channel, such as a text message or an email from the service, which you then have to type in.
Some services use time-based codes (TOTP, Time-based One-Time Password), where an authenticator app and the server derive the same six-digit code from a shared secret and the current 30-second window. Others use counter-based codes (HOTP, HMAC-based One-Time Password), where the shared secret is combined with a counter that advances every time a code is used, so each code is valid only once. In both schemes the secret stays on the device; nothing crosses the network at login except the short code. Some commercial deployments go further and require a physical security key that you have to have on hand.
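As an added illustration (not code from the article or from any of the vendors it mentions), here is a minimal implementation of both schemes in Python using only the standard library, checked against the test vectors published in RFC 4226 and RFC 6238. The secret, step size and digit count are the RFC defaults; the `verify_totp` helper and its clock-skew window are an assumption about what a server-side check looks like, not something the article describes.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """HMAC-based one-time password (RFC 4226).

    The shared secret and an 8-byte big-endian counter go through HMAC; a 31-bit
    value is extracted by "dynamic truncation" and reduced to `digits` decimal digits.
    """
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, algorithm).digest()
    offset = digest[-1] & 0x0F                       # low nibble of last byte picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: Optional[float] = None, step: int = 30,
         digits: int = 6, algorithm=hashlib.sha1) -> str:
    """Time-based one-time password (RFC 6238): HOTP with counter = floor(time / step)."""
    if timestamp is None:
        timestamp = time.time()
    return hotp(secret, int(timestamp // step), digits, algorithm)


def verify_totp(secret: bytes, submitted: str, timestamp: Optional[float] = None,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Server-side check (assumed design): accept the current step and +/- `window`
    neighbouring steps to tolerate clock skew. Keep the window small, and compare in
    constant time so the check does not leak how many digits matched.
    """
    if timestamp is None:
        timestamp = time.time()
    counter = int(timestamp // step)
    return any(
        hmac.compare_digest(hotp(secret, counter + delta, digits), submitted)
        for delta in range(-window, window + 1)
    )


# Test secret from RFC 4226 / RFC 6238 (the ASCII string "12345678901234567890").
# Real secrets must be random; they are usually handed to the app base32-encoded in a QR code.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("HOTP for counters 0..2:", [hotp(RFC_SECRET, c) for c in range(3)])
    print("TOTP at t=59, 8 digits:", totp(RFC_SECRET, 59, digits=8))
    print("TOTP right now:", totp(RFC_SECRET))
```

The 8-digit TOTP at t=59 ends in the same six digits as HOTP for counter 1, which is exactly the relationship the two RFCs define: TOTP is HOTP with the counter replaced by the number of 30-second steps since the epoch.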
The feature has become so common that you're probably used to seeing messages like "We've sent you an email with a secure code to enter; please check your spam folder if you haven't received it." It's the norm on newer devices and services, and while it takes a bit of time, it's a huge leap in security compared to single-factor logins. But there are some flaws.
A recent report from cybersecurity company Sophos details a surprisingly simple way attackers bypass two-factor authentication: cookies. Once you complete a login, second factor included, the site sets a session cookie in your browser so you aren't asked to log in again on every request. That cookie is a bearer token: whoever presents it is treated as you. Malware known as a "cookie stealer" copies these cookies out of the browser's profile, and an attacker who loads a stolen cookie into their own browser walks straight into the session with no password and no second factor, gaining access to the web service, email account, or files behind it.
How do criminals obtain these cookies? Sophos points to the Emotet botnet, which among other things steals cookie data from Google Chrome profiles. Stolen cookies are also sold on underground marketplaces, as in the recent EA breach, where the login material used against the company turned up on a marketplace called Genesis. The result was 780 gigabytes of stolen data that was used to try to extort money from the company.
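To make the bypass concrete, here is an added example (not code from the article, from Sophos, or from any real site) of a toy server-side session store. The `Session` fields, the policy names `bearer` and `hardened`, the fingerprint strings and the timestamps are all assumptions for the demo. The `bearer` policy is how most sites behave: the cookie alone proves identity, so a copied cookie replays perfectly. The `hardened` policy shows the mitigations that limit the damage from a stolen cookie: a bounded session lifetime, revocation when the cookie shows up from an unexpected client, and a fresh second-factor prompt before sensitive actions.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    """Assumed server-side session record, keyed by the random cookie value."""
    user: str
    fingerprint: str   # hash of client attributes (User-Agent, network) seen at login
    issued_at: float
    mfa_at: float      # last time the second factor was verified for this session


class SessionStore:
    def __init__(self, max_age: int = 8 * 3600, step_up_age: int = 300):
        self.sessions = {}
        self.max_age = max_age            # absolute session lifetime in seconds
        self.step_up_age = step_up_age    # max age of the last MFA check for sensitive actions

    def login(self, user: str, password_ok: bool, otp_ok: bool,
              fingerprint: str, now: float):
        """Both factors are checked once; the reward is a cookie value (the session id)."""
        if not (password_ok and otp_ok):
            return None
        sid = secrets.token_urlsafe(32)   # 256 random bits; this string is what the cookie carries
        self.sessions[sid] = Session(user, fingerprint, now, now)
        return sid

    def bearer(self, sid: str, fingerprint: str, now: float, sensitive: bool = False) -> str:
        """Naive policy: whoever presents a known cookie is the user. The second factor
        was checked at login and never again, so a stolen cookie skips it entirely.
        (fingerprint, now and sensitive are deliberately ignored.)"""
        return "ok" if sid in self.sessions else "denied"

    def hardened(self, sid: str, fingerprint: str, now: float, sensitive: bool = False) -> str:
        """Mitigating policy: returns 'ok', 'denied', or 'reauth' (ask for the OTP again)."""
        s = self.sessions.get(sid)
        if s is None or now - s.issued_at > self.max_age:
            self.sessions.pop(sid, None)
            return "denied"
        if fingerprint != s.fingerprint:
            # Cookie reused from an unexpected client: treat it as compromised and revoke.
            # This is a heuristic; attackers can copy a User-Agent and users change networks.
            del self.sessions[sid]
            return "denied"
        if sensitive and now - s.mfa_at > self.step_up_age:
            return "reauth"
        return "ok"

    def step_up(self, sid: str, otp_ok: bool, now: float) -> bool:
        """Refresh the MFA timestamp after the user re-enters a valid code."""
        s = self.sessions.get(sid)
        if s is None or not otp_ok:
            return False
        s.mfa_at = now
        return True


def demo() -> dict:
    """Walk through a login, a legitimate session, and a replay of the stolen cookie."""
    store = SessionStore()
    t0 = 1_700_000_000                      # constructed timestamp
    victim_fp, attacker_fp = "fp-victim-laptop", "fp-attacker-box"
    results = {}
    results["login_without_otp"] = store.login("alice", True, False, victim_fp, t0) is None
    sid = store.login("alice", True, True, victim_fp, t0)

    results["victim_normal"] = store.hardened(sid, victim_fp, t0 + 60)
    results["victim_sensitive_stale"] = store.hardened(sid, victim_fp, t0 + 3600, sensitive=True)
    results["step_up"] = store.step_up(sid, True, t0 + 3600)
    results["victim_sensitive_fresh"] = store.hardened(sid, victim_fp, t0 + 3620, sensitive=True)

    # Infostealer malware copied the cookie; the attacker replays it from another machine.
    results["bearer_attacker"] = store.bearer(sid, attacker_fp, t0 + 7200, sensitive=True)
    results["hardened_attacker"] = store.hardened(sid, attacker_fp, t0 + 7200, sensitive=True)
    # Revocation cuts off the victim too, which is the intended trade-off.
    results["victim_after_revoke"] = store.hardened(sid, victim_fp, t0 + 7260)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:24} {value}")
```

None of these mitigations remove the root cause: a session cookie is a bearer credential, and as long as malware can read the browser profile it can be copied. Client binding only raises the bar, so a site that revokes on mismatch should also notify the real user that their session was reused.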
While that's a high-profile case, the underlying method is widely available, and it shows that two-factor authentication is far from a silver bullet. Beyond cookie theft, a number of other weaknesses have been identified over the years:
- If an attacker has your username and password for one service, they may also have access to your email (especially if you reuse the password) or to your phone number. That's a particular problem for SMS-based two-factor authentication: phone numbers are easy to find, and with a "SIM swap", an attacker who convinces or bribes your carrier to move your number onto a SIM they control receives your text codes directly. It takes more work, but a determined attacker still has a clear path forward.
- Dedicated authenticator apps, such as Google Authenticator or Duo, are considerably more secure because the code never travels through the phone network, but adoption is low. People don't want to install another app for a single service, and organizations find it much easier to ask "Email or text?" than to require customers to set up a third-party app. In other words, the better forms of two-factor authentication aren't really being used.
- Sometimes passwords are too easy to reset. Identity thieves may collect enough personal information about an account holder to call customer service, or find other ways to request a new password through the account recovery flow. Recovery often bypasses two-factor authentication entirely, and when it works it gives thieves direct access to the account.
- The weakest forms of two-factor authentication offer little protection against nation-states. Governments have tools that counter two-factor authentication, including monitoring SMS traffic, coercing wireless carriers, and intercepting authentication codes in other ways. That's bad news for people who need to keep their data private from authoritarian regimes.
- Many data theft schemes bypass two-factor authentication altogether by tricking the human. Consider the phishing messages pretending to be from banks, government agencies, Internet providers and so on, asking for account details. They can look very convincing and may say something like "We need the authentication code we just sent you so we can confirm that you are the account holder." A fake login page can also relay your password and code to the real site as you type them, so even a code from an authenticator app can be phished as long as it is still valid.
Should you still use it? Absolutely. In fact, you should review your services and devices and enable two-factor authentication wherever it's available. It offers significantly better protection against identity theft than a username and password alone.
Even SMS-based two-factor authentication is much better than none at all. The National Institute of Standards and Technology proposed deprecating SMS for this purpose in a 2016 draft of its digital identity guidelines, then backed off in the final 2017 version and kept it as a permitted, if "restricted", option, because despite its flaws it was still worth having.
When possible, choose an authentication method that doesn't rely on text messages and you'll have a better form of security. Keep your passwords safe too, and use a password manager to generate and store a unique password for every service if you can.
Moving away from SMS-based authentication is the current big project. Two-factor authentication may consolidate onto a handful of third-party apps like Duo, which eliminate many of the weaknesses of delivering codes over the phone network. Higher-risk fields will move to MFA, or multi-factor authentication, which adds a further requirement such as a fingerprint. Note that security questions don't count as an additional factor: like a password, they are something you know, and the same information that lets a thief reset your password usually lets them answer the questions too.
But the best way to eliminate the remaining problems is to introduce a physical, hardware-based factor. A hardware security key signs a challenge that includes the website's identity, so a phishing page on a look-alike domain gets nothing it can replay, and there is no code for a person to be tricked into reading out. Businesses and government agencies are already starting to require hardware keys for certain levels of access. In the near future, there's a good chance we'll all carry personal authentication keys in our wallets, ready to tap against our devices when logging into services. It may sound strange now, but with the sharp rise in cyberattacks, it may end up being the most elegant solution.