2FA Isn’t a Magic Bullet


March 1, 2023

Let’s get this out of the way first: two factor authentication is an effective method of account authentication and far, far better than a simple username and password (single factor) login. But it isn’t a magic bullet and can be overcome, especially with clever social engineering (unsurprisingly, the weakest link in security remains people rather than technology). Ultimately, 2FA is only as secure as the channel that delivers the second factor and the process that surrounds it.

Here’s how 2FA can be overcome by determined hackers and how you can best maintain account integrity across your organization or personal accounts.


What is two factor authentication?

Two factor authentication, or 2FA, requires an additional step when logging in or changing account configuration in an application or service. The two factors are drawn from different categories: something you know (password, PIN, unlock pattern), something you have in your possession (ATM card, phone, hardware fob, a device that receives a verification code), or something you are (biometrics). A username is an identifier, not a factor, and a password plus a PIN is still only one category, so it doesn’t count as a second factor.

The most common (and potentially most problematic) form of this is an SMS text message sent to the account owner’s mobile device, which is registered during account setup.

That text message will contain a unique code that is then entered on the service login or confirmation page to confirm it is the account owner making the request, and not just some hacker who got ahold of the password.

Even simpler 2FA might send a confirmation email to the account owner’s address, asking if the change is legitimate. This is probably the least secure method, because an attacker who gets into the email account gets the second factor and the password-reset channel at the same time, and with them every associated account or application.

The most secure methods of 2FA use a separate hardware device to provide the second factor, like an RSA SecurID token, which displays a new one-time code at fixed intervals, or a FIDO security key such as Google’s Titan key, which must be plugged into (or tapped against) the device that is attempting to log in and signs a challenge tied to the site being visited.

In between these two methods (text/email and hardware) are third party applications that you can install on your smartphone, allowing confirmation that you are the account owner, as you should be the only one in possession of that device. Two examples are Duo and Google Authenticator; these either generate time-based one-time codes from a secret shared at enrollment or send a push prompt to the phone. Some services also keep a credential in the user’s browser or device and combine it with signals such as location, behavior, and device fingerprint to decide whether to prompt for a second factor at all.


2FA Difficulties

Implementing 2FA can be tricky. Which method do you use? The most secure modes can be cost-prohibitive, as a hardware key can run $20 or more per user; with a subscription fee of $1 - $5 per user per month.

Suddenly requiring 2FA can lead to problems with a public-facing service, as users are likely to shun your security in favor of simpler options (the public doesn’t always know what’s best for them, and more frequently defers to ease of use). In a private system, your help queues are likely to get bogged down for the first few weeks of 2FA requirements as users adjust. And if you only offer 2FA as an option, users are highly likely to choose the less secure single factor, once again due to ease of use.

Authentication prompts should also be very obvious and apparent about what is being approved (which service, which action, from which device or location), lest a user inadvertently approve a change request or transaction without realizing it has come from an unauthorized third party. A bare “Approve / Deny” push notification is easy to tap through by reflex; a prompt that shows the request details, or asks the user to enter a number displayed on the login screen, is much harder to approve by accident.


SMS is especially troublesome as it can be intercepted in transit (yes, this really happens, for example through the SS7 signalling network that carriers use to route messages, even though it is likely to be a fringe situation) or taken advantage of via social engineering. In one highly publicized example, a hacker got AT&T to issue a new SIM card for a customer’s number, which the hacker then used to reset a PayPal password via SMS and withdraw funds from the victim’s account. This “SIM swap” happens across all carriers with some regularity, as attackers call in to request access and the carrier customer support provides it without properly verifying identity.

In 2016, Russian hackers are believed to have used relatively simple spoofed emails and credential harvesting websites in a spear phishing campaign targeting voting machine companies. The harvesting site bypassed 2FA by relaying the victim’s password to the legitimate Google login in real time, which caused Google to send a verification code to the victim’s phone; the fake site then asked the victim to re-enter their phone number AND that verification code, and the attacker forwarded it to Google before it expired. It was shockingly effective, and it works against any second factor that is just a code the user types in, because nothing ties the code to the site the user is actually looking at.
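To make the two points above concrete (how an authenticator app such as Google Authenticator derives its codes, and why a code relayed through a phishing page still verifies while an origin-bound security key response does not), here is an added example in Python. It is not code from the original post or from any of the products named. The TOTP routine is the real RFC 6238 algorithm and uses that RFC’s published test secret; the “security key” is a simplified stand-in that uses an HMAC over the challenge and origin in place of the ECDSA signature a FIDO authenticator would produce, and the origins, password and device secret are constructed for the demo.

```python
"""Added example: TOTP per RFC 6238, a phishing relay against it, and an
origin-bound challenge that the same relay cannot forward.

Assumptions (not from the original post): hypothetical origins, a demo
password, and an HMAC-based stand-in for a FIDO key's signature.
"""
import hashlib
import hmac
import os
import struct

REAL_ORIGIN = "https://accounts.example"        # hypothetical legitimate site
PHISH_ORIGIN = "https://accounts.example.evil"  # hypothetical look-alike site

RFC6238_SECRET = b"12345678901234567890"  # test secret from RFC 4226 / RFC 6238


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 + dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP over the number of 30-second steps."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Accept the current step plus +/- `window` steps to tolerate clock skew."""
    return any(
        hmac.compare_digest(totp(secret, at + d * step, step, digits), code)
        for d in range(-window, window + 1)
    )


def key_sign(device_secret: bytes, challenge: bytes, origin: str) -> bytes:
    """Stand-in for a security key: the response binds the origin the browser
    saw, so a response produced on a phishing page is not valid for the real
    site. (A real FIDO key signs this with a per-site private key.)"""
    return hmac.new(device_secret, challenge + origin.encode(), hashlib.sha256).digest()


class Server:
    """Constructed demo service with one user enrolled in both TOTP and a key."""

    def __init__(self) -> None:
        self.password = "correct horse"          # demo value
        self.totp_secret = RFC6238_SECRET
        self.device_secret = b"demo-device-secret"  # stands in for the key's public key
        self.challenges: set[bytes] = set()

    def login_totp(self, password: str, code: str, now: int) -> bool:
        return password == self.password and verify_totp(self.totp_secret, code, now)

    def new_challenge(self) -> bytes:
        challenge = os.urandom(16)
        self.challenges.add(challenge)
        return challenge

    def login_key(self, password: str, challenge: bytes, response: bytes) -> bool:
        if password != self.password or challenge not in self.challenges:
            return False
        self.challenges.discard(challenge)  # single use, success or not
        expected = key_sign(self.device_secret, challenge, REAL_ORIGIN)
        return hmac.compare_digest(expected, response)


def relay_totp_attack(server: Server, now: int) -> bool:
    """Victim types password and the code from their app into the phishing page;
    the attacker forwards both to the real site within the validity window."""
    code_on_victims_phone = totp(server.totp_secret, now)
    return server.login_totp("correct horse", code_on_victims_phone, now)


def relay_key_attack(server: Server) -> bool:
    """Attacker fetches a real challenge and relays it to the phishing page. The
    victim's key answers for the origin it actually sees (the phishing site),
    so the relayed response fails verification at the real origin."""
    challenge = server.new_challenge()
    phished_response = key_sign(server.device_secret, challenge, PHISH_ORIGIN)
    return server.login_key("correct horse", challenge, phished_response)


def legitimate_key_login(server: Server) -> bool:
    """The same key used directly on the real site succeeds."""
    challenge = server.new_challenge()
    response = key_sign(server.device_secret, challenge, REAL_ORIGIN)
    return server.login_key("correct horse", challenge, response)


if __name__ == "__main__":
    s = Server()
    print("TOTP at t=59 (RFC 6238 vector):", totp(RFC6238_SECRET, 59))
    print("relayed TOTP accepted:", relay_totp_attack(s, 59))
    print("relayed key response accepted:", relay_key_attack(s))
    print("legitimate key login accepted:", legitimate_key_login(s))
```

The lesson is in the last two calls: the relayed TOTP is accepted because the server only checks that the six digits match, while the relayed key response is rejected because the origin is part of what was signed. That origin binding, not the hardware itself, is what makes FIDO keys resistant to the kind of proxying phishing described above.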

Finally, hardware solutions can be misplaced or stolen. A lost security key or phone doesn’t hand over an account by itself, since the attacker still needs the first factor, but if the device is unlocked and holds the password manager, or the password has already been phished, gaining access to your 2FA secured accounts becomes simple. Treat a lost token like a lost password: revoke it from every account it was enrolled with, and keep a backup method (a second key or stored recovery codes) so the revocation doesn’t lock you out too.