2FA Isn’t a Magic Bullet

Let’s get this out of the way first: two factor authentication is an effective mode of account verification and far, far better than a simple username and password (single factor) authentication method. But it isn’t a magic bullet and can be overcome, especially with clever social engineering (unsurprisingly, the weakest link in security remains people rather than technology). Ultimately, 2FA is only as secure as the method and technology or product used to secure it.

Here’s how 2FA can be overcome by determined hackers and how you can best maintain account integrity across your organization or personal accounts.

What is two factor authentication?

Two factor authentication, or 2FA, requires an additional step when logging in or changing account configuration in an application or service. Usually this is a combination of something you know (PIN number, password, pattern, username), something you have in your possession (ATM card, phone, fob, verification code), or something you are (biometrics).

The most common (and potentally most problematic) form of this is an SMS text message sent to the account owner’s mobile device, which is registered during account setup.

That text message will contain a unique code that is then entered on the service login or confirmation page to confirm it is the account owner making the request, and not just some hacker who got ahold of the password.

Even simpler 2FA might send a confirmation email to the account owner address, asking if the change is legitimate. This is probably the last secure method as it only requires access to the email account in order to gain unauthorized access to associated accounts or applications.

The most secure methods of 2FA use a separate hardware device to provide the authentication key, like RSA SecureID or Google’s USB key, which generate unique keys on a regular basis or must be plugged into the device that is attempting to login in order to pass verification.

In between these two methods (text/email and hardware) are third party applications that you can install on your smartphone, allowing confirmation that you are the account owner as you should be the only one in possession of that device. Two examples are Duo and Google Auth. Keys can also be contained within the user browser and verified according to location, behavior, and device.

2FA Difficulties

Implementing 2FA can be tricky. Which method do you use? The most secure modes can be cost-prohibitive, as a hardware key can run $20 or more per user; with a subscription fee of $1 - $5 per user per month.

Suddenly requiring 2FA can lead to problems with a public-facing service, as users are likely to shun your security in lieu of simpler options (the public doesn’t always know what’s best for them, but more frequently defers to ease of use). In a private system, your help queues are likely to get bogged down for the first few weeks of 2FA requirements as users adjust. And if you only offer 2FA as an option, users are highly likely to choose the less secure single factor, once again due to ease of use.

Authentication methods should also be very obvious and apparent, lest a user inadvertently approve a change request or transaction without realizing it has come from an unauthorized third party.

SMS is especially troublesome as it can be physically intercepted over the network (yes, this really happens, even though it is likely to be a fringe situation) or taken advantage of via social engineering. In one highly publicized example, a hacker got AT&T to generate a new SIM card for a customer, which the hacker then used to reset a Paypal password via SMS and withdraw funds from the victim’s account. This happens across all carriers with some regularity, as attackers call in to request access and the carrier customer support provides it without properly verifying identity.

In 2016, Russian hackers are believed to have used relatively simple spoofed emails and credential harvesting websites in a spear phishing campaign targeting voting machine companies, bypassing 2FA by passing on the password to a legitimate Google verification site, and then sending them back to re-enter their phone number AND the verification code sent to their phone on the fake harvesting website. It was shockingly effective.

Finally, hardware solutions can be misplaced or stolen. If a hacker has your USB security key or access to your mobile device, gaining access to your 2FA secured accounts becomes simple.

What’s to be done?

A realistic approach to security is one that assumes even the most secure system can and will be hacked, given a high enough value and a long enough timeline. However with user training and smart deployment of the most secure methods of 2FA, you can minimize risk and encourage user adoption.

The best solution is hardware-based. USB security keys can be configured to only work on the owner computer, so even if they are lost or stolen, the FIDO specification used will not allow it to bypass credentials. RSA SecureID changes the token often and the individual token access can be revoked if reported missing or stolen

Dedicated applications on mobile devices or browsers are a good middle ground, but only if strong password protocol is used and users are trained to lock their devices (both digitally and physically, when applicable). Users should also be trained about and aware of phishing tactics.

The best solution for an enterprise is to offer flexibility, with simple 1FA for low-risk operations and systems used for daily tasks and 2FA required for high-risk, sensitive data and systems. Any IT staff should be using 2FA, as should users with access to financial data or compliance-mandated information like health data or personal identifying information. This can help reduce fraud while still minimizing the impact on daily user activity.

As for what can replace 2FA, the answer isn’t so clear. Artificial Intelligence and threat detection methods are being developed that can examine a wide range of signals to determine if account activity is suspicious, automatically freezing an account or requiring a user to contact customer service. For example, a login from a foreign country, combined with a previously unrecognized device or different user behavior on-site, could cause a system to deny authentication.

Some apps are also using heuristics to examine the background of verification pages in order to confirm authenticity. In the 2016 hacking example above, the spoofed emails or fake web pages would have potentially been identified due to small differences in their back-end, like a different header configuration than the legitimate website.

One thing has become apparent: 2FA is not the be-all end-all for security. Social engineering in particular offers a roundabout way for hackers to bypass authentication methods, making user training and strict adherence to protocol essential when verifying PINs, security questions, and avoiding suspicious websites and emails.