Cybercrime trends are continually rising – one study by LexisNexis Risk Solutions reveals a 20% annual increase in the global digital attack rate, driven by an uptick in the e-commerce and financial services industries.
Therefore, digital security is paramount, and there are now several advanced forms of protection available for businesses to leverage, including two-factor authentication. But what if such measures aren’t failsafe and actually have some vulnerabilities, leaving critical company and customer data exposed to certain threats?
This article answers some important questions about the strengths and weaknesses of two-factor authentication (2FA) and what you can do to ensure this method of digital security is as effective as possible.
What is two-factor authentication (2FA)?
2FA is a form of multi-factor authentication. As the name suggests, two layers of security are required to verify a user’s identity as they attempt the login process online. Here’s how the process works:
- Layer one: a customer enters their username and password to log into their account online.
- Layer two: the customer then uses a second authentication factor, such as a unique PIN code, to complete the login process.
2FA offers many benefits for businesses and customers, the main one being that it helps to prevent fraud. Hackers and other cybercriminals find it difficult to bypass two-factor authentication because they need two distinct forms of ID to gain access to sensitive data.
Other benefits include reduced helpdesk and support costs (for example, customers can recover forgotten passwords via the second layer of security rather than calling support), increased internal security and more.
Popular types of multi-factor authentication
So, what factors can be used in an effective 2FA system? Combined with a strong password for layer one, any of the following six options work well for layer two…
One-time passwords or codes
One-time passwords (OTPs) can only be used once and usually expire quickly. One of the most common methods of issuing OTPs is via SMS verification. An OTP is sent to the user’s mobile via text message, making this one of the most user-friendly 2FA methods – it’s very straightforward, quick and convenient for both businesses and customers.
Alternatively, OTPs can be sent via email. Or, in the rare event that SMS and email fail to deliver or aren’t accessible at the time of login, the user can request an online service to call them and dictate the verification code over the phone.
Authenticator apps are third-party apps which provide a time-sensitive code to enable the user to complete the login process. Examples include Google Authenticator and LastPass Authenticator.
In this case, the user must download the third-party app to their mobile phone and connect it with the services they want to use. They then open the app when prompted to receive their unique code during login.
Biometric authentication uses different types of biometric data to verify a person’s identity. Biometric data relies on very specific, individual characteristics, so this option is deemed very secure. Examples include facial recognition, fingerprint ID, retina scanning and voice recognition.
Biometric authentication involves a scanning device, technology to convert and compare the data, and a storage facility.
Hardware tokens are physical security keys that users can obtain and carry with them for 2FA. Some of the simplest ones look like USB flash drives and have a display for OTPs. Banks sometimes issue a hardware token to customers to use when making online transactions.
Push notifications work similarly to SMS messages in that a notification pops up on the user’s mobile device. However, they can also be sent to desktop devices as they are ‘pushed’ through a third-party app that the user has downloaded.
For 2FA, the push notification is sent to the user’s mobile device, where they can approve or reject the login request. Wise, the online international money transfer app, uses this method.
Certificate-based authentication is a cryptographic technique. It uses digital certificates to verify a user or device before granting access to a system or network. This method is useful in the workplace to identify when a specific employee logs on with a particular laptop.
Another example is the SSL protocol on websites. When a user clicks on an SSL website via their browser, the SSL certificate will be checked and presented if the website is secure.
Can 2FA be bypassed by hackers?
The short answer to this question is yes. But before we get into the potential weaknesses of 2FA, it’s worth noting that even the biggest cybersecurity companies aren’t immune from digital attacks.
Case in point: the top cybersecurity company FireEye, whose clients include tech giants like Sony and Red Hat, had its own systems pierced by hackers in 2020. Ironically, they made off with some of FireEye’s own sophisticated hacking tools, which could be used to mount new attacks around the world.
Another recent example is the infamous LastPass breach, where a hacker accessed an employee’s home computer to steal a decrypted vault that was only available to a smattering of company developers.
With such high-level security systems being vulnerable to attacks, it should be no surprise that 2FA isn’t 100% foolproof.
Seven ways attackers bypass two-factor authentication
Here are some ways 2FA systems can be breached, and most importantly, some tips to help you prevent these types of hacks.
1. Social engineering
This is where an attacker uses psychological manipulation to trick the customer or user into revealing sensitive authentication credentials. Phishing is one type of social engineering scam, but there are others.
Social engineering attacks can affect any 2FA system that relies on human interaction, such as entering an OTP.
To prevent this hack, educate yourself and your team on the most common social engineering tactics so you all know what to look out for. Also, educate customers and remind them to be wary of requests for sensitive information. They should always verify the authenticity of the request through a separate communication channel.
As mentioned, phishing is a type of social engineering; however, how it’s carried out is more subtle. Consent phishing is prevalent when social media logins are used as a 2FA measure. In this case, an attacker poses as the social platform and requests credentials, which the user inputs into a fake website built purely to collect the login details.
Again, this attack can affect all 2FA methods where users need to submit authentication codes online.
3. SIM jacking
Also known as SIM spoofing, this attack directly breaches the SIM card and targets a user’s telephone number. Once a cybercriminal gains access, they can use the SIM card to make calls, send SMS messages and use data.
SIM jacking directly affects SMS-based 2FA systems. Users can prevent and reduce the implications of being hacked this way by using a different phone number for 2FA than the one used for general communications. Good mobile device security can also deter hackers.
4. Credential stuffing
Credential stuffing is where attackers try to breach a system using lists of compromised usernames and passwords. Bots are often used to automate the process and maximise the chances of getting a successful hit.
Any 2FA system can be affected if it relies on passwords or other authentication mechanisms in addition to 2FA. (Because attackers can use stolen credentials to bypass the 2FA.)
The best prevention measure here is to use solid passwords made up of random letters, numbers and special characters – and don’t use the same password for more than one online service. Be sure to set up account alerts online and monitor closely for any suspicious activity.
Malware is a blanket term that refers to malicious software designed to harm or exploit a device, system, service or network. It can be easily downloaded onto your machine simply by clicking a malicious link or visiting a spoof website. Once installed, malware can invade and damage computers, systems and networks to steal data, alter core computer functions or spy on computer activities.
Malware can affect 2FA systems by stealing PIN codes, not just from SMS but also from authenticator apps. Reduce the risk of malware by never opening suspicious files or installing unverified software. Use a good antivirus on all your devices and keep it up-to-date.
6. Man-in-the-middle attacks
A man-in-the-middle attack is where an attacker intercepts conversations (or data transfers) between the user and the online service or authentication system being used. Once in the ‘middle’ of the transfer, the attacker can capture any information from either party, including login credentials and authentication codes.
Man-in-the-middle attacks can affect any 2FA method linked to a network, such as an online service or database. To mitigate the risk, always use secure communication channels, such as end-to-end encrypted messaging apps and think twice before submitting sensitive information online.
7. Physical theft
This type of attack can happen to anyone, anywhere, at any time. It’s where physical hardware, like mobile devices, laptops and hardware tokens, are stolen. So this can affect 2FA methods such as mobile phone security and a physical security key.
To prevent physical theft, keep devices secured at all times – on your person, under lock and key, hidden from plain sight and password protected.
2FA: not 100% safe – but still a solid security measure
Strong cybersecurity is vital in the online space, particularly as cybercrime is continually rising. Many businesses needing mid to high-level security rely heavily on 2FA to protect their systems and customer data from digital attacks.
Is 2FA hard to hack? It depends on several factors, such as the type of 2FA method used, the strength of device protection, the complexity of passwords, user awareness and online behaviour, and the attacker’s determination.
2FA has its pros and cons; however, it’s important to remember that two layers of security are way better than one. And there are additional measures, as described above, that can be implemented to protect your 2FA mechanism from succumbing to threats and attacks.