Achieving information security is a never-ending challenge as bad actors find ways to get around every new protective layer. Like all other information security technologies, two-factor authentication can be bested by a determined intruder.
Two-Factor Authentication Means Users Need More Than a Password
The idea behind two-factor authentication (2FA) is that passwords by themselves are relatively weak security. Instead of users needing just a password, they need to prove their identity in two different ways. These ways include:
- Something you know, like a password.
- Something you have, like a cellphone that can receive a single-use token.
- Something you are, like your fingerprints or retinal scan.
It’s important to note that a password plus security questions is not an implementation of 2FA; the security questions and the password are both “something you know.” In effect, the security questions are simply secondary passwords.
Two-Factor Authentication Is Vulnerable to Attacks
Although 2FA adds an extra layer to security, that doesn’t make it invulnerable. There are several approaches a hacker can use to get past it:
- SIM hacking. In this approach, the bad actor effectively takes over the phone number of the mobile device used as part of the 2FA. This enables them to receive the single-use tokens and log in.
- Phishing. Phishing can direct users to malicious sites where single-use passwords are captured. A hacker watching the site in real time can use the token to access the targeted site before the token expires.
Making Two-Factor Authentication Effective
These vulnerabilities don’t mean that you shouldn’t use 2FA to increase the security of your systems, but they do mean you need to be smart about how you implement it.
In particular, there’s an implementation of 2FA that is not vulnerable to SIM hacking or phishing. Instead of a user providing a token that was sent to them, this implementation requires a hardware key to be plugged into the user’s device. Because of the extra cost and potential inconvenience, this may be most appropriate when you have highly sensitive data to protect. It’s also important to note that at least one version of a hardware key was itself found to be improperly implemented and vulnerable to attacks.
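As an added illustration, not taken from the article, of why the hardware-key style resists the phishing relay described above: a minimal model of what the server receives under each scheme. A single-use code is a bearer secret the server accepts from whoever submits it, while a hardware key signs the server's challenge together with the site origin the browser is actually on, so an assertion produced on a look-alike page fails verification at the real site. The origins, secrets and HMAC-based "signature" are constructed stand-ins; real keys use public-key signatures.

```python
import hmac
import hashlib
import json
import secrets

REAL_ORIGIN = "https://bank.example"            # constructed legitimate site
LOOKALIKE_ORIGIN = "https://bank-example.com"   # constructed look-alike site

def otp_code(shared_secret: bytes, counter: int) -> str:
    """HMAC-based one-time code truncated to 6 digits (HOTP-style)."""
    mac = hmac.new(shared_secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"

def otp_server_accepts(shared_secret: bytes, counter: int, code: str) -> bool:
    """The server sees only the digits; it cannot tell where the user typed them."""
    return hmac.compare_digest(otp_code(shared_secret, counter), code)

def key_sign(device_secret: bytes, challenge: bytes, origin: str) -> dict:
    """Authenticator signs the challenge plus the origin reported by the browser."""
    client_data = json.dumps({"challenge": challenge.hex(), "origin": origin}).encode()
    sig = hmac.new(device_secret, client_data, hashlib.sha256).hexdigest()
    return {"client_data": client_data, "sig": sig}

def key_server_accepts(device_secret: bytes, challenge: bytes,
                       expected_origin: str, assertion: dict) -> bool:
    """Verify the signature AND that the signed origin is this site's own."""
    data = json.loads(assertion["client_data"])
    if data["origin"] != expected_origin or data["challenge"] != challenge.hex():
        return False
    expected = hmac.new(device_secret, assertion["client_data"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["sig"])

def demo() -> tuple:
    """Returns (otp relayed accepted?, key relayed accepted?, key legit accepted?)."""
    otp_secret = b"constructed-otp-secret"        # constructed
    device_secret = b"constructed-device-secret"  # constructed
    # OTP: a code captured on the look-alike page is forwarded unchanged and accepted.
    otp_relayed = otp_server_accepts(otp_secret, 7, otp_code(otp_secret, 7))
    # Hardware key: the same server challenge reaches the user's browser, but the
    # browser is on the look-alike origin, and that origin is what gets signed.
    challenge = secrets.token_bytes(16)
    relayed = key_sign(device_secret, challenge, LOOKALIKE_ORIGIN)
    key_relayed = key_server_accepts(device_secret, challenge, REAL_ORIGIN, relayed)
    legit = key_sign(device_secret, challenge, REAL_ORIGIN)
    key_legit = key_server_accepts(device_secret, challenge, REAL_ORIGIN, legit)
    return otp_relayed, key_relayed, key_legit
```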
Two-factor authentication should also be integrated into an effective overall information security strategy. Employees need to be trained to detect and avoid phishing emails. Your infrastructure should include firewalls, blacklists, filters, and other controls that help protect employees and their credentials from dangerous sites.