Is 2FA (Two-Factor Authentication) secure | CyberNcrypt
Two-factor authentication (2FA) is the current security best practice for protecting sensitive accounts. For both business and personal accounts, requiring a code delivered via phone or email adds an extra layer of protection against cybercriminals.
What is two-factor authentication and why is it used?
Two-factor authentication (2FA), also known as two-step verification or dual-factor authentication, is a security process in which users provide two distinct authentication factors in order to prove their identity.
Two-factor authentication is implemented to protect both a user’s credentials and the resources to which they have access. Two-factor authentication provides a higher level of security than single-factor authentication (SFA) methods, in which the user provides only one factor — typically a password or passcode. The first factor in two-factor authentication is a password, and the second factor is typically a security token or a biometric factor, such as a fingerprint or a facial scan.
Two-factor authentication adds an additional layer of security to the authentication process: because a password alone is not sufficient to pass the authentication check, it is much harder for an attacker to gain access to a person’s devices or online accounts even when the victim’s password has been compromised.
There are numerous varieties of 2FA:
- SMS-based 2FA
- 2FA via voice call
- Email-based 2FA
- Authenticator app (TOTP)
- 2FA via hardware key fob
How hackers circumvent 2FA
- Social engineering to circumvent 2FA – Social engineering is a non-technical attack in which the attacker manipulates the victim into unwittingly divulging sensitive passcode information. In these instances, the attacker already possesses the user’s login credentials. The attacker calls or sends a message to the victim, urging the user to provide the 2FA code.
- Bypassing 2FA using brute force – When the two-factor authentication code is only four to six characters long (often just digits), an attacker can circumvent 2FA by trying codes until one is accepted, provided the service does not limit the number of attempts.
- Bypassing 2FA with Previously-issued Tokens – Some platforms allow users to generate tokens, such as a document containing a certain number of codes, that can be used later to bypass 2FA. If an attacker gains access to the document, they can easily circumvent 2FA if they also possess the user’s password.
- Bypassing Two-Factor Authentication with a Session Cookie or Man-in-the-Middle – Cookie theft, also known as session hijacking, is the act of stealing a user’s session cookie. Users do not need to enter their password each time they log in: a cookie contains information about the user, maintains the user’s authentication, and tracks the user’s session activity. The session cookie remains in the browser until the user logs out, and closing the window has no effect on the user’s session, so an attacker who obtains the cookie inherits the authenticated session. Once the hacker holds the session cookie, they can circumvent two-factor authentication entirely, because the second factor was already checked when the session was created. Numerous hijacking techniques are known to attackers, including session sniffing, session fixation, cross-site scripting, and malware.
- SIM-Jacking for 2FA Bypass – The main Simjacker attack involves sending an SMS containing a specific type of spyware-like code to a mobile phone, which then instructs the SIM card within the phone to take over the phone in order to retrieve and execute sensitive commands. Because the hacker has control over the phone number, they can intercept the OTP sent via SMS. The attacker achieves this through phishing or social engineering; in either case, they dupe the victim into installing malware that gathers the necessary information from the SIM card.
How to Improve 2FA Security
Despite the flaws discussed above, two-factor authentication is still an excellent way to protect your accounts. Here are some precautions to take when using two-factor authentication:
- Instead of text message codes, always use authenticator apps such as Microsoft Authenticator or Google Authenticator.
- Never give out your security codes.
- Use longer codes with more than six characters whenever possible.
- If you are unsure about your security, consult with a professional to determine what you should do.
- Create complex passwords with a password generator and store them in a password manager.
- Passwords should never be reused.
- As an alternative to code-based 2FA, use a hardware security key.
- Educate yourself and your employees on common social engineering techniques.
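The TOTP scheme behind the authenticator apps recommended above, together with the server-side checks that blunt the brute-force and code-reuse problems listed earlier, as an added example (not CyberNcrypt’s code). It uses only the Python standard library and the RFC 6238 reference secret; the `TotpVerifier` class, its one-step clock-skew window and its five-attempt lockout are illustrative assumptions, not a specific product’s behaviour.

```python
import hashlib
import hmac
import struct
import time

# RFC 6238 / RFC 4226 reference secret (ASCII "12345678901234567890"),
# used here only so the output can be checked against the published test vectors.
REFERENCE_SECRET = b"12345678901234567890"


def totp(secret: bytes, timestamp: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for a given Unix timestamp.

    The time counter is the number of `step`-second windows since the epoch;
    the HMAC is truncated dynamically and reduced modulo 10**digits.
    """
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Illustrative server-side verifier: tolerates one step of clock skew,
    refuses to accept a code twice, and locks after too many failures so a
    six-digit code cannot simply be guessed."""

    def __init__(self, secret: bytes, digits: int = 6, step: int = 30, max_attempts: int = 5):
        self.secret, self.digits, self.step = secret, digits, step
        self.max_attempts = max_attempts
        self.failures = 0
        self.last_accepted_counter = -1  # highest time counter already consumed

    def verify(self, submitted: str, now: int) -> bool:
        if self.failures >= self.max_attempts:
            return False  # locked out: even a correct code is refused now
        for skew in (-1, 0, 1):
            t = now + skew * self.step
            counter = t // self.step
            if counter <= self.last_accepted_counter:
                continue  # each time window is usable once (replay protection)
            if hmac.compare_digest(totp(self.secret, t, self.digits, self.step), submitted):
                self.failures = 0
                self.last_accepted_counter = counter
                return True
        self.failures += 1
        return False


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(REFERENCE_SECRET, now))
```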