Even if it’s hackable.
This is an update to an article that originally discussed only SMS two-factor authentication. Since then, two things have happened:
- An exploit kit was published allowing a phishing attack to hijack a two-factor secured login.
- Various media declared, “Two-factor has been hacked!”
Unfortunately, these have led some to believe that two-factor authentication is pointless. To quote a reader: “This makes 2SV quite useless in many cases.”
No. Just… no. That’s a seriously mistaken conclusion.
I’m re-visiting this topic because I want to be very clear: two-factor authentication is not useless. In fact, two-factor authentication — SMS-based or otherwise — is significantly more secure than not using two-factor authentication at all.
Common approaches to two-factor
Two-factor authentication combines something you know — your account id and password — with something you have — referred to as the second factor. To complete authentication, you somehow prove you are in possession of that second factor.
There are several common forms of two-factor authentication.
SMS text messaging
When using text messaging for two-factor authentication, you’re texted a code you must enter to complete the log-in process. It’s quick, it’s convenient, and it doesn’t require data connectivity or even a smartphone; any device capable of receiving a text message can be used. This technique transfers to your new phone automatically when you transfer your mobile number to the new device, though as we’ll see below, that can also be viewed as an inherent weakness.
SMS two-factor authentication confirms you are in possession of your configured second factor: the device associated with your mobile number.
Google Authenticator
This smartphone application generates a code that changes every 30 seconds. When configured, you establish a cryptographically secure pairing between an online service and the app. When requested, you simply enter the code currently displayed on your phone. The application runs independently on your device; no connectivity required. As long as the time is set correctly, it just works.
Google Authenticator and other compatible apps such as Authy are a form of time-based one-time password, or TOTP.
A TOTP confirms you are in possession of your configured second factor: the device on which the application is running.
Email
Email can be used as a second factor. When you log in, the service sends an email message to the email address of record. It contains a link you click to complete the log-in process or a code to be entered. I’ve seen some services use this technique to bypass the password requirement completely, relying only on your email address being correct, your email account being secure, and your ability to click the link or enter the code sent to it to verify you are who you say you are.
Email-based two-factor confirms you are in possession of your second factor: your ability to access the configured email account.
Hardware key
Often considered the ultimate second factor, a hardware key is a small USB device, often something you can add to your key ring. Much like Google Authenticator, you establish a cryptographically secure pairing between an online service and the key. When requested, you insert your key into a USB slot and press a button on the key. (Not all keys need a button press, and some even use radio signals and merely need to be swiped over your NFC-compatible mobile phone.)
Being able to insert the USB key proves you are in possession of your second factor: the USB key.
Exploiting two-factor
Assuming you’ve not physically lost your second factor, there are three basic approaches to exploiting or bypassing two-factor authentication.
Hijack your phone number. Typically this is done using social engineering. Posing as you, the hacker convinces your mobile phone customer service representative you’ve lost your phone and have a replacement, and they should re-assign your number to a new device in the hacker’s possession. Once done, the hacker gets your SMS messages. This is often referred to as SIM swapping.
Hijack your phone company. Seriously. Hackers were caught purchasing access to a rogue phone company and then exploiting that access to redirect a victim’s phone number to a device in the hacker’s hands. Once again, the hacker gets any SMS messages sent to that number. Purchasing access to a rogue phone company? Clearly possible, but not a common scenario, and nothing I’d consider ever worrying about.
Catch you phishing. This has been around for a long time, but gained additional exposure when a toolkit was made available to make it easier for hackers to implement. While there are several technical aspects that may differ, the idea is simply to trick you with a fake link that then acts as a “man in the middle” to either capture your credentials — including the two-factor code you might enter — or hijack your successfully logged-in session.
SMS: the weakest link?
Of the three exploit approaches listed above, two are SMS-based, though only one is what I’d call a practical risk: SIM swapping.
Other approaches are somewhat more secure. For Google Authenticator to be compromised, the hacker needs access to the device running the app — in other words, access to your second factor. For email two-factor to be compromised, your email account would need to have been compromised. Once again, this effectively gives the hacker access to your second factor.
It’s worth noting that in almost all cases, at least one of two things must be true for your two-factor protection to be compromised.
- You need to be targeted specifically. For example, someone has your phone number and the means to carry out one of the SMS-based compromises.
- You need to fall for it. At this point, all of the non-SMS-based compromises rely on a successful phishing attempt. You need to have dropped your guard.
And even if your two-factor were compromised, the hacker still has nothing without the first factor: your account ID and password.
The weakest link is no 2FA at all
Let’s say you’ve decided that two-factor isn’t secure (because, as we’ve seen, it isn’t completely, absolutely, 100% secure — nothing is). Perhaps you believe it’s a wasted effort, or, like the reader I mentioned earlier, decide it’s useless.
So you elect not to use it at all.
Here’s the requirement for your account to be hacked:
- The attacker needs to know your username and password.
That’s it.
By not adding any form of two-factor authentication, you’ve elected to make it easier for hackers to access your account.
Do this
With two-factor authentication, hackers can’t access your account even if they know your password.
Even though it’s not perfect, adding any reasonably implemented form of two-factor authentication places an additional barrier that the hacker must be motivated and able to cross in order to access your account.
Most aren’t motivated, opting instead for the low-hanging fruit of other accounts with compromised passwords.
I strongly recommend using two-factor authentication, be it Google Authenticator, email, SMS, or something else. It remains a critical way to keep your accounts secure.
That image you used for the article illustrates it perfectly. I’ve always looked at 2nd Factor Authentication as a second lock. If one is weak, taking it away doesn’t make you any safer. And the tools needed to break that second lock have to be powerful, unless of course, you let your guard down and fall for exploit #3. But if you fall for phishing attempts, you’ll be vulnerable to all kinds of malware and hacks, not just a 2FA hack.
SMS is vulnerable to SIM swapping, BUT in order to use SIM swapping to hack an account: First of all, they would need to know who you are, your phone number, and your account email and password, to target you specifically. I don’t see that as significantly more vulnerable than losing a Yubikey. In other words, nearly zero for the average person. Only a friend, enemy, relative, or co-worker would be capable of this kind of hack. If you are a public figure, boss, or log in to those accounts at work or on a public computer (danger of keylogging), SMS can be a risk.
Leo,
You put a footnote indicator and the end of the phrase: “the device on which the application is running.” But there are no footnotes. Did you get hacked?
Not sure why so many people jump to “have you been hacked” whenever anything seems amiss. In this case it was simple operator error (where operator is me).
Ah, yes, we are all susceptible to that, aren’t we? And I understand about the “operator error” issue. In my question to you, I used the wrong word: “and” instead of the preferred word: “at”. It happens to the best of us, doesn’t it? Keep up the good work, Leo. Even though you are human, you still present us a lot of good, worthwhile material. ; )
Or maybe you can promote the Danish NemID 2-factor system.
It looks very professional, and shows no obvious way it is built.
It is a government supported system, used to access both bank accounts, and communication with government.
As I understand this article, and from what I’ve read elsewhere, an authenticator’s security is pretty much absolute – provided you a) use a passcode for your phone and b) don’t lose your phone.
If that’s right, why would anyone use the other methods of 2FA? And by the same logic, why would anyone offer them?
Authenticators are free and couldn’t be easier to use.
Not all services support the authenticator. Some only support, for example, SMS based 2FA.
Thank you Leo.
That was a point I hadn’t considered! All those (few) I use do support an authenticator.
Another method for 2FA is using a Yubikey or something similar. While not inexpensive, they work by plugging into a USB port or by holding near a smartphone that uses NFC. My understanding is that a code is stored onto the key for the account (Lastpass, Google or Microsoft). With the key installed, pressing it enters the stored code to access the account.
My biggest issue with 2FA is that not enough sites are using it, especially financial sites.
Hardware-based 2FA is the only method that prevents the phishing risk. You need at least 2 keys, though, in case you lose one.
I wouldn’t call Yubikeys and such really expensive. They start from around $20. That’s expensive relative to free. You would pay at least as much for a spare key to a high-security door lock, never mind the lock itself.
I use a YubiKey on one of my accounts, and I do like it. Problem is, like any 2FA, not all sites support it.
Unfortunately the term 2FA has been convoluted and diluted to mean any two pieces of information. The original intent of 2FA was to include two types of factors: “something you know” (information) and “something you have” (a physical item). None of the methods outlined by Leo are strictly 2FA, but rather a 2-step authentication. Not that it’s bad, but not as secure as it was intended. Consider how you use your ATM card (you have the pin – information, and the card – physical object). The reason that your cell phone doesn’t really qualify as something you have is because access to it is via software and information. It’s not the physical phone or your ownership of it that provides the security, it’s the information you put into it. If one type of authentication (i.e. information) can be hacked, then another item of the same type can also be hacked with the same or similar mechanism. So, as indicated by Clairvaux, a true 2FA should use an independent hardware-based device.
Actually the 2FA app on your phone acts as a true second factor. Your ability to enter that code “proves” you are in possession of the second factor: your phone. Same, actually, for SMS. The idea is that your ability to receive the code proves you are in possession of that physical device — something you have.
That both of these mechanisms can be subverted (albeit with great difficulty) doesn’t really invalidate their two-factor-ness. To be fair, a hardware device can also be subverted (again, with great difficulty).
Is the free USB Raptor app that converts a USB flash drive to a key a secure app? I just made another comment to you and incorrectly used the word, “predator” for that app. Sorry about that. I’m getting old.
I’m not familiar with Raptor either, I’m afraid.
Leo,
When you say:
“Either of two things must be true for your two-factor protection to be compromised: you need to be targeted, specifically. For example, someone has your phone number and the means to carry out one of the SMS-based compromises”,
do I understand correctly it does not mean one needs to know your phone number; it means one needs to own your phone number, and be able to send or receive SMS through it as if they were you?
I’m not really understanding the scenario you describe. Basically they need access to receive or intercept SMS based messages sent to your number. That requires that they know your number.
Clairvaux is saying knowing your phone number alone is NOT sufficient. It is pretty easy to know someone’s phone number. You need to have access to the phone itself (barring the unusual situations with transferring a phone number, etc.)
Sorry for not answering this before. I came back to the article thanks to an RSS alert, because it was updated.
I indeed meant that knowing the phone number of the target is not enough. You need to control it. That’s the hard part. I believe we agree on this with Leo.
I use Mozilla Thunderbird to gather emails from several sources. Will the use of 2 factor verification slow the sign on to the extent that Thunderbird’s attempts to download will fail? Can Thunderbird even handle an email account with 2 factor ID?
It doesn’t slow anything down, other than perhaps the initial connection. Once you’re authenticated you’re authenticated and everything works as before. Yes, Thunderbird can work — I do it myself — but what’s MORE important is that the email service you’re using offer the kind of support that’s required. Typically that means either OAUTH (Thunderbird actually hands off the authentication to the service where they deal with 2FA), or the service allows you to create “application passwords” which are passwords that, when used, bypass 2FA for applications that don’t support 2FA natively.
My broker calls my home phone and speaks the code to enter.
I have somehow gathered from reading elsewhere that, as you state, SMS-based 2FA can be hacked (using flaws in SS7), but this specific risk does not apply to voice phone calls. When a sensitive web site (banking, shopping, medical, government, etc.) allows it, I ask for a code provided via voice call rather than an SMS message. Voice calls have the advantage of working with landlines (POTS or plain old telephone system), which some folks still have.
Is a voice call to a cell phone less subject to hacking than an SMS message?
(I am not talking about SIM-swapping, which would affect both SMS and voice.)
Thanks!
I’m actually not sure. I would assume that the “hack the telephone company” scenario would apply to anything – POTS or cellular, voice, SMS or data. At a practical level, though, it’s SIM swapping that’s probably the larger of the risks.
I really like the idea of email authentication as part of 2fa however not many services or websites support email as part of 2fa according to the website https://twofactorauth.org/. The reason I like email is because I am retired and on a fixed income. My wife and I do have cell phones however they are voice only – no internet and no texting. A case in point even Gmail does not support email as part of 2fa according to https://twofactorauth.org/. I wish more services and websites would offer email as part of 2fa. BTW that is a very good website that tells you exactly what forms of 2fa are offered by various services and websites!
The only account I’ve come across that offers email as a second factor is outlook.com email. (Obviously the second factor email account has to be with another provider.)
The reason I turn down two-factor … any service I use relies solely on the user having a cellphone to send a text message to. I don’t have a cellphone and I don’t need a cellphone. The option of email you mentioned intrigued me, but no service that I know of has moved in that direction.
In Europe, all bank accounts use 2FA. What I find shocking is that most US banks don’t.
My German bank has 3 factor authentication. Password login, an installed smartphone authenticator app, and a fingerprint or another password to open the app.
Not using two-factor authentication is analogous to refusing to turn on a car alarm or home security system just because the doors can be locked. Would anybody with half a brain actually say, “I don’t set my alarm because alarms aren’t 100% foolproof so I just lock the doors…”?
The problem with trying to make anything foolproof is that the fools always seem to think they’re not foolish. ;-)
This is all great when you are in your own country.
How do you receive texts or SMS or any other message when you are using a different SIM (i.e. phone number) when traveling outside your country?
You don’t. If your account is going to require an additional layer of validation make sure you have something OTHER than SMS enabled in addition. Like an alternate email address or two, a 2-factor app like Google Authenticator, or a one-time recovery code depending on what your account provider supports.
I have a Magic Jack. I use the app on my phone and use that number as my second factor. It receives text messages as if it were a cell phone. I live in Europe, and just yesterday, I was asked to verify my PayPal account via text to my phone and got the verification code via my Magic Jack number which I have on record with PayPal as my mobile number.
When I travel from Europe to the US, I have a dual SIM phone and can receive texts sent to my European phone free in the US. More and more European banks are switching to an app to verify customers’ identities. You don’t need a dual SIM card phone. Until I got that, I’d put my European SIM card in an older phone.
I just started activating 2FA wherever possible, with Kee Pass and its plugin Kee OTP. It’s the password manager which generates the TOTP, instead of a phone app.
Although that’s theoretically less secure than using a phone, especially if you put passwords and 2FA secrets in the same database, as I do, there are some tremendous advantages to it:
1. You don’t need to own a mobile phone at all!
2. If you have one, you don’t need to have it charged and powered on all the time. My phone’s default state is off, so if I used phone app-based 2FA, I would have to wait a long time to launch it, every time I wanted to log into a site.
Plus, I would have to type two passwords on the phone before even accessing the app.
3. You don’t need to type the TOTP code manually! Not only can you copy and paste it from Kee Pass, but you can use Kee Pass’s basic script language to automate the whole login sequence: open the login page of the website you want to connect to, select the relevant entry in Kee Pass, click Auto-Type, and see the password manager do all the job of typing username, password and TOTP, with all the intermediate, custom validation key presses (or mouse-clicks) in-between.
If you enable global auto-type, a single, identical key combination starts login whatever the site.
4. Now, backup of your 2FA secrets is suddenly much easier. In fact, you don’t need to do anything. Since, presumably, you already have in place a thoroughly redundant procedure for the backup of your password database, the 2FA secrets get backed up at the same time.
You thus avoid two of the most annoying drawbacks of 2FA by TOTP phone app: either you don’t back up your secrets, and lose access to your accounts when you lose your phone, break it or suffer a bad update, as many, many people have discovered once it was too late, unfortunately.
Or, you need to enforce separate and specific backup routines for your 2FA app. Kee Pass gets rid of all that. Even the 2FA recovery codes that many sites give you can go into Kee Pass, where they are encrypted and backed up effortlessly.
Other password managers allow that, such as Kee Pass XC (desktop program, just as Kee Pass proper) or Bitwarden (online service).
I’m still using LastPass for password management (That may change soon). I’ve commented about the steps I’ve taken to make my vault as secure as possible, so I won’t go over all that again. I use the LastPass Authenticator app for 2FA access to my LastPass account. I use the Microsoft Authenticator app for all other 2FA authentication (where supported). I avoid SMS 2FA where possible, but as Leo says, SMS 2FA is better than no 2FA at all, so I’ll use it when better options are unavailable. My bank auto-dials my home phone, then I enter a code from their website in my phone to authenticate when I’m using a new/different web browser, I’ve re-installed Windows or built a new computer. I wish they’d support any of the popular Authenticator apps (from Google, Microsoft, etc.), but they don’t yet.
Unless I’m mistaken, the majority of phishing expeditions are undertaken using email, so I’m very skeptical/suspicious of any unexpected email message I receive. If I know the purported sender, I contact them another way to confirm that they sent the message (usually by phone or Facebook DM). If they sent the message, I ask why they didn’t call or DM me :). For the most part, I use email to get newsletters, software update notifications, and forum content synopses from a few forums I frequent. I prefer to see, hear, or DM the people I really care about, so unexpected email messages are an uncommon event here. If for any reason I’m unable to confirm that an unexpected message came from the purported sender, I send it to the spam folder. When working with email messages I expect, I carefully check the destination URL of any link before clicking it, either by viewing the URL in a pop-up dialog as I hover my mouse pointer over the link, or by ALT-clicking the link to copy the URL to my clipboard so I can paste it into a Notepad window for examination. I check any links I intend to click on web pages the same way, ALWAYS BEFORE CLICKING! My rule of thumb here is “NEVER implicitly trust ANYTHING that comes from the Internet”. The Internet is full of strangers, and we all know about Stranger Danger, don’t we?
I hope what I do to remain safe helps others,
Ernie