Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Think 2FA Is Bulletproof? Here’s Why You’re Still Vulnerable

Don’t let your guard down.

Two-factor authentication is one of the most important ways you can secure your online accounts. But that doesn't mean you're done.
Two Factor Authentication
(Image: depositphotos.com)

I encourage you to use two-factor authentication (2FA) for any account that supports it. It’s one of the most important ways you can protect accounts from being hacked. As I’ve said many times, even if a hacker knows your password, with 2FA in place, they can’t get in.

I’ve also said there’s no such thing as perfect security. That means 2FA is not an excuse to ignore or deprioritize security.

Let’s look at what 2FA is and what risks you’re still exposed to even with it in place.

Become a Patron of Ask Leo! and go ad-free!

TL;DR:

Two-factor authentication

Two-factor authentication (2FA) significantly enhances online security, but risks remain. Those include phishing attacks, SIM swapping, malware, and insecure backup code storage. 2FA is valuable but not foolproof. Vigilance is essential. Always treat 2FA as an added layer, not a complete security solution.

Two-factor refresher

Traditional authentication relies on something you know: your password. That’s a single factor.

Two-factor adds something you have. When you sign in and 2FA kicks in, it asks you to prove you are in possession of your second factor. That can take several forms depending on what you have and what the service you’re signing into supports.

  • A smartphone in your possession (typically using an authenticator app)
  • An SMS-capable phone in your possession
  • An email account you have access to
  • Another device on which you can respond to a confirmation message
  • A landline phone you can answer

There are two common threads:

  • All of these need to be set up prior to use, much like recovery information.
  • Typically, they only need to be used once, the first time you sign into a device you haven’t signed into before.1

Regardless of the risks I’m about to list, please remember that any two-factor authentication is more secure than no two-factor authentication.

Risk #1: Phishing

You get an email from your service with urgent information about your account. You’re asked to sign in by clicking a link in that email. You sign in normally, providing your username and password. A two-factor prompt comes up, and you dutifully type in the code.

You’ve just handed your account over to a hacker.

What’s really happened is that the account sign-in page was a fake made to look exactly like what you expected. When you signed in, a hacker at the other end captured your username, your password, and your two-factor code in real time. Next, they will immediately sign in to your actual account as you, change the password, and remove two-factor authentication. They now have control.

The solution is the same as for any phishing: be skeptical. Don’t click on links in email you aren’t 100% certain of. In the scenario above, rather than clicking on the link in the email, go to your browser and visit the site in question by typing in the URL you know is correct or using a bookmark you’ve set up previously. Once there, chances are the urgent issue will be nowhere to be found… because it was never real.

Risk #2: SIM Swapping

This applies only to two-factor authentication techniques that rely on SMS text messaging and automated voice messaging on your mobile device.

A hacker contacts your mobile carrier with enough information to successfully impersonate you. They claim you’ve gotten a new phone and need your phone number switched to the new device. It’s not your new phone, of course, but the hacker’s. If successful, the hacker will now get any two-factor codes sent to your phone number.

Mobile providers are increasingly aware of this scam and taking steps to minimize the possibility. The problem, of course, is they can’t know when you’ve honestly gotten a new phone and need to change your number. They do their best to prove that the person asking for the change is you through various authentication methods, but sometimes hackers have enough of your personal information to successfully fool the customer service agent.

As you can see, you almost have to be targeted for this technique to work. Someone will have had to accumulate information about you that they could then use.

The best defense is twofold.

  • Pay close attention to any notification you get via any channel from your mobile provider. If you get a “your number’s been changed” notification, call them immediately.
  • Many mobile providers allow you to set up an additional authentication PIN unique to your account. Do this.

Risk #3: Malware

Malware can do anything.

If you have malware on your machine and you use that machine to sign into an account, the malware could monitor the entire conversation2. If a two-factor code is involved, the malware could report this to the hacker in real time. Much like the phishing scenario above, that hacker could immediately sign in as you, entering the two-factor code the malware captured.

It sounds trite, but the best defense here is not to allow malware on your machine.

That means keeping your security software running and up to date. Keep all your software as current as possible, including the operating system. Since email attachments are one of the most common ways to deliver malware these days, don’t open any attachment you aren’t 100% certain is legit.

Risk #4: Backup codes

Most services that implement two-factor authentication have you create a set of backup codes that you can use in place of the second factor to get into your account should you ever lose it.

You should keep those codes somewhere safe, of course, in case you ever need them. That could mean an encrypted file somewhere or printed out and stored in a safe place, including, perhaps, an actual safe.

The risk is these codes falling into the wrong hands.

Those hands would need to be connected to someone with more information about your account, like your user ID and password, but with the backup codes, they can bypass two-factor authentication completely.

The solution is to keep those codes somewhere secure.

Risk #5: My method of saving QR codes

Here’s a method I use to back up my two-factor authentication devices.

When I set up Google-authenticator compatible two-factor authentication on a new account, I:

  • Screen-shot the QR code used to set up my device.
  • For those that can’s scan a QR code, a text representation of the code is usually available. Save that as well.

I do this because if I ever want to add a two-factor device, all I need to do is scan or enter the code I saved, and the new device displays the same codes as my original.

And, yes, a hacker could do that too, if they got their hands on what I’ve saved. They could set up their own two-factor device to be a kind of clone of mine.

The solution: keep those codes secure. In fact, keep them just as secure as the backup codes from the previous point. I use my password manager.

Do this

Use two-factor authentication. Any two-factor authentication is more secure than no two-factor authentication.

But remember that perfect security doesn’t exist and that you can never let your guard down.

I talk about issues like this often. Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

Podcast audio

Play

Footnotes & References

1: Depending on the method, clearing browser cookies can make it appear as if you haven’t signed into a device before.

2: I’m reluctant to call this “keylogging”, though of course malware can log keystrokes. The problem is that malware can do much, much more to the same effect.

9 comments on “Think 2FA Is Bulletproof? Here’s Why You’re Still Vulnerable”

  1. My German bank’s authenticator has a third factor. In addition to the logging password and the device, it requires a fingerprint or the authenticator password each time, not just the first. And to set up the app, you have to get a QR code by snailmail. Banks need to be extra careful, but there’s no reason for all websites to take similar precautions.

    Reply
  2. For an elderly person, 2FA and tokens don’t work well. I think a password manager is the best solution for most people. I print out my master password and store it in a safe deposit box. Then if something happens to me, my wife or daughter could access it by the same legal means they’d access my account.

    My father did something similar: when he was diagnosed with cancer, he typed a one-pager with instructions. The last instruction was to listen to a cassette recording.

    All of your suggestions – except the PM one – add complexity. Same for the securityinfive podcast. Do you have one focused on other ways to simplify, or to prepare for end of life (or just disability, like blindness or tremor)?

    Reply
  3. The Bitwarden password manager has the capability of providing TOTP codes. All the passcards in my vault for sites that use 2FA and that can use an authenticator app have been set up to do so.
    Some sites still use SMS and/or email for 2FA purposes.
    I’ve also setup emergency access to my Bitwarden account for when I’m not around and my heirs won’t be at a complete loss as what to do and how to do it. Using the authenticator feature means they don’t need to worry about whether my phone is still available.
    As for phishing threats, I’m in the habit of not using the links in any email messages, rather I just log into sender’s website. SIM swaps are unlikely as I use Xfinity for both internet service and cellphone service and they are already difficult to deal with when getting service done (multiple methods for account verification before they will even do anything, at least in my experience.) Backup codes and QR codes are saved in an encrypted file and backed up in different locations, along with account recovery codes. As for malware, I’m the only user of my computer. I keep Windows updated, have Windows Security run regular scans and backup the computer daily. So far I’ve been fortunate not to have had any problems.

    Reply
  4. The second factor>
    A smartphone in your possession (typically using an authenticator app)
    An SMS-capable phone in your possession

    While I use this second factor for banking it concerns me a lot that, should I loose my mobile phone, I shall loose acces to my bank accounts

    Reply
    • If you lose your phone, you can get a new phone with the same number and get SMS texts on it. That’s also the danger of SMS second factor. A hacker can also claim to have lost your phone and get s phone with your number. I like the way my German bank does seconf factor The have an app that can only be set up with a QR code or a long activation code sent by snail mail.

      Reply
    • When you set up 2FA there’s always a way to recover should it be lost. It could be existing recovery information with the account, or it could a set of recovery keys you save somewhere safe for just this situation.

      Reply
  5. Any time I set up an Internet account on any website, I check for 2FA. If the site doesn’t offer it, I don’t set up the account – instead, I find another service provider that supports 2FA. I don’t enforce this for any site where I subscribe for a newsletter, AskLeo, for example, I simply wait to set up a site account until I’m certain that I can trust the site. I trust Leo.

    As for my computers, I check for system updates (Windows Update) and software updates (Patch my PC) weekly, and on Patch Tuesday. This keeps my computer as up to date as possible.

    Finally, when on the Internet, I employ what I call Cognitive Security. This means that I never blindly trust anyone/anything on the Internet because everyone/everything there is a stranger, until their identity’s confirmed, or is provided/created by strangers.

    As my Mother taught me, never trust a stranger, and as I taught my children, always remember Stranger Danger! If I encounter someone on the Internet who represents themselves as someone I know, I confirm that they are who they say they are by asking them something that only the two of us would know. More importantly, I never click any hyperlink on the Internet, or in email messages without checking that the URL the link will take me to matches up with its label, and that the URL is authentic. For examole, if a hyperlink purports to take me to Best Buy, the URL should begin with “https://bestbuy.com/”. If not, I don’t trust/click the hyperlink. Put simply, I start by trusting nothing on the Internet, until I learn what/who’s absolutely trustworthy. I suggest you do the same.

    Ernie

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.