Why ANY Two-Factor Is Better than No Two-Factor

Even if it’s hackable.

Headlines are proclaiming that two-factor authentication has been hacked. That in no way means you shouldn't use it. Your account is still much safer with two-factor enabled.
(Image: Two Factor Authentication, askleo.com)

This is an update to an article that originally discussed only SMS two-factor authentication. Since then, two things have happened:

  • An exploit kit was published allowing a phishing attack to hijack a two-factor secured login.
  • Various media declared, “Two-factor has been hacked!”

Unfortunately, these have led some to believe that two-factor authentication is pointless. To quote a reader: “This makes 2SV quite useless in many cases.”

No. Just… no. That’s a seriously mistaken conclusion.

I’m re-visiting this topic because I want to be very clear: two-factor authentication is not useless. In fact, two-factor authentication — SMS-based or otherwise — is significantly more secure than not using two-factor authentication at all.

Common approaches to two-factor

Two-factor authentication combines something you know — your account id and password — with something you have — referred to as the second factor. To complete authentication, you somehow prove you are in possession of that second factor.

There are several common forms of two-factor authentication.

SMS text messaging

When using text messaging for two-factor authentication, you’re texted a code you must enter to complete the log-in process. It’s quick, it’s convenient, and it doesn’t require data connectivity or even a smartphone; any device capable of receiving a text message can be used. This technique transfers to your new phone automatically when you transfer your mobile number to the new device, though as we’ll see below, that can also be viewed as an inherent weakness.

SMS two-factor authentication confirms you are in possession of your configured second factor: the device associated with your mobile number.

Google Authenticator

This smartphone application generates a code that changes every 30 seconds. When configured, you establish a cryptographically secure pairing between an online service and the app. When requested, you simply enter the code currently displayed on your phone. The application runs independently on your device; no connectivity required. As long as the time is set correctly, it just works.

Google Authenticator and other compatible apps such as Authy are a form of time-based one-time password, or TOTP.

A TOTP confirms you are in possession of your configured second factor: the device on which the application is running.

Email

Email can be used as a second factor. When you log in, the service sends an email message to the email address of record. It contains a link you click to complete the log-in process or a code to be entered. I’ve seen some services use this technique to bypass the password requirement completely, relying only on your email address being correct, your email account being secure, and your ability to click the link or enter the code sent to it to verify you are who you say you are.

Email-based two-factor confirms you are in possession of your second factor: your ability to access the configured email account.

Hardware key

Often considered the ultimate second factor, a hardware key is a small USB device, often something you can add to your key ring. Much like Google Authenticator, you establish a cryptographically secure pairing between an online service and the key. When requested, you insert your key into a USB slot and press a button on the key. (Not all keys need a button press, and some even use radio signals and merely need to be swiped over your NFC-compatible mobile phone.)

Being able to insert the USB key proves you are in possession of your second factor: the USB key.

Exploiting two-factor

Assuming you’ve not physically lost your second factor, there are three basic approaches to exploiting or bypassing two-factor authentication.

Hijack your phone number. Typically this is done using social engineering. Posing as you, the hacker convinces your mobile phone customer service representative you’ve lost your phone and have a replacement, and they should re-assign your number to a new device in the hacker’s possession. Once done, the hacker gets your SMS messages. This is often referred to as SIM swapping.

Hijack your phone company. Seriously. Hackers were caught purchasing access to a rogue phone company and then exploiting that access to redirect a victim’s phone number to a device in the hacker’s hands. Once again, the hacker gets any SMS messages sent to that number. Purchasing access to a rogue phone company? Clearly possible, but not a common scenario, and nothing I’d consider ever worrying about.

Catch you phishing. This has been around for a long time, but gained additional exposure when a toolkit was made available to make it easier for hackers to implement. While there are several technical aspects that may differ, the idea is simply to trick you with a fake link that then acts as a “man in the middle” to either capture your credentials — including the two-factor code you might enter — or hijack your successfully logged-in session.

SMS: the weakest link?

Given the exploit approaches I listed above, two of three categories are SMS-based, though only one is what I’d call a practical or potential risk: SIM swapping.

Other approaches are somewhat more secure. For Google Authenticator to be compromised, the hacker needs access to the device running the app — in other words, access to your second factor. For email two-factor to be compromised, your email account would need to have been compromised. Once again, this effectively gives the hacker access to your second factor.

It’s worth noting that in almost all cases, either of two things must be true for your two-factor protection to be compromised.

  • You need to be targeted specifically. For example, someone has your phone number and the means to carry out one of the SMS-based compromises.
  • You need to fall for it. At this point, all of the non-SMS-based compromises rely on a successful phishing attempt. You need to have dropped your guard.

And even if your two-factor were compromised, the hacker still has nothing without the first factor: your account ID and password.

The weakest link is no 2FA at all

Let’s say you’ve decided that two-factor isn’t secure (because, as we’ve seen, it isn’t completely, absolutely, 100% secure — nothing is). Perhaps you believe it’s a wasted effort, or, like the reader I mentioned earlier, decide it’s useless.

So you elect not to use it at all.

Here’s the requirement for your account to be hacked:

  • The attacker needs to know your username and password.

That’s it.

By not adding any form of two-factor authentication, you’ve elected to make it easier for hackers to access your account.

Do this

With two-factor authentication, hackers can’t access your account even if they know your password.

Even though it’s not perfect, adding any reasonably implemented form of two-factor authentication places an additional barrier that the hacker must be motivated and able to cross in order to access your account.

Most aren’t motivated, opting instead for the low-hanging fruit of other accounts with compromised passwords.

I strongly recommend using two-factor authentication, be it Google Authenticator, email, SMS, or something else. It remains a critical way to keep your accounts secure.

35 comments on “Why ANY Two-Factor Is Better than No Two-Factor”

  1. That image you used for the article illustrates it perfectly. I’ve always looked at 2nd Factor Authentication as a second lock. If one is weak, taking it away doesn’t make you any safer. And the tools needed to break that second lock have to be powerful, unless of course, you let your guard down and fall for exploit #3. But if you fall for phishing attempts, you’ll be vulnerable to all kinds of malware and hacks not just a 2FA hack.
    • SMS is vulnerable to SIM swapping BUT in order to use SIM swapping to hack an account: First of all, they would need to know who you are, your phone number, and your account email and password, and target you specifically. I don’t see that as significantly more vulnerable than losing a Yubikey. In other words nearly zero for the average person. Only a friend, enemy, relative, or co-worker would be capable of this kind of hack. If you are a public figure, boss, or log in to those accounts at work or on a public computer (danger of keylogging), SMS can be a risk.
  2. Leo,
    You put a footnote indicator and the end of the phrase: “the device on which the application is running.” But there are no footnotes. Did you get hacked?
    • Not sure why so many people jump to “have you been hacked” whenever anything seems amiss. In this case it was simple operator error (where the operator is me).
      • Ah, yes, we are all susceptible to that, aren’t we? And I understand about the “operator error” issue. In my question to you, I used the wrong word: “and” instead of the preferred word: “at”. It happens to the best of us, doesn’t it? Keep up the good work, Leo. Even though you are human, you still present us a lot of good, worthwhile material. ; )
  3. Or maybe you can promote the Danish NemID 2-factor system.
    It looks very professional, and shows no obvious way it is built.
    It is a government supported system, used to access both bank accounts, and communication with government.
  4. As I understand this article, and from what I’ve read elsewhere, an authenticator’s security is pretty much absolute – provided you a) use a passcode for your phone and b) don’t lose your phone.

    If that’s right, why would anyone use the other methods of 2FA? And by the same logic, why would anyone offer them?

    Authenticators are free and couldn’t be easier to use.
  5. Another method for 2FA is using a Yubikey or something similar. While not inexpensive, they work by plugging into a USB port or by holding near a smartphone that uses NFC. My understanding is that a code is stored onto the key for the account (Lastpass, Google or Microsoft). With key installed, pressing it enters the stored code to access the account.
    My biggest issue with 2FA is that not enough sites are using it, especially financial sites.
    • Hardware-based 2FA is the only method that prevents the phishing risk. You need at least 2 keys, though, in case you lose one.

      I wouldn’t call Yubikeys and such really expensive. They start from around $ 20. That’s expensive relative to free. You would pay at least as much for a spare key to a high-security door lock, never mind the lock itself.
    • Unfortunately the term 2FA has been convoluted and diluted to mean any two pieces of information. The original intent of 2FA was to include two types of factors: “something you know” (information) and “something you have” (a physical item). None of the methods outlined by Leo are strictly 2FA, but rather a 2-step authentication. Not that it’s bad, but not as secure as it was intended. Consider how you use your ATM card (you have the pin – information, and the card – physical object). The reason that your cell phone doesn’t really qualify as something you have is because access to it is via software and information. It’s not the physical phone or your ownership of it that provides the security, it’s the information you put into it. If one type of authentication (i.e. information) can be hacked, then another item of the same type can also be hacked with the same or similar mechanism. So, as indicated by Clairvaux, a true 2FA should use an independent hardware-based device.
      • Actually the 2FA app on your phone acts as a true second factor. Your ability to enter that code “proves” you are in possession of the second factor: your phone. Same, actually, for SMS. The idea is that your ability to receive the code proves you are in possession of that physical device — something you have.

        That both of these mechanisms can be subverted (albeit with great difficulty) doesn’t really invalidate their two-factor-ness. To be fair, a hardware device can also be subverted (again, with great difficulty).
        • Is the free USB Raptor app that converts a USB flash drive to a key a secure app? I just made another comment to you and incorrectly used the word, “predator” for that app. Sorry about that. I’m getting old.
  6. Leo,

    When you say :

    “Either of two things must be true for your two-factor protection to be compromised: you need to be targeted, specifically. For example, someone has your phone number and the means to carry out one of the SMS-based compromises”,

    do I understand correctly it does not mean one needs to know your phone number; it means one needs to own your phone number, and be able to send or receive SMS through it as if they were you?
    • I’m not really understanding the scenario you describe. Basically they need access to receive or intercept SMS based messages sent to your number. That requires that they know your number.
      • Clairvaux is saying knowing your phone number alone is NOT sufficient. It is pretty easy to know someone’s phone number. You need to have access to the phone itself (barring the unusual situations with transferring a phone number, etc.)
        • Sorry for not answering this before. I came back to the article thanks to an RSS alert, because it was updated.

          I indeed meant that knowing the phone number of the target is not enough. You need to control it. That’s the hard part. I believe we agree on this with Leo.
  7. I use Mozilla Thunderbird to gather emails from several sources. Will the use of 2 factor verification slow the sign on to the extent that Thunderbird’s attempts to download will fail? Can Thunderbird even handle an email account with 2 factor ID?
    • It doesn’t slow anything down, other than perhaps the initial connection. Once you’re authenticated you’re authenticated and everything works as before. Yes, Thunderbird can work — I do it myself — but what’s MORE important is that the email service you’re using offers the kind of support that’s required. Typically that means either OAuth (Thunderbird actually hands off the authentication to the service where they deal with 2FA), or the service allows you to create “application passwords” which are passwords that, when used, bypass 2FA for applications that don’t support 2FA natively.
  8. I have somehow gathered from reading elsewhere that, as you state, SMS-based 2FA can be hacked (using flaws in SS7), but this specific risk does not apply to voice phone calls. When a sensitive web site (banking, shopping, medical, government, etc.) allows it, I ask for a code provided via voice call rather than an SMS message. Voice calls have the advantage of working with landlines (POTS or plain old telephone system), which some folks still have.

    Is a voice call to a cell phone less subject to hacking than an SMS message?

    (I am not talking about SIM-swapping, which would affect both SMS and voice.)

    Thanks!
    • I’m actually not sure. I would assume that the “hack the telephone company” scenario would apply to anything – POTS or cellular, voice, SMS or data. At a practical level, though, it’s SIM swapping that’s probably the larger of the risks.
  9. I really like the idea of email authentication as part of 2fa however not many services or websites support email as part of 2fa according to the website https://twofactorauth.org/. The reason I like email is because I am retired and on a fixed income. My wife and I do have cell phones however they are voice only – no internet and no texting. A case in point even Gmail does not support email as part of 2fa according to https://twofactorauth.org/. I wish more services and websites would offer email as part of 2fa. BTW that is a very good website that tells you exactly what forms of 2fa are offered by various services and websites!
    • The only account I’ve come across that offers email as a second factor is outlook.com email. (Obviously the second factor email account has to be with another provider.)
  10. The reason I turn down two-factor … any service I use relies solely on the user having a cellphone to send a text message to. I don’t have a cellphone and I don’t need a cellphone. The option of email you mentioned intrigued me, but no service that I know of has moved in that direction.
  11. In Europe, all bank accounts use 2FA. What I find shocking is that most US banks don’t.
    My German bank has 3 factor authentication. Password login, an installed smartphone authenticator app, and a fingerprint or another password to open the app.
  12. Not using two-factor authentication is analogous to refusing to turn on a car alarm or home security system just because the doors can be locked. Would anybody with half a brain actually say, “I don’t set my alarm because alarms aren’t 100% foolproof so I just lock the doors…”?

    The problem with trying to make anything foolproof is that the fools always seem to think they’re not foolish. ;-)
  13. This is all great when you are in your own country.
    How do you receive texts or sms or any other message when you are using a different SIM (i.e phone number) when traveling outside your country?
    • You don’t. If your account is going to require an additional layer of validation make sure you have something OTHER than SMS enabled in addition. Like an alternate email address or two, a 2-factor app like Google Authenticator, or a one-time recovery code depending on what your account provider supports.
    • I have a Magic Jack. I use the app on my phone and use that number as my second factor. It receives text messages as if it were a cell phone. I live in Europe, and just yesterday, I was asked to verify my PayPal account via text to my phone and got the verification code via my Magic Jack number which I have on record with PayPal as my mobile number.

      When I travel from Europe to the US, I have a dual SIM phone and can receive texts sent to my European phone free in the US. More and more European banks are switching to an app to verify customers’ identities. You don’t need a dual SIM card phone. Until I got that, I’d put my European SIM card in an older phone.
  14. I just started activating 2FA wherever possible, with KeePass and its plugin KeeOtp. It’s the password manager which generates the TOTP, instead of a phone app.

    Although that’s theoretically less secure than using a phone, especially if you put passwords and 2FA secrets in the same database, as I do, there are some tremendous advantages to it:

    1. You don’t need to own a mobile phone at all!

    2. If you have one, you don’t need to have it charged and powered on all the time. My phone’s default state is off, so if I used phone app-based 2FA, I would have to wait a long time to launch it, every time I wanted to log into a site.

    Plus, I would have to type two passwords on the phone before even accessing the app.

    3. You don’t need to type the TOTP code manually! Not only can you copy and paste it from KeePass, but you can use KeePass’s basic scripting language to automate the whole login sequence: open the login page of the website you want to connect to, select the relevant entry in KeePass, click Auto-Type, and see the password manager do the whole job of typing username, password and TOTP, with all the intermediate, custom validation key presses (or mouse-clicks) in-between.

    If you enable global auto-type, a single, identical key combination starts login whatever the site.

    4. Now, backup of your 2FA secrets is suddenly much easier. In fact, you don’t need to do anything. Since, presumably, you already have in place a thoroughly redundant procedure for the backup of your password database, the 2FA secrets get backed up at the same time.

    You thus avoid two of the most annoying drawbacks of 2FA by TOTP phone app: either you don’t back up your secrets, and lose access to your accounts when you lose your phone, break it or suffer a bad update, as many, many people have discovered once it was too late, unfortunately.

    Or, you need to enforce separate and specific backup routines for your 2FA app. KeePass gets rid of all that. Even the 2FA recovery codes that many sites give you can go into KeePass, where they are encrypted and backed up effortlessly.

    Other password managers allow that, such as KeePassXC (desktop program, just as KeePass proper) or Bitwarden (online service).
  15. I’m still using LastPass for password management (That may change soon). I’ve commented about the steps I’ve taken to make my vault as secure as possible, so I won’t go over all that again. I use the LastPass Authenticator app for 2FA access to my LastPass account. I use the Microsoft Authenticator app for all other 2FA authentication (where supported). I avoid SMS 2FA where possible, but as Leo says, SMS 2FA is better than no 2FA at all, so I’ll use it when better options are unavailable. My bank auto-dials my home phone, then I enter a code from their website in my phone to authenticate when I’m using a new/different web browser, I’ve re-installed Windows or built a new computer. I wish they’d support any of the popular Authenticator apps (from Google, Microsoft, etc.), but they don’t yet.

    Unless I’m mistaken, the majority of phishing expeditions are undertaken using email, so I’m very skeptical/suspicious of any unexpected email message I receive. If I know the purported sender, I contact them another way to confirm that they sent the message (usually by phone or Facebook DM). If they sent the message, I ask why they didn’t call or DM me :). For the most part, I use email to get newsletters, software update notifications, and forum content synopses from a few forums I frequent. I prefer to see, hear, or DM the people I really care about, so unexpected email messages are an uncommon event here. If for any reason I’m unable to confirm that an unexpected message came from the purported sender, I send it to the spam folder. When working with email messages I expect, I carefully check the destination URL of any link before clicking it, either by viewing the URL in a pop-up dialog as I hover my mouse pointer over the link, or by ALT-clicking the link to copy the URL to my clipboard so I can paste it into a Notepad window for examination. I check any links I intend to click on web pages the same way, ALWAYS BEFORE CLICKING! My rule of thumb here is “NEVER implicitly trust ANYTHING that comes from the Internet”. The Internet is full of strangers, and we all know about Stranger Danger, don’t we?

    I hope what I do to remain safe helps others,

    Ernie