Even if it’s “hackable”.
This is an update to an article that originally discussed only SMS two-factor authentication. Since then, two things have happened:
- An exploit kit was published allowing a phishing attack to hijack a two-factor secured login.
- Various media declared, “Two-factor has been hacked!”
Unfortunately, these have led some to believe that two-factor authentication is pointless. To quote a reader: “This makes 2SV quite useless in many cases.”
No. Just … no. That’s a seriously mistaken conclusion.
I’m re-visiting this topic yet again because I want to be very clear: two-factor authentication is not useless. In fact, two-factor authentication — SMS-based or otherwise — is significantly more secure than not using two-factor authentication at all.
Become a Patron of Ask Leo! and go ad-free!
Common approaches to two-factor
Two-factor authentication combines something you know — your account id and password — with something you have. To complete authentication, you must somehow prove that you are in possession of that second factor.
There are three common forms of two-factor authentication.
SMS text messaging
When using text messaging for two-factor authentication, you’re texted a code you must enter to complete the log-in process. It’s quick, it’s convenient, and it doesn’t require data connectivity or even a smartphone; any device capable of receiving a text message can be used. This technique transfers to your new phone automatically when you transfer your mobile number to the new device, though as we’ll see below, that can also be viewed as an inherent weakness.
SMS two-factor authentication confirms you are in possession of your configured second factor: the device associated with your mobile number.
A second form of authentication, this smartphone application generates a code that changes every 30 seconds. When set up, you establish a cryptographically secure pairing between an online service and the app on your phone. When two-factor is used, you simply enter the code currently displayed on your phone when asked. The application runs independently on your device; no connectivity required. As long as the time is set correctly, it just works.
Google Authenticator is a form of time-based one-time password. It confirms you are in possession of your configured second factor: the device on which the application is running.
Authentication option #3 is based on email. When you log in, they send an email message to the email address of record containing a link you click to complete the log-in process. I’ve seen some services use this technique to bypass the password requirement completely, relying on your email address being correct, your email account being secure, and your ability to click the link sent to it to verify you are who you say you are.
Email-based two-factor confirms you are in possession of your second factor: your access to the configured email account.
There are three basic approaches to exploiting or bypassing two-factor authentication.
Hijack your phone number. Typically this is done using social engineering: posing as you, the hacker convinces your mobile phone customer service representative that you’ve lost your phone, have a replacement, and simply need them to re-assign the number to the new device. Once that is done, the hacker gets your SMS messages. This is often referred to as “SIM swapping”.
Hijack your phone company. Seriously. Hackers were caught purchasing access to a rogue phone company and then exploiting that access to redirect a victim’s phone number to a device in the hacker’s hands. Once again, the hacker gets any SMS messages sent to that number. Purchasing access to a rogue phone company? Clearly possible, but not the most common scenario around, by far.
Catch you phishing. This has actually been around for a long time, but gained additional exposure last year when a toolkit was made available to make it easier for hackers to implement. While there are several technical aspects that may differ, the idea is simply to trick you with a fake link that then acts as a “man in the middle” to either capture your credentials or your successfully logged-in session.
SMS: the weakest link?
Given the exploit approaches I listed above, two of three categories are SMS-based, though only one is what I’d call a practical or potential risk: SIM swapping.
Other approaches are somewhat more secure. For Google Authenticator to be compromised, the hacker needs access to the device running the app — in other words, access to your second factor. For email two-factor to be compromised, your email account would need to have been compromised. Once again, this effectively gives the hacker access to your second factor.
It’s worth noting that in almost all cases, either of two things must be true for your two-factor protection to be compromised:
- You need to be targeted, specifically. For example, someone has your phone number and the means to carry out one of the SMS-based compromises.
- You need to fall for it. At this point, all of the non-SMS-based compromises rely on a successful phishing attempt. You need to have dropped your guard.
The weakest link is no 2FA at all
Let’s say you’ve decided that two-factor isn’t secure (because, as we’ve seen, it isn’t completely, absolutely, 100% secure). Or perhaps you believe it’s a wasted effort, or, like the reader I mentioned earlier, decide it’s “useless”.
So you elect not to use it at all.
Here’s the requirement for your account to be hacked:
- The attacker needs to know your username and password.
You’ve just made it easier for hackers to access your account.
Two-factor provides an additional barrier
With two-factor authentication, hackers can’t access your account even if they know your password.
Even though it’s not perfect, adding any reasonably implemented form of two-factor authentication places an additional barrier that the hacker must be motivated and able to cross in order to access your account.
Most simply aren’t motivated, opting instead for the low-hanging fruit of other accounts with compromised passwords.
I strongly recommend using two-factor authentication, be it Google Authenticator, email, SMS, or something else. It remains a critical way to keep your accounts secure.
- Naked Security Blog — Bank accounts raided after crooks exploit huge flaw in mobile networks.
- KnowBe4 Blog — [Heads-up] New Exploit Hacks LinkedIn 2-factor Auth. See This Kevin Mitnick VIDEO
- CSO — 11 ways to hack 2FA
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
I'll see you there!