Why ANY Two-Factor Is Better than No Two-Factor at All

This is an update to an article that originally discussed only SMS two-factor authentication. Since then, two things have happened:

  • An exploit kit was published allowing a phishing attack to hijack a two-factor secured login.
  • Various media declared, “Two-factor has been hacked!”

Unfortunately, these have led some to believe that two-factor authentication is pointless. To quote a reader: “This makes 2SV quite useless in many cases.”

No. Just … no. That’s a seriously mistaken conclusion.

I’m re-visiting this topic yet again because I want to be very clear: two-factor authentication is not useless. In fact, two-factor authentication — SMS-based or otherwise — is significantly more secure than not using two-factor authentication at all.


Common approaches to two-factor

Two-factor authentication combines something you know — your account id and password — with something you have. To complete authentication, you must somehow prove that you are in possession of that second factor.

There are three common forms of two-factor authentication.

SMS text messaging

When using text messaging for two-factor authentication, you’re texted a code you must enter to complete the log-in process. It’s quick, it’s convenient, and it doesn’t require data connectivity or even a smartphone; any device capable of receiving a text message can be used. This technique transfers to your new phone automatically when you transfer your mobile number to the new device, though as we’ll see below, that can also be viewed as an inherent weakness.

SMS two-factor authentication confirms you are in possession of your configured second factor: the device associated with your mobile number.

Google Authenticator

A second form of authentication, this smartphone application generates a code that changes every 30 seconds. When set up, you establish a cryptographically secure pairing between an online service and the app on your phone. When two-factor is used, you simply enter the code currently displayed on your phone when asked. The application runs independently on your device; no connectivity required. As long as the time is set correctly, it just works.

Google Authenticator is a form of time-based one-time password. It confirms you are in possession of your configured second factor: the device on which the application is running.

Email

Authentication option #3 is based on email. When you log in, the service sends an email message to the email address of record containing a link you click to complete the log-in process. I’ve seen some services use this technique to bypass the password requirement completely, relying on your email address being correct, your email account being secure, and your ability to click the link sent to it to verify you are who you say you are.

Email-based two-factor confirms you are in possession of your second factor: your access to the configured email account.

Exploiting two-factor

There are three basic approaches to exploiting or bypassing two-factor authentication.

Hijack your phone number. Typically this is done using social engineering: posing as you, the hacker convinces your mobile carrier’s customer service representative that you’ve lost your phone, have a replacement, and simply need them to re-assign the number to the new device. Once that is done, the hacker gets your SMS messages. This is often referred to as “SIM swapping”.

Hijack your phone company. Seriously. Hackers were caught purchasing access to a rogue phone company and then exploiting that access to redirect a victim’s phone number to a device in the hacker’s hands. Once again, the hacker gets any SMS messages sent to that number. Purchasing access to a rogue phone company? Clearly possible, but not the most common scenario around, by far.

Catch you phishing. This has actually been around for a long time, but gained additional exposure last year when a toolkit was made available to make it easier for hackers to implement. While there are several technical aspects that may differ, the idea is simply to trick you with a fake link that then acts as a “man in the middle” to either capture your credentials or your successfully logged-in session.

SMS: the weakest link?

Of the three exploit approaches listed above, two are SMS-based, though only one of those is what I’d call a practical risk: SIM swapping.

Other approaches are somewhat more secure. For Google Authenticator to be compromised, the hacker needs access to the device running the app — in other words, access to your second factor. For email two-factor to be compromised, your email account would need to have been compromised. Once again, this effectively gives the hacker access to your second factor.

It’s worth noting that in almost all cases, either of two things must be true for your two-factor protection to be compromised:

  • You need to be targeted, specifically. For example, someone has your phone number and the means to carry out one of the SMS-based compromises.
  • You need to fall for it. At this point, all of the non-SMS-based compromises rely on a successful phishing attempt. You need to have dropped your guard.

The weakest link is no 2FA at all

Let’s say you’ve decided that two-factor isn’t secure (because, as we’ve seen, it isn’t completely, absolutely, 100% secure). Or perhaps you believe it’s a wasted effort, or, like the reader I mentioned earlier, decide it’s “useless”.

So you elect not to use it at all.

Here’s the requirement for your account to be hacked:

  • The attacker needs to know your username and password.

That’s all.

You’ve just made it easier for hackers to access your account.

Two-factor provides an additional barrier

With two-factor authentication, hackers can’t access your account simply by knowing your password.

Even though it’s not perfect, adding any reasonably implemented form of two-factor authentication places an additional barrier that the hacker must be motivated and able to cross in order to access your account.

Most simply aren’t motivated, opting instead for the low-hanging fruit of other accounts with compromised passwords.

I strongly recommend using two-factor authentication, be it Google Authenticator, email, SMS, or something else. It remains a critical way to keep your accounts secure.

24 comments on “Why ANY Two-Factor Is Better than No Two-Factor at All”

  1. That image you used for the article illustrates it perfectly. I’ve always looked at 2nd Factor Authentication as a second lock. If one is weak, taking it away doesn’t make you any safer. And the tools needed to break that second lock have to be powerful, unless of course, you let your guard down and fall for exploit #3. But if you fall for phishing attempts, you’ll be vulnerable to all kinds of malware and hacks not just a 2FA hack.

  2. Leo,
    You put a footnote indicator and the end of the phrase: “the device on which the application is running.” But there are no footnotes. Did you get hacked?

    • Not sure why so many people jump to “have you been hacked” whenever anything seems amiss. In this case it was simple operator error (where operator is me).

      • Ah, yes, we are all susceptible to that, aren’t we? And I understand about the “operator error” issue. In my question to you, I used the wrong word: “and” instead of the preferred word: “at”. It happens to the best of us, doesn’t it? Keep up the good work, Leo. Even though you are human, you still present us a lot of good, worthwhile material. ; )

  3. Or maybe you can promote the Danish NemID 2-factor system.
    It looks very professional, and shows no obvious way it is built.
    It is a government supported system, used to access both bank accounts, and communication with government.

  4. As I understand this article, and from what I’ve read elsewhere, an authenticator’s security is pretty much absolute – provided you a) use a passcode for your phone and b) don’t lose your phone.

    If that’s right, why would anyone use the other methods of 2FA? And by the same logic, why would anyone offer them?

    Authenticators are free and couldn’t be easier to use.

  5. Another method for 2FA is using a Yubikey or something similar. While not inexpensive, they work by plugging into a USB port or by holding near a smartphone that uses NFC. My understanding is that a code is stored onto the key for the account (Lastpass, Google or Microsoft). With key installed, pressing it enters the stored code to access the account.
    My biggest issue with 2FA is that not enough sites are using it, especially financial sites.

    • Hardware-based 2FA is the only method that prevents the phishing risk. You need at least 2 keys, though, in case you lose one.

      I wouldn’t call Yubikeys and such really expensive. They start from around $20. That’s expensive relative to free. You would pay at least as much for a spare key to a high-security door lock, never mind the lock itself.

    • Unfortunately the term 2FA has been convoluted and diluted to mean any two pieces of information. The original intent of 2FA was to include two types of factors: “something you know” (information) and “something you have” (a physical item). None of the methods outlined by Leo are strictly 2FA, but rather a 2-step authentication. Not that it’s bad, but not as secure as it was intended. Consider how you use your ATM card (you have the pin – information, and the card – physical object). The reason that your cell phone doesn’t really qualify as something you have is because access to it is via software and information. It’s not the physical phone or your ownership of it that provides the security, it’s the information you put into it. If one type of authentication (i.e. information) can be hacked, then another item of the same type can also be hacked with the same or similar mechanism. So, as indicated by Clairvaux, a true 2FA should use an independent hardware-based device.

      • Actually the 2FA app on your phone acts as a true second factor. Your ability to enter that code “proves” you are in possession of the second factor: your phone. Same, actually, for SMS. The idea is that your ability to receive the code proves you are in possession of that physical device — something you have.

        That both of these mechanisms can be subverted (albeit with great difficulty) doesn’t really invalidate their two-factor-ness. To be fair, a hardware device can also be subverted (again, with great difficulty).

  6. Leo,

    When you say:

    “Either of two things must be true for your two-factor protection to be compromised: you need to be targeted, specifically. For example, someone has your phone number and the means to carry out one of the SMS-based compromises”,

    do I understand correctly it does not mean one needs to know your phone number; it means one needs to own your phone number, and be able to send or receive SMS through it as if they were you?

    • I’m not really understanding the scenario you describe. Basically they need access to receive or intercept SMS based messages sent to your number. That requires that they know your number.

      • Clairvaux is saying knowing your phone number alone is NOT sufficient. It is pretty easy to know someone’s phone number. You need to have access to the phone itself (barring the unusual situations with transferring a phone number, etc.)

  7. I use Mozilla Thunderbird to gather emails from several sources. Will the use of 2 factor verification slow the sign on to the extent that Thunderbird’s attempts to download will fail? Can Thunderbird even handle an email account with 2 factor ID?

    • It doesn’t slow anything down, other than perhaps the initial connection. Once you’re authenticated you’re authenticated and everything works as before. Yes, Thunderbird can work — I do it myself — but what’s MORE important is that the email service you’re using offers the kind of support that’s required. Typically that means either OAUTH (Thunderbird actually hands off the authentication to the service where they deal with 2FA), or the service allows you to create “application passwords” which are passwords that, when used, bypass 2FA for applications that don’t support 2FA natively.

  8. I have somehow gathered from reading elsewhere that, as you state, SMS-based 2FA can be hacked (using flaws in SS7), but this specific risk does not apply to voice phone calls. When a sensitive web site (banking, shopping, medical, government, etc.) allows it, I ask for a code provided via voice call rather than an SMS message. Voice calls have the advantage of working with landlines (POTS or plain old telephone system), which some folks still have.

    Is a voice call to a cell phone less subject to hacking than an SMS message?

    (I am not talking about SIM-swapping, which would affect both SMS and voice.)

    Thanks!

    • I’m actually not sure. I would assume that the “hack the telephone company” scenario would apply to anything – POTS or cellular, voice, SMS or data. At a practical level, though, it’s SIM swapping that’s probably the larger of the risks.

  9. I really like the idea of email authentication as part of 2fa however not many services or websites support email as part of 2fa according to the website https://twofactorauth.org/. The reason I like email is because I am retired and on a fixed income. My wife and I do have cell phones however they are voice only – no internet and no texting. A case in point even Gmail does not support email as part of 2fa according to https://twofactorauth.org/. I wish more services and websites would offer email as part of 2fa. BTW that is a very good website that tells you exactly what forms of 2fa are offered by various services and websites!

    • The only account I’ve come across that offers email as a second factor is outlook.com email. (Obviously the second factor email account has to be with another provider.)

  10. The reason I turn down two-factor … any service I use relies solely on the user having a cellphone to send a text message to. I don’t have a cellphone and I don’t need a cellphone. The option of email you mentioned intrigued me, but no service that I know of has moved in that direction.
