Even if it’s hackable.
This is an update to an article that originally discussed only SMS two-factor authentication. Since then, two things have happened:
- An exploit kit was published allowing a phishing attack to hijack a two-factor secured login.
- Various media declared, “Two-factor has been hacked!”
Unfortunately, these have led some to believe that two-factor authentication is pointless. To quote a reader: “This makes 2SV quite useless in many cases.”
No. Just… no. That’s a seriously mistaken conclusion.
I’m re-visiting this topic because I want to be very clear: two-factor authentication is not useless. In fact, two-factor authentication — SMS-based or otherwise — is significantly more secure than not using two-factor authentication at all.
Common approaches to two-factor
Two-factor authentication combines something you know — your account ID and password — with something you have, referred to as the second factor. To complete authentication, you somehow prove you are in possession of that second factor.
There are several common forms of two-factor authentication.
SMS text messaging
When using text messaging for two-factor authentication, you’re texted a code you must enter to complete the log-in process. It’s quick, it’s convenient, and it doesn’t require data connectivity or even a smartphone; any device capable of receiving a text message can be used. This technique transfers to your new phone automatically when you transfer your mobile number to the new device, though as we’ll see below, that can also be viewed as an inherent weakness.
SMS two-factor authentication confirms you are in possession of your configured second factor: the device associated with your mobile number.
Google Authenticator and other authenticator apps
This smartphone application generates a code that changes every 30 seconds. When you configure it, the service hands the app a secret (usually by scanning a QR code), and from then on both sides hold that same secret; the displayed code is computed from the secret and the current time (the TOTP standard, RFC 6238), so the app runs entirely on your device with no connectivity required. When requested, you simply enter the code currently displayed on your phone. As long as the phone's clock is set correctly, it just works; a clock that is several minutes off produces codes the service will reject.
A TOTP code confirms you are in possession of your configured second factor: the device on which the application is running and holding the secret.
Email
Email can be used as a second factor. When you log in, the service sends an email message to the email address of record. It contains a link you click to complete the log-in process or a code to be entered. I’ve seen some services use this technique to bypass the password requirement completely, relying only on your email address being correct, your email account being secure, and your ability to click the link or enter the code sent to it to verify you are who you say you are.
Email-based two-factor confirms you are in possession of your second factor: your ability to access the configured email account.
Hardware keys
Often considered the ultimate second factor, a hardware key is a small USB device, often something you can add to your key ring. Much like Google Authenticator, you establish a cryptographically secure pairing between an online service and the key: modern keys (FIDO U2F and WebAuthn) generate a separate key pair for each service and register only the public half with it. When requested, you insert your key into a USB slot and press a button on the key, and the key signs a challenge from the service. (Not all keys need a button press, and some use NFC and merely need to be tapped against an NFC-capable mobile phone.)
Answering the service's challenge with the key proves you are in possession of your second factor: the key itself, whose private key never leaves the device.
How two-factor gets bypassed
Assuming you’ve not physically lost your second factor, there are three basic approaches to exploiting or bypassing two-factor authentication.
Hijack your phone number. Typically this is done by social engineering your mobile carrier. Posing as you, the hacker convinces a customer service representative that you’ve lost your phone and have a replacement, and that your number should be re-assigned to a SIM in the hacker’s possession. Once done, the hacker receives your SMS messages. This is commonly called SIM swapping.
Hijack your phone company. Seriously. Hackers were caught purchasing access to a rogue telecom provider and using that provider’s position on the signalling network carriers use to route calls and messages between each other (the SS7 attack described in the Naked Security article cited below) to redirect a victim’s phone number to a device in the hacker’s hands. Once again, the hacker gets any SMS messages sent to that number. Purchasing access to a rogue phone company? Clearly possible, but not a common scenario, and nothing I’d consider ever worrying about.
Phish you. This has been around for a long time, but gained additional exposure when a toolkit was released that makes it easy for hackers to set up. The technical details vary, but the idea is simply to trick you into following a fake link to a look-alike site that sits as a “man in the middle” (a reverse proxy) between you and the real one. It captures your credentials, including the two-factor code you enter, and relays them to the real site in real time, or it simply steals the session cookie of the login you just completed.
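The following added example (my own model, not code from the article, from the toolkit it mentions, or from any real key vendor) puts the hardware-key description and the man-in-the-middle phish side by side. It simulates the reverse-proxy attack against two second factors: a bare one-time code, which the proxy can forward unchanged, and a FIDO-style security key, whose response is bound to the web origin the browser is actually showing. The origins `accounts.example.com` and `accounts-example.com` are constructed, and HMAC-SHA256 over (origin, challenge) stands in for the key's per-site signature; a real key uses a private key and the service stores only the public key, but the origin binding works the same way.

```python
import hashlib
import hmac
import secrets

# Assumed, constructed origins for the example: the real login page and a
# look-alike run by the phisher.
REAL_ORIGIN = "https://accounts.example.com"
PHISH_ORIGIN = "https://accounts-example.com"


class HardwareKey:
    """Model of a security key. HMAC-SHA256 over (origin, challenge) stands in
    for the key's per-site signature (simplification: a real key signs with a
    private key and the service keeps only the public key)."""

    def __init__(self):
        self._secret = secrets.token_bytes(32)    # never leaves the key

    def enrol(self):
        # Simplification: registration hands the service a verification key.
        return self._secret

    def respond(self, challenge, origin):
        # The browser, not the web page, supplies the origin it is talking to,
        # so the key always signs the origin the user is actually visiting.
        return hmac.new(self._secret, origin.encode() + b"\0" + challenge,
                        hashlib.sha256).digest()


class KeyService:
    """Relying party for hardware-key login: checks the response against ITS OWN origin."""

    def __init__(self, origin):
        self.origin = origin
        self._registered = {}

    def register(self, user, key):
        self._registered[user] = key.enrol()

    def new_challenge(self):
        return secrets.token_bytes(32)

    def verify(self, user, challenge, response):
        expected = hmac.new(self._registered[user],
                            self.origin.encode() + b"\0" + challenge,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class CodeService:
    """Relying party for a bare one-time code (SMS, email or app): the code carries no origin."""

    def __init__(self):
        self._pending = {}

    def send_code(self, user):
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[user] = code
        return code                                # delivered by SMS/email/app in real life

    def verify(self, user, submitted):
        # Single use: the code is removed whether or not it matches.
        return hmac.compare_digest(self._pending.pop(user, ""), submitted)


def legitimate_key_login(svc, user, key):
    challenge = svc.new_challenge()
    return svc.verify(user, challenge, key.respond(challenge, svc.origin))


def relayed_key_login(svc, user, key):
    """Reverse-proxy phish: the proxy fetches a real challenge and serves the
    victim a login page on PHISH_ORIGIN; the browser binds the response to that origin."""
    challenge = svc.new_challenge()                   # proxy asks the real site
    response = key.respond(challenge, PHISH_ORIGIN)   # victim's key signs the phishing origin
    return svc.verify(user, challenge, response)      # proxy forwards it; real site expects REAL_ORIGIN


def relayed_code_login(svc, user):
    """Same proxy against a one-time code: the victim types the code into the
    phishing page and the proxy forwards the digits unchanged."""
    code_on_victims_phone = svc.send_code(user)       # proxy makes the real site send the code
    typed_into_phish_page = code_on_victims_phone     # victim enters it on the look-alike
    return svc.verify(user, typed_into_phish_page)    # proxy replays it; nothing ties it to an origin
```

Run against the real origin, `relayed_key_login` fails because the signed origin does not match, while `relayed_code_login` succeeds: a six-digit code has no idea where it was typed. That is the practical difference between "phishable" and "phishing-resistant" second factors, and it is why the key-based flow sits at the top of the list above.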
SMS: the weakest link?
Given the exploit approaches I listed above, two of the three categories are SMS-based, though only one of them is what I’d call a practical risk: SIM swapping.
Other approaches are somewhat more secure. For Google Authenticator to be compromised, the hacker needs access to the device running the app — in other words, access to your second factor. For email two-factor to be compromised, your email account would need to have been compromised. Once again, this effectively gives the hacker access to your second factor.
It’s worth noting that in almost all cases, at least one of two things must be true for your two-factor protection to be compromised.
- You need to be targeted specifically. For example, someone has your phone number and the means to carry out one of the SMS-based compromises.
- You need to fall for it. At this point, all of the non-SMS-based compromises rely on a successful phishing attempt. You need to have dropped your guard.
And where only your second factor is compromised, as in the SIM-swap and rogue-carrier cases, the hacker still has nothing without the first factor: your account ID and password. (The phishing attack is the exception, since it captures both factors at once, which is why it makes headlines.)
The weakest link is no 2FA at all
Let’s say you’ve decided that two-factor isn’t secure (because, as we’ve seen, it isn’t completely, absolutely, 100% secure — nothing is). Perhaps you believe it’s a wasted effort, or, like the reader I mentioned earlier, decide it’s useless.
So you elect not to use it at all.
Here’s the requirement for your account to be hacked:
- The attacker needs to know your username and password.
By not adding any form of two-factor authentication, you’ve elected to make it easier for hackers to access your account.
With two-factor authentication, knowing your password is no longer enough on its own.
Even though it’s not perfect, adding any reasonably implemented form of two-factor authentication places an additional barrier that the hacker must be motivated and able to cross in order to access your account.
Most aren’t motivated, opting instead for the low-hanging fruit of other accounts with compromised passwords.
I strongly recommend using two-factor authentication, be it Google Authenticator, email, SMS, or something else. It remains a critical way to keep your accounts secure.
Footnotes & References
- Naked Security Blog — Bank accounts raided after crooks exploit huge flaw in mobile networks.
- KnowBe4 Blog — [Heads-up] New Exploit Hacks LinkedIn 2-factor Auth. See This Kevin Mitnick VIDEO
- CSO — 11 ways to hack 2FA