Two-factor authentication (2FA) is becoming mandatory on many websites, and it’s easy to see why. On the face of it, requiring you to confirm your login via text or app provides a strong second layer of security. But how strong is it really?
With security threats on the rise and people having more to lose online than ever, it’s only natural to want to protect yourself as much as possible. While hacking into a social media account can be annoying, there are far more serious consequences to having lax cybersecurity. Hackers could access your bank accounts and drain your savings, sensitive files and photos could be stolen, and you could even have a business account hacked and land in hot water with your boss.
The term “two-factor authentication” refers to a second step to confirm who you are. An additional layer of protection will, by default, provide more security than a simple barrier. However, there is more than one method of 2FA; all methods offer different levels of security, and some are more popular than others. So can 2FA make your sensitive accounts invulnerable to hackers? Or is it just a huge waste of effort? Let’s find out.
Texting is not as safe as it seems
The most common form of 2FA is SMS-based. Your bank, social media account, or email provider sends you an SMS with a code, which you enter within a set time. This gives you access to the account and keeps out anyone who doesn’t have your phone. At first glance, this is the safest method. Someone would need to steal your cell phone or devise an elaborate, James Bond-like way to clone your SIM card to get around this one, right? Wrong.
Last year, Vice claimed a hacker could use a flaw in the SMS system to hijack your number and redirect your SMS messages for just $16. There are other methods too, of varying sophistication, that an individual can use to get at your messages. The easiest is to simply call your phone company pretending to be you, say your phone is missing, and ask the company to move your number to another SIM card. The most complex involve attacking the company directly and intercepting messages in transit.
As for how they get personal information and your phone number? They might do shady deals and buy personal information about you and your various online activities on the dark web. Or they might check your Facebook for details like your date of birth, phone number, schools you attended, and your mother’s maiden name. You may know precisely what information you’re posting, but many people don’t.
At the very least, it is possible to protect against SIM-swapping attacks or be alerted when they occur. But you should consider adopting a different 2FA method if possible.
Email-based 2FA might be useless
Two-factor authentication should add an extra layer of security between your account and a potential threat. However, if you’re lazy, all you’re doing is adding an extra step and potentially giving an internet miscreant a good laugh. If you’re the type of person who uses the same password for everything, and that email account is the one used to secure the target account, you could be in a lot of trouble. A hacker can log into the email address with the same credentials they have already stolen and approve their own login.
If you insist on using 2FA over email, you should create a separate email account just for authentication purposes, with its own unique, hard-to-crack password. You can also use another method, as they are all more secure.
Push-Based Might Let You Down
Push-based authentication can be fast, simple, and secure. A device, which can be your smartphone, is linked to your account and registered as a 2FA method of your choice. From then on, whenever you want to log in, you will receive a push notification on this device. Unlock your phone, confirm it’s you, and you’re connected. Sounds perfect, right?
Unfortunately, there is a catch or two. The main problem with the push-based method is that your device must be online for you to use it. If you need to access an account and your phone is having trouble getting a signal, you’re out of luck. It’s worth pointing out that this hasn’t been an issue for me in the few years I’ve used it. If I need to get online, I’m usually somewhere with WiFi, which my phone can use. I’m more likely to be somewhere where I can’t receive text messages than somewhere I’m trying to connect and can’t get a push notification on my phone.
Hardware-based 2FA takes a lot of effort
Physical authentication keys are as close to hack-proof as it gets. A key is basically a USB stick holding the secrets and protocols needed to prove it’s you, which you plug into the device you’re logging in from. You can keep it on your keychain and take it with you, or keep it in a safe and only take it out when you need to connect to something that needs that extra layer of security. The main danger with a physical key is losing or breaking it, something you may have done with USB drives in the past.
It is also possible to physically write down a long and complex authentication password. Such a string of numbers and characters is a popular method for securing cryptocurrency wallets. Because these are so difficult to crack, the FBI once broke into a house to find the piece of paper containing a 27-character password, which was easier than cracking it. You can’t hack into something written on a piece of paper and stored in a desk drawer, and supercomputers can take years to go through the possible combinations involved in high-level encryption.
Of course, if it’s in your desk drawer, it’s not with you. If you take it with you, you can lose it as easily as you can lose a 2FA USB key. And when it is gone, you will at best have to go through an account recovery process or at worst lose access to your account. The physical method is the best thing you can do in terms of security, but the worst in terms of convenience. You can use it as a foolproof account recovery method, but it’s probably best avoided for things you access on the fly.
App-based 2FA is worth checking out
Downloading an app like Google Authenticator has a few advantages. It is more secure than methods such as email and SMS authentication; it is free in most cases and still works if the device does not have an internet connection. This is due to the time-synchronized algorithm, which produces a different code at each point in time. A code is only valid for a set period and must match the device and site the user is connecting to.
There are still some vulnerabilities. With Google Authenticator, there’s no lock on the app itself, so anyone who can access your phone can open it and use it. Some malicious programs could also take advantage of the missing lock. You should therefore consider alternatives such as the Microsoft Authenticator app, which adds an extra layer of security to the authentication process with features like biometric unlocking. App-based 2FA is also vulnerable to phishing attacks, where you enter the code into a fake website and allow a fast-acting hacker or bot to use it before it expires. The codes are also open to interception.
You should always use 2FA
(I know it’s cheesy and the pictures aren’t my strong suit, but it doesn’t look right without maintaining the “all pirates wear hoodies in dark rooms” trope.)
I have identified flaws with each method mentioned, and more will likely appear over time. But the more security you have, the better. You must 100% use 2FA and other methods like a password manager to secure your online accounts.
There’s a balance between security and convenience, so find what works for you. Maybe the hardware-based method is overkill or something you’re sure to lose. Texting might not be as secure as it looks, but it still takes a bit of effort to crack. If you’re just an average Joe, you probably aren’t worth targeting individually, and SMS authentication will still dramatically increase your online security.
Examine your life, assess what you have to lose, and determine how much effort you want to put into it. But at least choose a 2FA method (which is not email-based) and make sure you have a different password for each account you care about.