Two-factor authentication (2FA) is becoming mandatory on many websites, and it’s easy to see why. At first glance, asking you to confirm your login via SMS or an app provides a strong second layer of security. But how strong is it?
With security threats on the rise and people having more to lose online than ever before, it’s natural to want to protect yourself as much as possible. While having a hacked social media account can be annoying, lax cyber security can have much more serious consequences. Hackers could access your bank accounts and deplete your savings, they could steal sensitive files and pictures, and they could even break into a work account and land you in trouble with your boss.
The term “two-factor authentication” refers to a second step to confirm who you are. An additional layer of protection will, by default, provide more security than a single barrier. However, there is more than one method of 2FA; all methods offer different levels of security and some are more popular than others. So can 2FA make your sensitive accounts invulnerable to hackers? Or is it just a huge waste of effort? Let’s find out.
SMS is not as secure as it seems
The most common form of 2FA is based on SMS. Your bank, social media account, or email provider sends you a text message with a code, which you enter within a set period of time. This gives you account access and keeps your login safe from anyone who doesn’t have your phone. At first glance, this is the safest method. Someone would have to steal your cell phone or come up with an elaborate, James Bond-esque way of cloning your SIM card to get around this, right? Wrong.
Last year, Vice claimed that a hacker could use a flaw in the SMS system to hijack your number and redirect your SMS messages for as little as $16. There are also more and less sophisticated methods an individual can use to access your messages. The simplest involves simply calling your phone company saying it’s you, saying your phone is missing, and asking the company to change your number to another SIM card. The most complex involve directly attacking the company and intercepting messages.
As for how they get your personal data and phone number? They could make some shady deals and buy information about you and your various online activities on the dark web. Or they could check your Facebook for details like your date of birth, phone number, the schools you attended, and your mother’s maiden name. You may know precisely what information you put online, but many people don’t.
At the very least, it is possible to protect yourself from SIM swapping attacks or be alerted when they occur. But you should consider adopting a different 2FA method if possible.
Email-based 2FA might not make sense
Two-factor authentication should add an extra layer of security between your account and a potential threat. However, if you’re lazy, all you’re doing is adding an extra step and potentially making an internet scoundrel laugh. If you are the kind of person who uses the same password for everything and your email account is used to protect your target account, you could be in a lot of trouble. A hacker can log in to that email address using the same details he already stole and authenticate his actions.
If you insist on using email-based 2FA, you should create a separate email account used for authentication only, with its own unique, hard-to-crack password. Alternatively, use another method, because they are all safer.
Push technology could disappoint you
Push-based authentication can be fast, easy, and secure. A device, which can be your smartphone, is linked to your account and registered as your 2FA method of choice. From now on, every time you want to sign in, you will receive a push notification on that device. Unlock your phone, confirm it’s you and you’re in. Sounds perfect, right?
Unfortunately, there’s a catch or two. The main problem with the push-based method is that your device must be online for you to use it. If you need to access an account and your phone is having trouble getting a signal, you’re out of luck. It’s worth noting that this hasn’t been a problem for me in the few years I’ve used it. If I need to log in, I’m usually somewhere with WiFi, which my phone can use. I’m more likely to be in a place where I can’t get an SMS than a place where I’m trying to log in and I can’t get a push notification on my phone.
Hardware-based 2FA requires a lot of effort
Physical authentication keys are as close to unhackable as you can get. It’s essentially a USB stick full of protocols and security codes that you plug into a device you’re logging into. You can keep it on your keychain and carry it with you, or keep it in a safe and only take it out when you need to log into something that needs that extra layer of security. The main danger with a physical key is losing or breaking it, which you may have done with USB sticks in the past.
There is also the option of having a long and complex authentication password physically written down. This is a string of numbers and characters and a popular method of securing cryptocurrency wallets. Since these are difficult to crack, the FBI broke into a house to find a piece of paper containing a 27-character password, which was easier than cracking it. You can’t hack something written on a piece of paper and stored in a desk drawer, and supercomputers can take years to go through the possible combinations involved in high-level encryption.
Of course, if it’s in your desk drawer, it’s not with you. If you carry it with you, you can lose it just as easily as you can lose a 2FA USB. And when it goes away, you’ll need to go through an account recovery process at best, or at worst, you’ll lose access to your account. The physical method is the best you can do in terms of security, but the worst in terms of convenience. You can use it as a rock-solid account recovery method, but it’s probably best avoided for things you access on the go.
App-based 2FA pays off
There are some benefits to downloading an app like Google Authenticator. It is more secure than methods such as email and SMS authentication; it’s free in most cases and still works if the device doesn’t have an internet connection. This is due to the time-based algorithm, which produces different keys at different times. A key is only valid for a certain period and must match the device and site the user is signing in to.
There are still some vulnerabilities. With Google Authenticator, there’s no lock on the app itself, so anyone who can access your phone can open and use it. Some malware could also take advantage of the lack of a passkey, so consider alternatives like the Microsoft Authenticator app, which adds an extra layer of security to the authentication process with features like biometric unlocking. It is also vulnerable to phishing attacks, where you will enter the key on a fake website and allow a hacker or fast-acting bot to use it. They are also open to interception.
You must still use 2FA
(I know this is corny, and visuals aren’t my strong point, but this doesn’t feel right without keeping the “all hackers wear hoodies in dark rooms” trope.)
I have identified flaws with each method mentioned, and more will likely surface as time goes on. But the more security you have, the better. You should use 2FA everywhere you can, alongside other measures like a password manager, to protect your online accounts.
There is a balance between safety and convenience, so find what works for you. Maybe the hardware-based method is overkill, or something you’re sure to lose. SMS may not be as secure as it seems, but it still takes some effort to get around. If you’re just your average Joe, you’re probably not worth targeting individually, and SMS authentication will still greatly increase your online security.
Look at your life, assess what you have to lose, and calculate how much effort you want to put in. But choose at least one 2FA method (not email-based) and make sure you have a different password for each account you’re interested in.