The Many Factors of Two-Factor Authentication

By Michael A. Shapiro, Esq., CIPP/US/E, attorney with XPAN Law Group

Conventional cybersecurity wisdom says that adding two-factor authentication to your online accounts is the single simplest and most important cybersecurity measure you can take. There are different two-factor authentication mechanisms, and not all are created equal in terms of security and convenience. Which one should you or your company choose?

Two-factor (or multi-factor) authentication is the use of two (or more) independent mechanisms for account authentication. Typically, it is a combination of factors drawn from three categories: something you know, something you have, and something you are. “Something you know” is usually a password. “Something you have” might be your phone or a security key. “Something you are” is a biometric identifier such as your fingerprint or face. The additional factor adds an extra layer of security because knowing a password is no longer enough for a hacker to gain access to your online account or device.

Cybersecurity experts note that, to be implemented properly, multi-factor authentication should mix different factor types. Simply adding security questions to a password, as some companies still do, is two instances of “something you know” and does not afford the same level of protection.

The most common second authentication method is SMS. When you log into an online account, you receive a single-use code via SMS text message on your mobile device. It is very simple and convenient, but SMS has proved to be the least secure authentication method. SMS messages can be intercepted and are typically not encrypted. Hackers can also trick mobile carriers into temporarily porting a mobile number onto a device they control, in a scheme known as a SIM swap. This is how Twitter CEO Jack Dorsey’s Twitter account was recently hacked. To carry out the swap, a scammer who has obtained a victim’s phone number and other personally identifiable information (which is likely easily obtainable via the Internet and social media) calls the mobile carrier and requests that the number be transferred to a new SIM card. Once the swap is complete, the attacker receives the messages carrying the one-time authentication codes, negating the effectiveness of two-factor authentication.

Another common second authentication method is an authenticator application. There are a number of authenticator apps currently available on the market, such as Google Authenticator, Microsoft Authenticator, Authy, and Duo. An authenticator app generates a time-based one-time password (TOTP) code that you must enter along with your password to access the account. Although more secure than SMS, this authentication method is not immune to phishing. For example, a phishing attack directs a victim to a fake clone of a legitimate website where the victim enters all login credentials along with the app-generated authentication code, thereby granting the hacker access to the victim’s account. In December, Amnesty International reported that advanced state-sponsored actors have already started using phishing systems that can bypass two-factor authentication.

Furthermore, Polish security researcher Piotr Duszynski recently published a penetration testing tool called “Modlishka” which can easily automate phishing attacks and access accounts protected by two-factor authentication. When a phishing victim connects to a Modlishka server, all of his requests are relayed to the legitimate website he is trying to access. Although the victim receives authentic content from the legitimate website, all of his interactions with the site, including authentication credentials, pass through and are recorded on the Modlishka server.

One of the most secure authentication methods is a physical security key. When your account requests a second authentication factor, you plug the key into your device or tap it to the back of your phone. (For a useful breakdown of security keys, check out Episode #001 of the AllThingsAuth Podcast). According to research recently published by Google, a physical key offered a 100% account takeover prevention rate against automated bots, bulk phishing attacks, and targeted attacks. This method, however, might not be convenient for an average consumer, as it requires an investment in hardware (which can add up quickly compared to a free SMS text) as well as the hassle of carrying the security key around.

The bottom line is that a second authentication factor, however vulnerable, always offers more security than a single password. This is especially true since we, as humans, are inherently *bad* at creating secure and strong passwords. Further, any time a hacker must jump through an extra hoop, the chances of unauthorized access significantly decrease. Given that authenticator apps do not require monetary investment, are easy to use, and are compatible with the most popular applications, they might be the best choice for a consumer. However, companies seeking to protect high-value assets should consider investing in more secure authentication technology such as security keys or biometrics. Companies should also regularly train their employees to decrease the risk of phishing and social engineering attacks, which can undermine any security technology. Because in cybersecurity, luck favors the prepared!

* * * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind. If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.