Two-factor authentication (2FA) is becoming mandatory on many websites, and it’s easy to see why. At first glance, asking you to confirm your login via SMS or an app looks like a solid second layer of security. But how strong is it really?
With security threats on the rise and people with more to lose online than ever, it’s only natural to want to protect yourself as best you can. Having a social media account hijacked is annoying, but lax security can have far more serious consequences. Attackers could access your bank accounts and drain your savings, confidential files and pictures could be stolen, and a compromised work account could land you in hot water with your boss.
The term “two-factor authentication” refers to a second step that confirms who you are. An additional layer of protection is, by default, more secure than a single barrier. However, there is more than one 2FA method; they offer different levels of security, and some are more popular than others. So, can 2FA make your sensitive accounts invulnerable to hackers, or is it just a huge waste of time? Let’s find out.
Texting is not as secure as it seems

The most common form of 2FA is SMS-based. Your bank, social network, or email provider texts you a code that you must enter within a set period of time. This grants access to the account and is meant to keep out anyone who doesn’t have your phone. At first glance, that seems safe enough. Someone would have to steal your phone or devise an elaborate James Bond-esque method of cloning your SIM card to get around it, right? Not quite.
Last year, Vice reported that an attacker could exploit a weakness in the SMS ecosystem to hijack your number and redirect your text messages for as little as $16. There are also more and less sophisticated ways for someone to get at your messages. The easiest is a SIM swap: the attacker calls your phone company, pretends to be you, claims the phone is lost, and asks for your number to be moved to a different SIM card. More complex attacks target the carrier’s network directly and intercept messages in transit.
How do they get your personal details and phone number in the first place? They can buy information about you and your online activity on the dark web, or simply read your Facebook profile for details like your date of birth, your phone number, the schools you attended, and your mother’s maiden name. You may know exactly what you have put online, but many people don’t.
At the very least, you can make SIM-swapping harder and notice it when it happens: ask your carrier to put a PIN or port-out lock on your account, and treat a sudden, unexplained loss of signal as a warning sign. Even so, use a different 2FA method if one is available.
Email-based 2FA might be pointless
Two-factor authentication should add an extra layer of security between your account and a potential threat. If you cut corners, though, you are only adding an extra step, and you might give an attacker a good laugh. If you reuse the same password everywhere and the email account that receives your codes is one of them, you are in trouble: an attacker who has stolen that password can log into the mailbox and approve their own login with the very credentials they already hold.
If you insist on using email-based 2FA, create a separate email account used solely for authentication, with its own unique, hard-to-guess password. Better still, use a different method; all of the others are more secure.
Push-based might let you down

Push-based authentication can be fast, easy, and secure. A device, typically your smartphone, is linked to your account and registered as your 2FA method. From then on, whenever you log in, you receive a push notification on that device. Unlock your phone, confirm that it’s you, and you’re in. Sounds perfect, right?
Unfortunately, there is a catch or two. The main problem with the push-based method is that your device needs to be online for you to use it. If you need to access an account and your phone can’t pick up a signal, you’re out of luck. It’s worth noting that this hasn’t been a problem for me in the few years I’ve used it. When I need to log in, I’m usually somewhere with WiFi that my phone can use. I’m more likely to be in a place where I can’t receive text messages than in a place where I’m trying to log in and not getting a push notification on my phone.
Hardware-based 2FA is a lot of hassle

Physical authentication keys are about as close to unhackable as it gets. A key is a small USB (or NFC) device holding a secret that never leaves it; you plug it into, or tap it against, the device you are logging in from. You can keep it on your keychain and carry it everywhere, or keep it in a safe and only take it out when you need to log into something that warrants that extra layer of security. The main risk with a physical key is losing or damaging it, which you may well have done with USB sticks in the past.
There is also the option of writing a long, complex authentication password down on paper. This is a series of numbers and characters and is a popular way of securing cryptocurrency wallets. Because such passwords are so hard to crack, the FBI once broke into a house to find a piece of paper with a 27-digit password on it, which was easier than working it out. You can’t hack something written on a piece of paper and kept in a desk drawer, and it can take supercomputers years to work through the possible combinations of strong encryption.
Of course, if it’s in your desk drawer, it’s not with you. If you take it with you, you can lose it just as easily as a hardware key. And once it’s gone, you’ll face an account recovery process at best, or lose access to your account at worst. The physical method is the best you can do for security and the worst for convenience. It works well as a solid account recovery method, but it’s probably best avoided for things you access on the fly.
App-based 2FA is worth the effort
Downloading an app like Google Authenticator has some advantages. It is more secure than email or SMS authentication, it is free in most cases, and it works even when the device has no internet connection. That is because of the time-based algorithm behind it: when you enrol, the app and the website share a secret, and from then on the app combines that secret with the current time to produce a code that changes every 30 seconds or so. A code is only valid for that short window and only for the account whose secret generated it, so nothing needs to be sent to your phone.
There are still some weaknesses. With Google Authenticator there’s no lock on the app itself, so anyone with access to your phone can open and use it. Malware could also take advantage of the missing lock, so consider alternatives like the Microsoft Authenticator app, which adds an extra layer of security with features like biometric unlocking. App-based codes are also vulnerable to phishing: if you type the code into a fake website, a fast-acting attacker or bot can relay it to the real site before it expires. And, like any code you type in, they are open to interception on the way.
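As an added worked example (not code from the original post), here is a minimal time-based one-time password generator and verifier, plus a simulation of the phishing relay just described. It uses the test secret from RFC 6238 rather than any real account, and the `relay_phish` function and the 20-second delay are constructed for the illustration. Note that the server only checks secret plus time: it cannot tell whether the code came from the victim or from a middleman.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional

# Base32 encoding of the RFC 6238 test secret "12345678901234567890" (a published
# test vector, not a real account secret). Apps show this as a QR code at enrolment.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP = 30    # seconds per time step; the code changes each step
DIGITS = 6   # length of the code the user types


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, now: int, step: int = STEP) -> str:
    """RFC 6238: HOTP with the counter taken from the clock. No network needed on the phone."""
    return hotp(base64.b32decode(secret_b32.upper()), now // step)


def verify(secret_b32: str, submitted: str, now: int,
           last_used: int = -1, window: int = 1, step: int = STEP) -> Optional[int]:
    """Server side. Accepts the current step and +/- `window` neighbours to tolerate clock
    drift, compares in constant time, and refuses any counter at or below `last_used` so a
    code cannot be replayed inside its validity window. Returns the accepted counter or None;
    callers persist it and pass it back as `last_used` next time."""
    secret = base64.b32decode(secret_b32.upper())
    current = now // step
    accepted = None
    for counter in range(current - window, current + window + 1):
        if counter <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, counter), submitted):
            accepted = counter
    return accepted


def relay_phish(secret_b32: str, now: int, delay: int) -> bool:
    """Models the attack in the text (constructed scenario): the victim types a valid code
    into a fake site at `now`; the attacker forwards it to the real site `delay` seconds
    later. Succeeds whenever the delay is shorter than the server's acceptance window."""
    stolen_code = totp(secret_b32, now)
    return verify(secret_b32, stolen_code, now + delay) is not None


if __name__ == "__main__":
    print("code at t=59:", totp(RFC_SECRET_B32, 59))
    print("relayed 20s later accepted:", relay_phish(RFC_SECRET_B32, 59, 20))
    print("relayed 120s later accepted:", relay_phish(RFC_SECRET_B32, 59, 120))
```

The takeaway is in `relay_phish`: a code is bound to a time window and a shared secret, not to the website you are looking at, which is exactly why a fast relay through a fake page works. Rejecting the last accepted counter stops straightforward replay of a code that has already been used, but it does nothing against a relay that gets there first.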
You should still be using 2FA
(I know this is cheesy and images aren’t my forte, but this doesn’t feel right without keeping the “All hackers wear hoodies in dark rooms” trope.)
I’ve identified weaknesses in each of these methods, and more will likely emerge over time. But the more security you have, the better. You should absolutely use 2FA, alongside other measures like a password manager, to secure your online accounts.
There’s a balance between security and convenience, so find what works for you. Perhaps the hardware-based method is overkill, or something you are guaranteed to lose. SMS might not be as secure as it seems, but it still takes real effort to defeat. If you’re an average Joe, you’re probably not worth targeting individually, and SMS authentication will still massively improve your online security.
Look at your life, assess what you have to lose, and decide how much effort you are willing to put in. Whatever you choose, enable at least one 2FA method (not the email-based one) and make sure you have a different password for every account that matters to you.