The Potential Risks of 2-Factor Authentication

2 Factor Authentication (2FA): confirming one's identity via more than one method
Gigabit Systems
January 9, 2019

Many cybersecurity experts recommend 2-Factor Authentication (2FA) as an up-and-coming, innovative tactic to combat incoming hackers. Traditionally, a user needs to provide only a username and a password to access data. 2FA instead requires an additional code that only the user should have access to, via another device and/or application. There are still, however, ways for hackers to bypass the barriers to entry that 2FA attempts to create. Before your business brings 2FA into its cybersecurity strategy, here are some worst-case scenarios to be on the lookout for.

The Dangerous Side of 2-Factor Authentication

As told by Kevin Mitnick, a tool that allows hackers to pull off attacks against firms that employ 2-Factor Authentication can be easily downloaded online. Kevin, who is the chief hacking officer at KnowBe4 (a cybersecurity company that trains people to spot phishing attempts), explained to CNBC that these attacks start with a fraudulent email. The email will usually ask the receiver to click on a link that directs them to log into a website with a code sent to their cell phone. While this is happening, the login goes to the hacker's server; the hacker is then able to get the session cookie, allowing them to impersonate the user without needing any username, password, or second factor.

This type of attack falls under the umbrella of social engineering. Social engineering is when hackers manipulate human behavior in a manner that encourages a certain decision, such as clicking on a link or sending a message. To protect yourself and your business from tactics such as these, pay close attention to any message you receive. IT departments should also be looped into the conversation if there is any uncertainty.

How to Secure Your 2-Factor Authentication

To protect yourself from attacks such as these, consider using security keys. A security key resembles a keychain, but contains a hardware chip. The key uses Bluetooth or USB to provide the second factor needed to log in. Mark Risher, Google's director of product management for security and privacy, recently spoke about his company's own security key, the Titan Security Key. The key stores its own password and requires the site to prove its legitimacy before sign-in.

Yet even when all elements of two-factor authentication are intact, your account information may still be compromised. An example of this came in 2014, when hackers broke through two-factor protection to gain access to user accounts for Google, Instagram, Amazon, Apple, and others. This case study supports the case for organizations to move towards modern authentication. Modern authentication would entail adaptive access control solutions that adjust themselves using metadata captured during the authentication workflow, preventing hackers from carrying out successful attacks. This model improves security posture without being a detriment to user experience.

Nothing is Perfect

While 2-Factor Authentication does provide an extra layer of screening before a user can access their account, it is not bulletproof. Information exists online from which hackers can teach themselves how to deploy malware that bypasses 2FA, which is a real cause for concern. In light of this, businesses using 2FA should consider evolving their cybersecurity strategy. While this may include security keys and/or a modern authentication technique, this case study stresses the importance of keeping a cybersecurity strategy up to date with modern trends and crises in the technology realm.
