Two-factor authentication (2FA) is becoming mandatory on many websites, and it’s easy to see why. At first glance, requiring you to confirm your login via SMS or app provides a solid second layer of security. But how strong is it?
With security threats on the rise and with more people at risk online than ever, it’s natural to want to protect yourself as much as possible. While having a social media account hacked can be annoying, lax cybersecurity has far more serious consequences. Hackers could get into your bank accounts and drain your savings, sensitive files and pictures could be stolen, and you could even have your work account hacked and get into hot water with your boss.
The term “two-factor authentication” refers to the second step to verify who you are. An additional layer of protection will by default provide more security than a single barrier. However, there is more than one 2FA method; all methods offer different levels of security and some are more popular than others. So can 2FA make your sensitive accounts invulnerable to hackers? Or is it just a huge waste of effort? Let’s find out.
SMS is not as secure as it seems
The most common form of 2FA is SMS. Your bank, social media account or email provider will send you a text message with a code that you enter within a set time period. This will give you access to your account and keep your login safe from anyone who doesn’t have your phone. At first glance, this is the safest method. Someone would have to steal your cell phone or come up with some elaborate James Bond-esque method of cloning your SIM card to get around that, right? Wrong.
Last year, Vice claimed that a hacker could use a flaw in the SMS system to steal your number and redirect your text messages for just $16. There are also more and less sophisticated methods that an individual can use to access your messages. The easiest way is to simply call your phone company and claim that it’s you, that your phone is missing, and ask the company to transfer your number to another SIM card. More complex ones include direct attacks on the company and interception of messages.
And how do they get personal data and your phone number? They could be doing some shady business and buying personal information about you and your various online activities through the dark web. Or they could check your Facebook for details like your date of birth, phone number, schools you attended, and your mother’s maiden name. You may know exactly what information you’re putting online, but many people don’t.
At least it’s possible to protect against SIM swapping attacks, or to be notified when they occur. However, you should consider adopting another 2FA method if possible.
Email-based 2FA may be unnecessary
Two-factor authentication should add another layer of security between your account and a potential threat. However, if you’re lazy, all you’re doing is adding an extra step and potentially giving an internet villain a laugh. If you use the same password for everything and your email account is the one securing the target account, you might have a big problem. A hacker can log into that email address using the same credentials they’ve already stolen and approve their own login.
If you insist on using email-based 2FA, you should create a separate email account purely for authentication purposes with its own unique and hard-to-crack password. Alternatively, use another method as they are all safer.
Push-based 2FA might disappoint you
Push-based authentication can be fast, easy and secure. The device, which can be your smartphone, is linked to your account and registered with the 2FA method you choose. From now on, you will receive a push notification on that device every time you want to log in. Unlock your phone, confirm it’s you, and you’re in. Sounds perfect, right?
Unfortunately, it has a catch or two. The main problem with the push method is that your device must be online to use it. If you need to access your account and your phone is struggling to get a signal, you’re out of luck. It’s worth noting that this hasn’t been a problem for me in the few years I’ve been using it. If I need to log in, I’m usually somewhere with WiFi that my phone can handle. I’m more likely to be somewhere I can’t receive texts than somewhere I’m trying to log in and can’t get push notifications sent to my phone.
Hardware-Based 2FA is a lot of effort
Physical authentication keys are as close to unhackable as you can get. It’s basically a USB stick full of security protocols and codes that you plug into the device you’re logging into. You can keep it on a keychain and carry it with you, or store it in a safe and only take it out when you need to sign in to something that requires an extra layer of security. The main danger with a physical key is that it gets lost or broken, as you may already have done with USB sticks in the past.
There is also the option of a long, complex authentication password that is physically written down. It is a string of numbers and characters and a popular method for securing cryptocurrency wallets. Because such passwords are so difficult to crack, in one case the FBI broke into a house to find the piece of paper containing a 27-character password, which was easier than working it out. You can’t hack something written on a piece of paper and stored in a desk drawer, and supercomputers can take years to work through the possible combinations involved in high-level encryption.
Of course, if it’s in your desk drawer, it’s not with you. If you take it with you, you can lose it just as easily as you can lose a 2FA USB. And when it disappears, at best you’ll have to go through the account recovery process, or at worst, you’ll lose access to your account. The physical method is the best you can do in terms of safety, but the worst in terms of convenience. You can use it as a rock-solid account recovery method, but it’s probably best to avoid it for things you access on the fly.
App-Based 2FA is worth it
There are several benefits to downloading an app like Google Authenticator. It is more secure than methods such as email and SMS verification; it’s free in most cases and still works if the device doesn’t have an internet connection. This is thanks to a time-based algorithm that generates a different code for each time window. A code is only valid for a short period and is tied to the device and the website the user is logging into.
There are still some vulnerabilities. With Google Authenticator, there’s no lock on the app itself, so anyone with access to your phone can open and use it. Some malware could also take advantage of the lack of a passkey, so you should consider alternatives like the Microsoft Authenticator app, which adds another layer of security to the authentication process with features like biometric unlocking. App-based codes are also vulnerable to phishing attacks, where you enter a code on a fake website and allow a fast-acting hacker or bot to use it. The codes are also open to interception.
You should still use 2FA
I’ve identified flaws with each method listed, and more will likely emerge over time. But the more security you have, the better. You should 100% use 2FA and other methods like a password manager to secure your online accounts.
There is a balance between safety and convenience, so find what works for you. Maybe the hardware-based method is overkill or something you are guaranteed to lose. SMS may not be as secure as it seems, but it still takes some effort to crack. If you’re just an average Joe, you’re probably not worth targeting individually, and SMS authentication is something that will massively increase your online security.
Look at your life, assess what you have to lose and figure out how much effort you want to put in. However, choose at least one 2FA method (that isn’t email-based) and make sure you have a different password for each account you care about.