Two Factor Authentication Isn’t the Panacea Many Think It Is

Let me be very clear, two factor authentication (2FA) is an essential security tool that everyone should be taking advantage of when and wherever they can. That said, I have a confession to make. In short, I have been using 2FA with a number of accounts for quite some time with the mistaken belief that this tool provided more robust security than it actually does. I have since come to learn that I have been living under a false sense of security. I don’t want to see you make the same mistake because the consequences could be severe.

For those of you who are unfamiliar with the term “two factor authentication,” here’s what it is. 2FA adds an additional level of protection beyond a singular method of authentication. Think about passwords. By combining your password, which is a common single factor of authentication (1FA) and is something you know, with a second factor, which is either something you have or something you are, you gain an added layer of security. This second factor could be something like a smartphone, which is something you have, or a fingerprint, which is something you are.

Logging into a bank account online is an example. After you submit your user name and password (1FA), many online banking sites will send a verification code to your smartphone (2FA). You must then correctly enter the verification code in order to gain access to your account. Another example is an ATM machine. Here you insert your bank card (1FA), which is something you have, and then you must confirm it’s you by entering the correct pin number (2FA), which is something you know.

Once 2FA is set up on any site or service, it’s quite tempting to believe that you have locked your digital assets down and, to some degree, you certainly have. Again, 2FA is significantly more secure than 1FA. Always use it if it’s an option, even for access to your email accounts. It’s that important. Just understand that 2FA isn’t a panacea. In fact, I recently sat in on a cyber security presentation where 11 different ways of defeating 2FA were demonstrated, one of which has been in use since 2000. Suffice it to say, that got my attention.

The details of the different methods demonstrated are beyond the scope of this post, and in all honesty, beyond my skill set in terms of trying to provide a competent explanation. I also believe the details won’t matter much to the average person. What should matter includes the following. 2FA is hackable. 2FA can be defeated via phishing or social engineering attacks directed at you or at tech support of the site or service you are using 2FA with. 2FA really isn’t 2FA if the site or service makes its use optional. If it’s optional, it can be bypassed by some other less secure authentication method, for example a password reset request to tech support made by someone pretending to be you.

This brings me to the important take-aways. First, 2FA is a valuable tool as long as you realize that the security it provides only goes so far. Second, due to the inherent limitations of 2FA, there are things you still must do in order to stave off cybercriminals. I’m talking about things like not clicking on rogue links and never providing accurate answers to the password reset questions you select. It’s going to be all about prioritizing and focusing on the basics of social engineering awareness coupled with ongoing training for you and everyone who works at your firm.

With that out of the way, I suspect there are a few out there who either need a little more motivation or are just gluttons for punishment. If you count yourself as a proud member of either group, this link will take you to a demo of an actual hack into a LinkedIn account protected with 2FA. As you watch it, ask yourself if you would have fallen prey. Oh, also keep in mind that this is a demo of just one of the 11 ways 2FA can be defeated.