September 10, 2019

4 Reasons Two-Factor Authentication (2FA) Cannot Fully Keep You Safe

Remember when you had to change your password every 90 days? And then you couldn't repeat the past 12 passwords? Now you have to create increasingly complicated passwords - 8 characters, 1 upper case, 1 symbol, 1 number, 1 biometric eye scan? 

Obviously, the biometric eye scan was a joke (or was it?), but it serves to illustrate just how complicated passwords are required to be today. The advent of Two-Factor Authentication (2FA) was heralded as the latest way to keep you safe.

By requiring a username, password, and a separate authentication step - most commonly a verification code that is texted to you - 2FA was supposed to safeguard you from hackers. Has it? Here are 4 ways that 2FA is failing you:

1. Your Phone Number Isn't That Safe

2FA operates on the assumption that you and you alone have access to your phone. This isn't the case. The Federal Trade Commission reports qualitative evidence that SIM hijacking, or SIM porting, is a common occurrence. 

This type of hack gives the hacker access to your mobile account which may provide a transcript of text messages, including verification codes.

One way to avoid SIM hijacking is to add a PIN to your mobile account. This is just one added layer of security. Once a hacker has access to your phone, they can wreak havoc on your cyber life.  

2. Phishing is Sophisticated 

Here's how phishing works: a hacker sets up a fake website that looks deceptively similar to a website that you would use for personal information - say your bank account. Then, the hacker sends you an email from a legitimate-looking email address that says there's something wrong with your account, or there's a new message on your account, or your account needs an update, etc. 

The fake email provides you a link to the fake website that looks identical to the real website. You try to log in using your username and password, which hands your login information directly to the hacker.

In the past, phishing would stop there, because they only needed your username and password to access your account. But due to 2FA, phishing has become more sophisticated. 

Now phishing scammers will attempt to access your actual account at the same time you are logging into the fake website. This will prompt the real website to text you a real verification code. When you plug the real verification code into the fake website, you have given the hackers the information they need to circumvent 2FA.
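The reason the relay above works is that a texted code says nothing about where it was typed. The following simulation is an added example, not code from the original post: it contrasts a code-based factor, which the real site accepts even when the code was typed into the lookalike and forwarded, with a challenge-response factor that binds the answer to the browser's actual origin (loosely modelled on FIDO/WebAuthn origin binding, simplified here). The origins, key and message layout are constructed for illustration.

```python
"""Why a relayed one-time code verifies but an origin-bound response does not.

Constructed simulation: the legitimate site is bank.example, the lookalike
the victim was lured to is bank-example.com, and the attacker forwards
whatever the victim submits on the lookalike to the real site unchanged.
"""
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://bank.example"
FAKE_ORIGIN = "https://bank-example.com"  # constructed lookalike origin

# Constructed shared secret between the user's authenticator and the real site.
AUTHENTICATOR_KEY = b"demo-authenticator-secret"


def sms_code_factor(relay_through_fake_site: bool) -> bool:
    """Code-based second factor: the real site texts a code, the user types it.

    The code carries no information about the page it was typed into, so the
    verifier sees the same six digits whether they came from the real login
    form or were forwarded by the attacker from the lookalike."""
    code = f"{secrets.randbelow(10**6):06d}"  # issued by the real site
    typed_at = FAKE_ORIGIN if relay_through_fake_site else REAL_ORIGIN
    submitted = code  # forwarded verbatim; typed_at never reaches the verifier
    return submitted == code


def origin_bound_factor(relay_through_fake_site: bool) -> bool:
    """Challenge-response factor where the answer covers the browser origin.

    Simplified assumption, not the real FIDO/WebAuthn wire format: the
    authenticator MACs the challenge together with the origin the browser is
    actually on. The real site checks for its own origin, so a response
    produced on the lookalike fails even when forwarded unchanged."""
    challenge = secrets.token_bytes(16)  # issued by the real site
    browser_origin = FAKE_ORIGIN if relay_through_fake_site else REAL_ORIGIN
    response = hmac.new(
        AUTHENTICATOR_KEY, challenge + browser_origin.encode(), hashlib.sha256
    ).digest()
    expected = hmac.new(
        AUTHENTICATOR_KEY, challenge + REAL_ORIGIN.encode(), hashlib.sha256
    ).digest()
    return hmac.compare_digest(response, expected)
```

Run both functions with `relay_through_fake_site=True`: the code-based factor still returns True, which is the weakness described above, while the origin-bound factor returns False.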

3. Phones Can Be Stolen

Smartphones that store your email account can be particularly damaging if stolen.

Once a hacker has your cell phone, they can claim "lost password" and reset the account. Typically this requires a text or email verification to complete the update to the password. 

If the hacker already has your smartphone, they have access to your texts and emails to complete the verification. From there it's easy to access all of your personal account information. 

4. Third-Party Login Bypasses 2FA

Depending on the website you are attempting to log into, you are sometimes offered the option to use a third-party login. Some examples of this would be "Login with Your Facebook Account" or "Login with Your Google Account". 

Choosing this option bypasses the site's own 2FA: the site trusts the third-party login instead of running its own verification.

If your Facebook or Google account is compromised, 2FA on the site you logged into doesn't stand a chance of protecting your personal information.

2FA Alone Can't Keep You Safe

2FA is simply the latest "best practice" to keep you safe. Unfortunately, hackers and scammers have quickly outwitted the safeguard. It's a great option, but alone it does not protect you against all attacks. 

When you're looking to do more to protect your online privacy, check out our behavioral multi-factor authentication tools. This takes the next step in continuous authentication! 

Or request a demo to see our products in action.
