Last month I read an article reporting that researchers found two-factor authentication to be insecure and vulnerable to hacks. My initial reaction was skepticism, since it wasn’t recommending a more secure alternative like multi-factor authentication, but instead simply stating 2FA isn’t secure.
As I read more about the study, it began to make more sense. The article was actually a bit misleading. Instead of implying that 2FA as a whole isn’t secure, it was really saying that some people are too trusting and overlook potential vulnerabilities associated with certain methods of authentication. The article generalized 2FA as consisting of a password and a mobile verification code (email or text), but 2FA is much broader than just these two authentication methods. In fact, there are numerous other authentication methods that can be used together in place of passwords and mobile codes that would still constitute 2FA.
The study focused on the concept that using mobile verification codes as an authentication method can be vulnerable to phishing attacks.
Here’s how it would work: after entering a password, a one-time verification code is sent to the user via email or text. The user then enters the code into the program they’re trying to access. A second, bogus request is then sent to the user by a hacker, asking them to forward the original email or text containing the verification code.
Another similar situation where mobile verification codes present vulnerabilities is the traditional man in the middle attack. In this scenario, the attacker will phish the user to a phony site. Once there, the user will be prompted to enter their username and password. The hacker will then enter the user’s username and password to the real site, which generates and sends a passcode to the user. Upon receiving the passcode, the user inputs it into the phony site, never realizing this isn’t the real site they’re attempting to access. The hacker, operating the phony site, captures the passcode and enters it to the real site to gain access.
Why are there vulnerabilities with mobile verification codes?
SMS texts make it harder to verify the source of an authentication code than emails do. With email, you can examine the source. There’s a specific sender and a specific url associated with every email. It’s explicitly clear at a glance who the email is coming from. With texts, it isn’t always as clear since only a phone number is given. That number isn’t immediately indicative of the organization it belongs to like an email address is.
The advantages of mobile verification codes
I also need to say that while mobile verification code authentication has its vulnerabilities, it also has its advantages. The biggest one is cost. Nearly everyone has a smartphone now. The days of spending money on token devices is over. Mobile verification allows you to utilize technology your users already have.
2FA using mobile verification codes is a secure system - if set up properly. It’s certainly more secure than using only one form of authentication, but how do you set it up to ensure it’s secure? Here are a few tips:
- If you’re using a verification code, make sure a disclaimer message is always included with the email or text instructing the user never to forward or reply to the message.
- You must train your users. Some people are too trusting and are easy prey to a social engineering or phishing attack. Make sure your users are trained as you roll out a new authentication system so they understand exactly how it works - and the potential vulnerabilities they could run into such as false landing sites and form fills. When you hear of attacks and studies that expose a new vulnerability, make your users aware of them so they can watch out for similar attempts.
- Use a second authentication method that’s stronger than one-time SMS or emailed codes. Both are relatively weak since they’re valid for long periods of time. Consider smart cards, biometric factors or time-based one-time passwords (TOTP) instead.
Other blog posts that might interest you: