As I read more about the study, it began to make more sense. The article was actually a bit misleading. Rather than implying that 2FA as a whole isn’t secure, it was really saying that some people are too trusting and overlook the weaknesses of particular authentication methods. The article generalized 2FA as a password plus a mobile verification code (email or text), but 2FA is much broader than those two factors. There are numerous other authentication methods that can be combined in place of passwords and mobile codes and still constitute 2FA.
The study focused on the concept that using mobile verification codes as an authentication method can be vulnerable to phishing attacks.
Here’s how it works: the user enters a password, the service sends a one-time verification code by email or text, and the user types that code into the application they’re trying to access. In the attack, the hacker already has the user’s password (from a breach or an earlier phish) and starts a login with it, which makes the real service send a genuine code to the user. The hacker then sends the user a bogus message, posing as the service, asking them to reply with or forward the email or text containing the code. A user who complies hands over the one piece the hacker was missing.
A related scenario in which mobile verification codes fall short is the real-time relay, essentially a man-in-the-middle attack on the login flow. The attacker lures the user to a look-alike site by phishing. There, the user is prompted for their username and password. The attacker, operating the phony site, immediately enters those credentials on the real site, which generates a passcode and sends it to the user. The user receives the passcode and types it into the phony site, never realizing it isn’t the site they meant to reach. The attacker captures the passcode, enters it on the real site before it expires, and gets a logged-in session. Nothing about the code tells the real site where the user actually typed it, which is why the relay works.
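The two scenarios above (forwarding a genuine code to a fake request, and the phony site relaying it in real time) succeed for the same reason: the code is tied to the account and a time window, but not to the origin where it was entered, so it is good for whoever presents it first. The simulation below is an added example, not code from the original post or from the study it discusses. It models a legitimate site issuing one-time codes, an attacker’s relay page, and a victim who does exactly what the prompts say; it then shows, as a contrast, a challenge-response in which the browser-reported origin is part of what gets signed (the idea behind WebAuthn), so the same relay produces a response the real site rejects. Every site name, user, password and key in it is constructed for the demo, and the HMAC over a shared per-user key is a stand-in for a real public-key signature.

```python
"""Added example: real-time relay of a one-time code versus an origin-bound
challenge-response. All origins, users, credentials and keys are constructed."""
import hashlib
import hmac
import secrets
import time

PHONE_INBOX = {}  # username -> codes delivered; stands in for the SMS/email channel


def deliver_code(username, code):
    PHONE_INBOX.setdefault(username, []).append(code)


class CodeSite:
    """Legitimate service: password, then a 6-digit code valid for 5 minutes.
    The code is bound to the account and the clock, NOT to where it is typed."""
    ORIGIN = "https://bank.example"  # constructed

    def __init__(self):
        self.passwords = {"alice": "correct horse battery staple"}  # constructed
        self.pending = {}  # username -> (code, expiry)
        self.sessions = set()

    def login_step1(self, username, password):
        if self.passwords.get(username) != password:
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = (code, time.time() + 300)
        deliver_code(username, code)  # always goes to the real owner's phone
        return True

    def login_step2(self, username, code):
        entry = self.pending.pop(username, None)
        if entry is None:
            return None
        expected, expiry = entry
        if time.time() > expiry or not hmac.compare_digest(expected, code):
            return None
        token = secrets.token_hex(16)
        self.sessions.add(token)
        return token


class PhishingProxy:
    """Attacker's look-alike page; relays whatever the victim types to the real
    site as it arrives, so the resulting session belongs to the attacker."""
    ORIGIN = "https://bank-example-login.com"  # constructed look-alike domain

    def __init__(self, target):
        self.target = target
        self.stolen_session = None

    def submit_password(self, username, password):
        # Relaying the password makes the REAL site text the victim a real code.
        return self.target.login_step1(username, password)

    def submit_code(self, username, code):
        # The code is valid for whoever presents it first; here that is the attacker.
        self.stolen_session = self.target.login_step2(username, code)
        return self.stolen_session is not None


def victim_logs_in(page, username, password):
    """The victim follows the prompts on whatever page they landed on."""
    page.submit_password(username, password)
    code = PHONE_INBOX[username][-1]        # reads the freshly delivered code
    return page.submit_code(username, code)  # ...and types it into that page


def run_code_relay():
    """True if the relay leaves the attacker holding a session the real site trusts."""
    bank = CodeSite()
    proxy = PhishingProxy(bank)
    victim_logs_in(proxy, "alice", "correct horse battery staple")
    return proxy.stolen_session in bank.sessions


class OriginBoundSite:
    """Challenge-response where the authenticator signs challenge + the origin the
    browser is actually talking to. HMAC with an enrolled per-user key stands in
    for the public-key signature a real authenticator would produce."""
    ORIGIN = "https://bank.example"

    def __init__(self):
        self.keys = {"alice": secrets.token_bytes(32)}  # enrolled at registration (constructed)
        self.challenges = {}

    def begin(self, username):
        challenge = secrets.token_hex(16)
        self.challenges[username] = challenge
        return challenge

    def finish(self, username, response):
        challenge = self.challenges.pop(username, None)
        if challenge is None:
            return None
        expected = authenticator_sign(self.keys[username], challenge, self.ORIGIN)
        return secrets.token_hex(16) if hmac.compare_digest(expected, response) else None


def authenticator_sign(key, challenge, browser_origin):
    # The browser, not the page content, supplies the origin; a phishing page
    # cannot make it claim to be bank.example.
    return hmac.new(key, f"{challenge}|{browser_origin}".encode(), hashlib.sha256).hexdigest()


def run_origin_bound(browser_origin):
    """True if a login attempted from browser_origin is accepted by the real site."""
    bank = OriginBoundSite()
    challenge = bank.begin("alice")  # a proxy can relay this challenge unchanged...
    response = authenticator_sign(bank.keys["alice"], challenge, browser_origin)
    return bank.finish("alice", response) is not None  # ...but the origin is baked in
```

`run_code_relay()` returns True: the victim did nothing wrong, the code was genuine, and the attacker still ends up logged in. `run_origin_bound(PhishingProxy.ORIGIN)` returns False because the response was computed for the look-alike origin, while `run_origin_bound(OriginBoundSite.ORIGIN)` returns True. The difference is not the strength of the secret but whether the proof of possession is bound to where it was made.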
Why are there vulnerabilities with mobile verification codes?
SMS texts make it harder to judge the source of an authentication code than emails do. With an email you can at least examine the sender’s address and the domain it comes from, and compare that domain with the organization’s real one (bearing in mind that a display name is easy to forge, so it is the domain that matters). With a text, all you see is a phone number, and a phone number is not indicative of the organization it belongs to the way an email domain is. That makes a bogus “please forward your code” text harder for the user to spot.
The advantages of mobile verification codes
I also need to say that while mobile verification code authentication has its vulnerabilities, it also has its advantages. The biggest one is cost. Nearly everyone has a smartphone now. The days of spending money on token devices are over. Mobile verification lets you use technology your users already have.
2FA using mobile verification codes is a secure system - if set up properly. It’s certainly more secure than using only one form of authentication, but how do you set it up to ensure it’s secure? Here are a few tips: