You should use two-factor authentication wherever it is available. It isn’t perfect, but it stops most attackers in their tracks. But don’t be fooled into thinking it’s impregnable. That’s not the case.
The Password Problem
The password has been the primary means of securing computer accounts since the early 1960s. Sixty-odd years later we’re all inundated with passwords, mainly for online services. Out of curiosity, I checked my password manager. I have 220 sets of login credentials stored in it.
Unless you’re particularly gifted, it’s impossible to memorize that number of complex and robust passwords. That’s why people re-use passwords and use passwords that are weak but easy to remember. Of course, that’s the kind of behavior that places your accounts in danger of compromise.
Automated brute-force attacks, dictionary attacks, and credential-stuffing attacks use lists of words and databases of breached passwords to try to gain unauthorized access to people’s accounts. Whenever there’s a data breach, the stolen data is traded on the dark web and used by cybercriminals as ammunition for their tooling. The software fires the stolen credentials at login pages at high speed, looking for accounts where the password still matches.
The Have I Been Pwned website collects the data from as many data breaches as it can. You can freely visit the site to check whether your email address or any of your passwords have been exposed in a breach. The password check never sends your password anywhere: you submit only the first five characters of its SHA-1 hash, receive every leaked hash that shares that prefix, and compare the rest locally. To give you an idea of the scale of the issue, there are over 11 billion breached accounts in their databases.
With that many passwords, there’s a strong chance that someone else has chosen the same password as you. So even if none of your data has ever been exposed in a breach, somebody else’s data—who happens to have used the same password as you—might well have. And if you have used the same password on many different accounts, that puts them all at risk.
All organizations should have a password policy that gives guidance on the creation and use of passwords. For example, the minimum length of a password needs to be defined, and the rules surrounding acceptable passwords should be laid out clearly for all staff to understand and follow. Current guidance (NIST SP 800-63B) favors length and screening new passwords against lists of breached passwords over elaborate composition rules and forced periodic changes, which tend to produce predictable variations of the same password. Your policy must forbid reusing passwords on other accounts, and basing passwords on pet or family members’ names, anniversaries, and birthdays.
The issue you have is how do you police it? How do you know if staff are obeying these rules? On many systems you can enforce a minimum length, reject dictionary words, and reject any password that appears in a breach corpus at the moment it is set. That helps. But what if someone uses the password for one of their corporate accounts as their Amazon or Twitter password? You have no way of knowing until it turns up in a breach.
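The breach check described above, and the policy screen that uses it when a new password is set, can be done without ever sending the password to a third party. The following is an added example written for this article, not code from Have I Been Pwned. It implements the k-anonymity lookup against the real Pwned Passwords range endpoint, but the demo runs offline against a constructed sample response: the suffixes and counts in SAMPLE_RANGES are made up, apart from the genuine SHA-1 of the string “password”. The 12-character minimum is an assumption, not a quoted standard.

```python
import hashlib
import urllib.request
from typing import Callable

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real Pwned Passwords range endpoint


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix sent to the API
    and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix: str) -> str:
    """Live lookup (not called by the offline demo): returns 'SUFFIX:COUNT' lines for one prefix.
    Add-Padding asks the service to pad the response so its size leaks nothing about the prefix."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(range_response: str, suffix: str) -> int:
    """How often the password appeared in breaches; 0 when no line matches.
    Padding lines carry a count of 0, so they never produce a false positive."""
    for line in range_response.splitlines():
        found_suffix, sep, count = line.strip().partition(":")
        if sep and found_suffix.upper() == suffix:
            return int(count)
    return 0


def screen_password(password: str, lookup: Callable[[str], str], min_length: int = 12) -> list[str]:
    """Policy screen: a length floor plus a breach-corpus check. Returns the reasons for rejection
    (empty list means accepted). min_length=12 is an assumed local policy value."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    prefix, suffix = sha1_prefix_suffix(password)
    hits = breach_count(lookup(prefix), suffix)
    if hits:
        reasons.append(f"seen {hits} times in breach data")
    return reasons


# Constructed sample response for prefix 5BAA6 (SHA-1("password") = 5BAA61E4...8FD8).
# The neighbouring suffix, the padding line and the counts are invented for this demo.
SAMPLE_RANGES = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824",
        "F" * 35 + ":0",
    ]),
}


def offline_lookup(prefix: str) -> str:
    """Stand-in for fetch_range() so the example runs without network access."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ["password", "correct horse battery staple"]:
        print(candidate, "->", screen_password(candidate, offline_lookup) or ["accepted"])
```

Swap `offline_lookup` for `fetch_range` to run the same screen against the live service; the only thing that crosses the network is the five-character prefix.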
Using two-factor authentication improves the security of your corporate accounts, and provides some protection against poor password management too.
Two-factor authentication adds another layer of protection to password-protected accounts. Along with your ID and password, you need to have access to something registered to you: a phone number that receives a code by SMS, a smartphone running an approved authenticator app, or a hardware security key.
An authenticator app generates a one-time code, usually six digits that change every 30 seconds, from a secret shared with the service when you enrolled (the TOTP scheme of RFC 6238). You enter that code along with your password when you sign in. Hardware keys plug into a USB port or talk over NFC or Bluetooth. Some display a code; the stronger kind (FIDO2/U2F) performs a challenge-response instead: the service sends a challenge and the key signs it with a private key that never leaves the device.
Two-factor authentication combines something you know (your password) with something you have (your phone or key). So even if someone guesses or brute-forces your password, the password alone is no longer enough to log in.
Compromising Two-Factor Authentication
There are several ways for an attacker to overcome two-factor authentication and gain access to a protected account. Some of these techniques require elite technical capabilities and significant resources. For example, attacks that exploit weaknesses in the Signalling System No. 7 protocol (SS7) are usually conducted by well-equipped and highly skilled hacking groups, or state-sponsored attackers. SS7 is the signalling network carriers use to set up and tear down calls and to route SMS messages between networks, so access to it lets an attacker redirect the text messages carrying your codes.
To attract the attention of this caliber of threat actors, the targets have to be very high-value. “High-value” means different things to different attackers. The pay-off might not be a straightforward financial one, the attack may be politically motivated, for example, or a part of an industrial espionage campaign.
In a “port out scam” (a close relative of SIM swapping) the cybercriminals contact your cellular carrier and pretend to be you. Sufficiently well-practiced threat actors can convince the representative that they are the owners of your account. They can then have your phone number transferred to a SIM or carrier they control. Any SMS-based communications are sent to their phone, not yours. That means any SMS-based two-factor authentication codes are delivered to the cybercriminals.
Using social engineering techniques to sway the employees of cellular carriers isn’t simple. An easier method altogether is to use an online business text messaging service. These are used by organizations to send SMS reminders, account alerts, and marketing campaigns. They’re very cheap too. For about $15 you can find a service that will forward all SMS traffic from one smartphone number to another, for a month.
Of course, you’re supposed to own both phones or have the permission of the owner, but that isn’t a problem for cybercriminals. When asked if that’s the case, all they need do is say “yes.” There’s no more verification than that. Zero skills required on the part of the attackers, and yet every text message sent to your number, including your authentication codes, is now in their hands.
These types of attacks are all focused on SMS-based two-factor authentication. There are attacks that just as easily circumvent app-based two-factor authentication too. The threat actors may mount an email phishing campaign or use typosquatting to drive people to a convincing but fraudulent login page that acts as a real-time proxy (often called an adversary-in-the-middle attack).
When a victim tries to log in they are prompted for their ID and password, and for their two-factor authentication code. As soon as they type in their authentication code, the fraudulent page forwards the ID, password, and code to the genuine website and logs in with them. The code is only valid for about 30 seconds, but an automated relay needs far less than that, and once it has a logged-in session the attacker holds the session cookie and no longer needs another code. Hardware keys using FIDO2/U2F are the exception: the browser includes the origin of the page in the data the key signs, so a signature produced on the fraudulent domain is rejected by the genuine site.
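The difference between a relayed one-time code and an origin-bound assertion is easiest to see in a small simulation. The following is an added example, not code from the article or from any real service: a toy relying party, a phishing proxy, a browser and a security key are all hypothetical classes, the account data is constructed, the one-time code is a fixed stand-in for the TOTP a real server would verify, and an HMAC stands in for the ECDSA signature a real FIDO2 key would produce. What it does reproduce faithfully is the WebAuthn rule that the browser, not the page, writes the origin into the signed client data.

```python
import hashlib
import hmac
import json
import secrets

GENUINE_ORIGIN = "https://login.example"        # hypothetical real site
PHISHING_ORIGIN = "https://login-examp1e.com"   # hypothetical typosquat hosting the proxy


class GenuineSite:
    """Toy relying party offering password + one-time code, and a FIDO-style assertion."""

    def __init__(self):
        # constructed account; the OTP is a fixed stand-in for a TOTP check
        self.users = {"alice": {"password": "correct horse battery staple",
                                "otp": "123456",
                                "key": secrets.token_bytes(32)}}
        self.challenges = {}

    def login_with_otp(self, user: str, password: str, otp: str) -> bool:
        u = self.users.get(user)
        return bool(u) and hmac.compare_digest(u["password"], password) and hmac.compare_digest(u["otp"], otp)

    def begin_assertion(self, user: str) -> str:
        self.challenges[user] = secrets.token_hex(16)
        return self.challenges[user]

    def finish_assertion(self, user: str, client_data: bytes, signature: bytes) -> bool:
        data = json.loads(client_data)
        if data.get("type") != "webauthn.get" or data.get("challenge") != self.challenges.pop(user, None):
            return False
        if data.get("origin") != GENUINE_ORIGIN:
            return False  # signed on some other site: the relay is caught here
        expected = hmac.new(self.users[user]["key"], hashlib.sha256(client_data).digest(), "sha256").digest()
        return hmac.compare_digest(expected, signature)


class Authenticator:
    """Security key: signs whatever the browser hands it and never sees or chooses the origin."""

    def __init__(self, key: bytes):
        self.key = key

    def sign(self, client_data: bytes) -> bytes:
        return hmac.new(self.key, hashlib.sha256(client_data).digest(), "sha256").digest()


class Browser:
    """Builds clientData with the origin of the page it is actually on, as WebAuthn requires."""

    def __init__(self, origin: str, authenticator: Authenticator):
        self.origin, self.authenticator = origin, authenticator

    def get_assertion(self, challenge: str) -> tuple[bytes, bytes]:
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": self.origin}, sort_keys=True).encode()
        return client_data, self.authenticator.sign(client_data)


class PhishingProxy:
    """The fraudulent page: whatever the victim submits is forwarded to the real site at once."""

    def __init__(self, genuine: GenuineSite):
        self.genuine = genuine

    def relay_otp_login(self, user: str, password: str, otp: str) -> bool:
        return self.genuine.login_with_otp(user, password, otp)  # well inside the code's validity window

    def relay_assertion(self, user: str, victim_browser: Browser) -> bool:
        challenge = self.genuine.begin_assertion(user)            # fetch a real challenge...
        client_data, sig = victim_browser.get_assertion(challenge)  # ...and have the victim sign it
        return self.genuine.finish_assertion(user, client_data, sig)


def run_demo() -> dict:
    site = GenuineSite()
    key = site.users["alice"]["key"]
    on_phishing_page = Browser(PHISHING_ORIGIN, Authenticator(key))
    on_real_page = Browser(GENUINE_ORIGIN, Authenticator(key))
    proxy = PhishingProxy(site)
    return {
        "otp_relayed": proxy.relay_otp_login("alice", "correct horse battery staple", "123456"),
        "fido_relayed": proxy.relay_assertion("alice", on_phishing_page),
        "fido_direct": site.finish_assertion("alice", *on_real_page.get_assertion(site.begin_assertion("alice"))),
    }


if __name__ == "__main__":
    print(run_demo())
```

The relayed one-time code succeeds because nothing in the code ties it to the page it was typed into; the relayed FIDO assertion fails because the victim's browser wrote PHISHING_ORIGIN into the signed client data, and the proxy cannot alter that without invalidating the signature.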
Don’t Stop Using it!
Two-factor authentication can be overcome by a range of techniques, from the technically demanding to the comparatively simple. Despite this, two-factor authentication is still a recommended security measure and should be adopted wherever it is offered. Even in the presence of these attacks, an account with a second factor is far harder to take over than one protected by an ID and password alone. Where you have a choice, prefer a hardware security key over an authenticator app, and an authenticator app over SMS.
Cybercriminals are unlikely to go to the trouble of bypassing your two-factor authentication unless you’re a high-value, high-profile, or otherwise strategic target. So keep using two-factor authentication; it’s far safer than not using it.