Blog, Learning Center November 17, 2020

What’s Wrong with Two-Factor Authentication?

Passwords have been used to secure facilities and information since ancient times. The Greeks and Romans used password protection in their militaries to ensure that approaching troops could be trusted, and even today the U.S. military makes use of call-and-response passwords to defend classified areas in austere environments.

However, throughout history passwords have proven vulnerable to any number of external threats (guessing, theft, reuse, interception), so security professionals have long sought a better way to let the good guys in and keep the bad guys out. Enter two-factor authentication (2FA).

What is Two-Factor Authentication?

Two-factor authentication is an authentication method in which a user is granted access to a particular network, platform or application only after presenting two independent pieces of evidence (factors) to the authentication mechanism. The factors are meant to come from different categories: something the user knows (a password), something the user has (a device or token) or something the user is (a biometric).

Most often, 2FA pairs a password with a possession factor: a physical token such as a smart card or hardware key, a one-time passcode sent to the user's cell phone by SMS, or a code produced by an authenticator app that was enrolled by scanning a QR code from the service.

This method of authentication is now standard among most organizations that maintain databases containing sensitive or classified information, such as hospitals, research institutes and government organizations. They are attracted to the additional security that an extra layer of authentication affords them, as well as the relatively low cost of issuing physical tokens or using a third-party two-factor authentication service.

What’s the problem with 2FA?

However, 2FA is far from perfect. Many users report that the additional hurdles of two-factor authentication are overly inconvenient, which can cause annoyed users to cut corners and take shortcuts that make the system more vulnerable.

Though requiring an extra identifier does deter some hackers from attacking systems defended with two-factor authentication, many others are willing to deal with the additional hurdle if they believe that the information stored within their targeted organization is worth the effort.

In addition, 2FA really doesn't provide identity authentication. The second factor proves possession of a device (or knowledge of a code that was sent to it) under the assumption that the owner of that device will be the only person using it, which can certainly be incorrect. In this way, 2FA is an 'identity approximation' system that grants access to individuals based on known devices, and hackers have become adept at subverting the link between the device and its owner.

The most obvious way for a hacker to defeat a two-factor authentication system is to steal the physical token or cell phone, and for SMS-based codes the theft can be carried out entirely remotely. In a SIM swap attack (often loosely called SIM cloning), the attacker persuades the carrier to move the victim's phone number onto a SIM the attacker controls, so authentication SMS messages are delivered to the hacker's device instead; this is how Twitter CEO Jack Dorsey's account was hijacked in 2019. A time-based one-time password (TOTP) algorithm, such as the multi-application system that SecurityScorecard has implemented, is an effective defense against this scheme: the code is computed on the device from a shared secret and the current time, so there is no SMS to reroute.

Social engineering attacks are common as well, and can take multiple forms. Criminals can call users while posing as banks or trusted agents and ask them to read back the passcode that was just sent, or provide links to spoofed websites through phishing attacks that capture the password and the one-time code together and relay them to the real site before the code expires. They can also pose as the user and contact the cell phone carrier to carry out a SIM swap attack.

Especially concerning is the fact that, for the most part, carrying out 2FA attacks does not require a great deal of skill or effort from hackers. These kinds of attacks are often carried out by novices, so organized crime syndicates and nation-states with considerable resources pose an even more serious threat.

What’s the solution?

The primary vulnerability of current 2FA methods is their dependency on device authentication rather than true identity authentication, so any solution that promises to improve this mechanism must help machines better discern true human identities. Many cybersecurity experts now believe that biometric authentication could be the answer.

Biometric authentication uses sensors to measure a physical characteristic of the requesting party (a fingerprint, a face, an iris) and compares it against the enrolled template of a known user. Anyone who has ever used a fingerprint or facial scan to unlock their cell phone has made use of this technology.

The beauty of this security system is its ability to link access privileges to real people, rather than to devices and passwords. Biometrics make far fewer assumptions about ownership and knowledge; what is checked is a characteristic of the human being present. This makes it much more difficult for criminals to impersonate bona fide users, thereby making networks and platforms more secure.

Current iterations of biometric technology have been shown to have vulnerabilities, such as presentation attacks in which a sensor fails to distinguish a two-dimensional photograph from a three-dimensional face, but industry has kept pace and fielded liveness-detection technologies to counter these issues. Sufficient investment in biometric authentication should continue to yield breakthroughs that make hacking protected systems increasingly challenging.

Numerous other multi-factor authentication (MFA) systems are also under development that aim to make complying with stringent security standards less onerous for users. One method, for example, compares the ambient noise recorded by a user's cell phone with the ambient noise recorded by the device requesting access, in order to confirm that the validated user is physically near the device being accessed, without asking them to type a code.

Novel implementations of MFA and biometric technologies will be the future of authentication, and will help to make sure that individuals and companies everywhere stay one step ahead of criminals and hackers.

How can SecurityScorecard help?

Companies are only as strong as their weakest link, so it’s important that they have a strong hold on their security posture. Fortunately, SecurityScorecard’s security ratings platform gives you an outside-in view of your organization’s cybersecurity posture. We continuously scan your entire IT ecosystem, including vendors, across ten risk factor categories, including IP reputation, DNS health, network security, web application security, endpoint security, patching cadence, hacker chatter, information leakage, and social engineering.

Our easy-to-read A-F rating scale gives you at-a-glance visibility into your controls’ effectiveness. With our platform, you can drill down into each risk factor category to gain detailed information about weaknesses, helping your security team prioritize remediation activities for enhanced security.