Does Two-Factor Authentication Really Protect You?

The big recent change in online security is the Internet itself, which potentially allows anyone access to any system, anywhere, at any time. A typical user needs to remember many combinations of credentials for different websites, including online financial systems. They therefore tend to reuse one or two easily remembered passwords across all sites, or to use a password vault that automatically enters their credentials when they reach a site requiring a login.

That brings a host of other problems in its wake. User information has been stolen from corporate systems, giving attackers the ability to plunder bank accounts, make purchases on stolen credit cards and, in more advanced cases, carry out identity theft. Online security has become serious business for both systems administrators and users.

A more recent measure to improve online security is two-step or two-factor authentication (“2FA”). Simply put, 2FA is a second layer of security that helps protect your personal information. In this model the user signs on to the website as usual with a password, and the system then asks for further verification that the password alone cannot supply.

As the adoption of 2FA has spread, the quality and style of implementations have varied. One common approach is a time-limited PIN code sent by SMS to the mobile number recorded in the user profile; it may also be sent by email. Sometimes the user must instead answer a security question or two. Strictly, a security question is a second password rather than a second factor: it is still something the user knows, and the answers are often guessable or discoverable.

Without 2FA, an attacker who obtains your password can log in, change it and lock you out of your own account; 2FA is intended to stop a stolen password from being enough on its own.

There are, however, some questions over whether two-factor authentication works successfully.

Does it Really Protect You?

Does 2FA work

This is a difficult question to answer. It sometimes does, and sometimes doesn’t, provide the level of security it is thought to. Remember that 2FA has been in general use for at least 10 years, which has given attackers plenty of time to find ways around it.

The answer will be different for different environments. It has become the de facto standard for financial applications because it tries to tie the person logging on to the real account holder defined in the site’s user profile.

2FA matters less for sites that hold no personal or financial data.

Having said that, it is a valiant attempt to provide a further level of security that protects and reassures users and protects vendors.

How 2FA works


  • It increases security by requiring, in addition to the password, a second verification from a separate device in the account holder’s possession. It could be an SMS with a PIN code sent to a nominated mobile number, or a physical token such as a dongle or a one-time-code generator issued to the user.
  • It makes it harder for attackers and thieves to compromise an account, because a stolen password alone is no longer enough: they also need the second device or the code it produces. The idea of 2FA is not to be 100% secure but to make the account sufficiently difficult to break into that the thief moves on to an easier target. With SMS codes, for example, the attacker must also intercept or redirect the message, which means compromising a third party such as the cell service provider, or tricking the user into handing the code over.
  • It provides comfort to the user of online financial services, who feels more secure about access to their financial and personal data. Online retailers and financial service providers such as banks rely on repeat visits by clients and customers, who will move on if they feel their credentials or personal and financial information could be compromised.

Why 2FA may not work


  • Earlier deployments relied on hardware tokens or printed one-time passwords; the mainstream has since moved to SMS or email PIN codes. Those codes are weaker than a token because they are issued by, and travel through, third parties whose systems can be compromised: a SIM swap at the carrier or a hijacked mailbox redirects the code to the attacker, and a code the user types into a convincing fake site can be relayed to the real one within its validity window.
  • It relies on the user keeping their authentication device and credentials secure. If, for example, a user records their credentials in a file on the same smartphone that receives the codes, and that phone is stolen, the thief holds both factors at once: ready access to the bank accounts and the ability to make purchases on online sites.

On the positive side, the increasing use of smart devices with embedded processing capability allows an on-device application to carry out the authentication itself, which makes the 2FA environment more secure and helps the user by automating the process.

The current move is towards a cryptographic key held on the smart device and unlocked by a biometric (fingerprint or face) or a device PIN. In the common FIDO-style design the key never leaves the device: the remote service sends a fresh random challenge, the app signs it with the key once the user has unlocked it, and the service checks the signature against the public key registered for that user. Because each challenge is used once and the signature is bound to the site that issued it, a captured response cannot be replayed or relayed to the genuine site the way an SMS code can.

2FA is an incomplete solution to an intractable problem that will always be with us. It provides a degree of comfort to users but does not guarantee complete security. That will only be possible when the entire chain is made secure.

It is best viewed as a component of an online security environment rather than as a solution in itself.
