What’s So Funny About Two Factor Authentication?
Apologies to Elvis Costello. There has been a lot of buzz lately about organizations implementing two factor authentication (known as 2FA). In recent months organizations such as Twitter, Facebook, Evernote and many, many others have added 2FA capabilities to their sign on process. So, what is this all about, and how well does it work?
What is 2FA?
First, what is 2FA? It is the notion of requiring at least two of A) something you have (e.g. ATM card, mobile phone), B) something you know (e.g. password, secret question), and C) something you are (e.g. fingerprint, voiceprint). The idea behind these organizations' implementations is that by sending a code to the phone by SMS or a voice call and requiring that code to be entered on the website, the mobile phone becomes "something you have" in addition to the password.
So, does it work?
Yes... and no. It depends. For most non-financial organizations it is a reasonably good solution for improving security and preventing account takeovers. This is not to say it is perfect. There are potential weaknesses: for example, if you don't enable 2FA and a criminal gains access to your password, they could enable 2FA themselves and make it virtually impossible for you to regain control of the account. Similarly, depending on the implementation, there could be other weaknesses, such as this one described by F-Secure. Like any security practice, the implementation specifics determine how well the practice works, but for low to medium security applications the method tends to work well at a reasonable cost.
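As an added illustration (not code from this post or from any of the services it names), here is a minimal second-factor code step in Python that shows where the "implementation specifics" live: a fresh random code per login, an expiry, a cap on wrong guesses, single use, and a constant-time comparison. Delivery to the phone is stubbed, and the five-minute TTL and five-attempt limit are assumed policy values.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed policy: a code is accepted for five minutes only
MAX_ATTEMPTS = 5         # assumed policy: lock the challenge after five wrong guesses


class SecondFactor:
    """Issue and verify one-time codes delivered out of band (SMS or voice call).

    Hypothetical helper for illustration. Delivery is stubbed: issue() returns
    the code to the caller, who plays the role of the phone.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}   # session_id -> [code, expiry, attempts_left]

    def issue(self, session_id):
        # A fresh, unpredictable six-digit code for every login attempt; never reused.
        code = "".join(secrets.choice("0123456789") for _ in range(6))
        self._pending[session_id] = [code, self._now() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code   # in production this goes to the SMS gateway, never back to the browser

    def verify(self, session_id, submitted):
        entry = self._pending.get(session_id)
        if entry is None:
            return False   # no challenge outstanding for this session
        code, expiry, attempts_left = entry
        if self._now() > expiry:
            del self._pending[session_id]
            return False   # stale code: force re-issue instead of accepting it late
        if attempts_left <= 0:
            del self._pending[session_id]
            return False   # guess budget exhausted: the challenge is dead, even for the right code
        entry[2] -= 1
        # Constant-time comparison so response timing does not leak matching digits.
        if hmac.compare_digest(code, str(submitted)):
            del self._pending[session_id]   # single use: a replayed code must fail
            return True
        return False
```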
How about high security applications like banking?
High security applications such as online banking or access to corporate resources require strong authentication. Some financial institutions implemented similar SMS- and token-based 2FA over the last few years. For some time it worked well, but it did not take long before advanced cybercriminals developed malware to circumvent this technique, allowing the criminal to "piggyback" on the legitimate user's authenticated session. They have also developed SIM swapping and Call Forward Unconditional (CFU) techniques to intercept the verification codes directly. In short, while these techniques are useful for banking, simple token-based 2FA may not be enough for clients with high balances such as small businesses or wealth management customers.
So what are the alternatives for financial institutions? We'll get deeper into that in an upcoming post looking at a range of authentication options. In general, though, if a web service offers 2FA, it is probably a good idea to enable it.