Article in Code Manual, Product Development and Strategy categories.

How Secure Is Two-Factor Authentication?

SMS two-factor authentication won't give you total security. Google Authenticator or USB dongles are better, while a hardware token is best.

Some of you have a special authentication service or code-generating device to secure your online transactions. To you, we bow down. The rest of us, if we’re honest, are doing the bare minimum not to have our Citibank accounts hacked by Russian malware. Yet we know that security is one of the biggest issues for users and app developers. And chances are, your information isn't safe.

You’ve likely noticed an uptick in the number of sites and apps that require you to type in a code sent to you via SMS or email to verify that it is you making a purchase or changing your account details. And in the past few years, you’ve probably needed to update your password after a security breach. Passwords seem to be getting longer and more complex (“password must be 13 digits, and contain a prime number and a pineapple emoji”) and users are being prompted to add their mobile phone number to accounts as backup.

The latter step is part of a process called two-factor authentication, or 2FA for short, and is what a lot of tech companies use as a fix for protecting their users from security breaches. The Times recently called it a "moral imperative." The most commonly used 2FA uses an SMS code. While it would be nice to have a universal authentication device, phones have become the default, simply because so many users own them. Password-protected accounts can always be hacked, and, at its best, 2FA removes vulnerable passwords (“secret” “1234”) from the equation.

Head of Backend Development at Fueled, Paul Oostenrijk, has seen the conversation around digital security grow over the past few years. “Two-factor authentication wasn’t a thing anyone was using four years ago — you had those VPN chains,” he says. “That was the first form of 2FA. But security is more of a concern now and the conversation has progressed.”


All Hail Two-Factor Authentication

Having gained attention after a fairly well-known hacking of journalist Mat Honan in 2012, 2FA was hailed as the next best way to keep users safe online. Two-factor authentication requires that the user prove two out of three credentials: Something you know (PIN, password), something you have (smartphone, ATM card, fob), or something you are (fingerprint or voice print).

Let’s look at how this works. Everyone online is familiar with using a password or PIN (something they know), which is one factor, and now many receive a one-time code via SMS on their mobile phone (something they have/second factor), to buy something online, change a password on a locked account, or transfer money, among other things. Some people use a code-generating fob (another second factor) in order to securely access a bank account or access a work server via VPN from home. Depending on what you do online and what equipment you have, you may be using fingerprints or voiceprints (something you are) to gain access to an account details or pay for something with, say, Apple Pay or Google Wallet with your smartphone (something you have).

In the U.S., Twitter, Facebook, Google, Apple, Amazon, Bitcoin, Yahoo!, almost all email services, some banks, some insurance companies, and some other online services have implemented some type of 2FA. (Not included in that list are Netflix and most airlines, because you’re sharing your Netflix login with your friends around the world anyway, right?) You’ve likely noticed you’re doing more work to log in to your accounts, especially verifying certain purchases or when you forget your now-complicated password. You are pretty confident this means it is harder for a hacker to get into your account, because more work for you means more work for them, right?


Some 2FAs Are Better Than Others

Unfortunately, not all 2FAs are equal. The most common type is the one-time code sent via SMS because this is the easiest one for a company to implement. Who wants to carry around a code-generating fob to make a purchase, say, on iTunes? Plus, getting a one-time code that goes directly to your mobile phone is kind of a pain, and what hacker is going to be able to intercept an SMS? Actually, it’s not that hard and happens with high-profile cases rather often.

In fact, it has happened so often that the U.S. National Institute of Standards and Technology (NIST) decided in August 2016 to stop allowing any services that plug into government IT systems from using SMS-based 2FA codes. NIST wants people to use services such as Google Authenticator or USB dongles. Devolutions concludes that of the most popular 2FA services, those reliant on a dongle provide a loss risk. An online authenticator is a better option, and Authy seems generally the most appealing of those, being available in a desktop app as well as on mobile, and easy to integrate with your phone's authentication settings. Among non-dongle services, Authy saves you headaches if you lose your phone or switch to a new one by allowing you to reinstate it without re-configuring all your accounts. Authy's competitor, Google Authenticator, doesn't do that.

Developers need to balance security features with usability and pricing, Oostenrijk says. “The old VPN code generators on these keychains were great, but it’s cumbersome for the user. And building in support for a third-party device just isn’t a realistic solution for app developers.”


What About Biometrics?

There’s an entire world of discussion about the security of using biometrics like fingerprints, voice prints, ear shape, iris scans, or face recognition software to protect your accounts. Proponents of biometrics like that it reduces your effort level, particularly for high-profile users or those who need really strong security for what they do online. The underlying fear about this method is that once your fingerprints, or some other biometric, are compromised, you can’t exactly change your fingerprints and start over. It’s a great Black Mirror episode plot, but not what you want to deal with in your life.

Whether or not those biometrics could be used to get into someone’s iPhone and then into all their Touch ID accessible accounts, for example, is a question that warrants a separate post. Apple and Google, unsurprisingly, both have a Secure Enclave feature in their newer iPhone and Android OSs meant to improve security when using fingerprint-based access, but there is  debate if it’s really the “ultimate lock down.”

Security Can’t Stop a Brute-Force Attack

There is no such thing as complete security, Oostenrijk argues. “If you have fences across your garden, those will deter intruders but never keep them out entirely. It’s the same with online security: you can never completely lock up security, short of operating on your own private network.” The internet is premised, of course, on being open, he says, and barriers to connectivity can end up driving the user mad. You want to make it as easy as possible for the user to get in and as difficult as possible for hackers. “Passwords are indeed a powerful tool if you choose a hard password. Likewise, 2FA can be a powerful tool, but biometrics are going to be more powerful than SMS codes. It’s all a question of deterrence.”

In the meantime, you now know that the commonly used SMS codes for 2FA aren't entirely sufficient, even if the public perception is that the practice feels secure. If you’re bothered, use one of the more secure methods available and, more importantly, let the companies who run the services and apps you use know that you want them to do better.


Users Still Shoulder Some of the Responsibility for Security

The flip side of “doing better” is that it creates more work, and possibly frustration, for Joe or Jane Average user who probably should already have a better password in the first place and likely has all of them written on a piece of paper in his or her desk drawer. But then again, how much fun is it to get notification from yet another bank, email service, big-box chain, insurance, or other company stating that your personal or financial details have been part of a cyberattack? No one wants the disruption of having to change your password or get a new credit card. Meanwhile, whatever bits of your personal or financial details that were stolen are still “out there.”

2FA in all its forms is an integral part of a balance of how far a company is willing to secure their services, how much  “inconvenience” they can bear to ask of their users, how much security Joe or Jane Average wants, and how much they perceive they are getting.

More Articles By micheleperez

Recent Articles

Previous post Do You Need a .Com Domain? August 31, 2017
Next post The Startup App Economy September 7, 2017