2FA has become the standard for account security, but it also carries some meaningful limitations. One of them is that it contributes to a false sense of "absolute" security.
Users and account holders have become used to prompts from apps, banks, platforms and websites to turn on Two-Factor Authentication (2FA). But because of the implied narrative that accounts "become" secure once 2FA is turned on, an unintended consequence is that users believe their accounts have now been permanently secured.
Unfortunately, time and time again we've seen that when there's a big enough reason to bypass 2FA, hackers and nefarious actors can do so. Social engineering is a common attack vector for this, but so is SIM swapping. And while these attacks used to be rare, they're becoming more common day by day.
“The problem with 2FA isn't 2FA itself. It's how it's deployed. If an attacker can break any link in the 2FA chain, he can break into your systems.” Steven J. Vaughan-Nichols
SIM swapping is a type of attack that will often also make use of social engineering attacks. It involves fraudulently obtaining a copy of a prospective victim's SIM card (used to receive text messages). With it, the attacker can trigger 2FA requests and receive the single-use codes that many services send by SMS when logging in.
One of the unique aspects of this type of attack is that the victim almost always has no way of knowing they've been attacked. Furthermore, they're often not involved in the attack at all. Because so much private data is now available online, gifted hackers can obtain enough information about a prospective victim through detailed online searches. They can then use this information to convince telecommunications companies (Bell, Verizon, etc.) that they're the rightful owner of a SIM card, and thereby obtain a duplicate SIM card for their attack.
While you may have heard of phishing attacks, traditionally they've only been used to capture a user's login credentials. However, with the advent of 2FA, they've also been updated to simulate 2FA security pages.
In this type of attack, hackers build a page that looks like a website's 2FA security page. When a user goes through this process (perhaps prompted by a phishing email) and enters the valid code from their authentication app, the code is sent directly to the hacker. The hacker then immediately enters this code from their own computer or phone, since the code is only valid for a short window. The victim simply thinks the code didn't work for them (and so, again, is often unaware that their account has been compromised).
Arguably the biggest limitation of a 2FA integration is the false sense of security it can imply to your users. 2FA is often presented as the way to secure an account. Users are then lulled into a false sense of security: their accounts are secure, therefore they don't need to employ other security practices in their day-to-day.
One manifestation of this is users choosing weaker passwords when they have 2FA turned on. They can think "if my account is secured with 2FA, then my password is less important". This is, of course, an erroneous line of thought: once the second factor is bypassed by one of the attacks above, the password is all that's left.
Another manifestation of users falsely believing their accounts are secured is how comfortable they are sharing details about their online selves: if their accounts are secure, then there isn't an issue with posting on social media which platforms they use for banking, stock trading, or health tracking. This type of thinking and behaviour can leak valuable details that increase the likelihood of one of the attacks mentioned above.
Banks and platforms that hold meaningful amounts of Personally Identifiable Information (PII) work hard to build multiple checks and balances. These can include security email notifications (like what we here at Zenlogin focus on), 2FA, bot detection, VPN and Tor restrictions, and relationships with ISPs and large cloud computing platforms to prevent abuse.
But for smaller platforms and companies, this can be cost-prohibitive. Finding the engineering time and talent to implement multiple fail-safes can be difficult. Naturally, we think integrating Zenlogin (or a service like it) is the right approach, but services like Auth0 and Okta can also speed up this process dramatically.
Regardless of the approach, technique or partner you choose to work with, we strongly recommend that any app or platform that lets users log into an account work hard to ensure it has multiple security fail-safes in place for its users.
These can include 2FA, but depending on your product and how much PII you store, may simply focus on less obtrusive techniques (such as email notifications, bot detection, VPN detection, etc.).
Secure your users' accounts with a few lines of code.