The limitations of Two-Factor Authentication (2FA)

2FA has become the standard for account security, but it also carries some meaningful limitations. One of them is that it contributes to a false sense of "absolute" security.


Users and account holders have become used to prompts from apps, banks, platforms and websites to turn on Two-Factor Authentication (2FA). But because of the implied narrative that accounts "become" secure once 2FA is turned on, an unintended consequence is that users believe their accounts have now been permanently secured.

Unfortunately, time and time again we've seen that when there's a big enough reason to bypass 2FA, hackers and nefarious actors can do so. Social engineering is a common attack vector for this, but so is SIM swapping. And while these attacks used to be rare, they're becoming more common day by day.


“The problem with 2FA isn't 2FA itself. It's how it's deployed. If an attacker can break any link in the 2FA chain, he can break into your systems.” — Steven J. Vaughan-Nichols

Limitations of 2FA

SIM Swapping

SIM Swapping is a type of attack that will often also make use of social engineering. It involves fraudulently obtaining a copy of a prospective victim's SIM card (the card used to receive text messages). With that copy, the attacker receives the victim's 2FA prompts, which often take the form of single-use SMS codes sent when logging into services.

One of the unique aspects of this type of attack is that the victim almost always has no way of knowing they've been attacked. Furthermore, the victim plays no part in the attack itself. Because so much private data is now available online, gifted hackers can obtain enough information about a prospective victim through detailed online searches. Thereafter, they can use this information to convince telecommunication companies (Bell, Verizon, etc.) that they're the rightful owner of a SIM card, and thereby obtain a duplicate SIM card for their attack.

Phishing Attacks

While you may have heard of phishing attacks, traditionally they've only been used to capture a user's login credentials. However, with the advent of 2FA, they've been updated to simulate 2FA security pages as well.

In this type of attack, hackers build a page that looks like a website's 2FA security page. When a user goes through this process (perhaps prompted by a phishing email) and enters the valid code from their authentication app, that code is sent directly to the hacker.

At this point, the hacker immediately enters the code from their own computer or phone. The victim will just think the code didn't work for them (and is therefore, once again, often unaware that their account has been hacked).

False sense of security

Arguably the biggest limitation of a 2FA integration is the false sense of security it can give your users. 2FA is often presented as the way to secure an account. Thereafter, users are often lulled into a false sense of security: their accounts are secure, therefore they don't need to employ other security practices in their day-to-day.

One manifestation of this is users choosing weaker passwords when they have 2FA turned on. They can think "if my account is secured with 2FA, then my password is less important". This is naturally an erroneous line of thought.

Another manifestation of a user falsely believing their accounts are secured is how comfortable they are sharing details about their online selves: if their accounts are secured, then there isn't an issue with posting on social media which platforms they use for banking, stock trading, or health tracking. This kind of thinking and behaviour leaks valuable details that increase the likelihood of one of the attacks mentioned above.

Multiple security fail-safes

Banks and platforms that hold meaningful amounts of Personally Identifiable Information (PII) work hard to build multiple checks and balances. These can include security email notifications (like what we here at Zenlogin focus on), 2FA, bot detection, VPN & TOR restrictions, and relationships with ISPs and large cloud computing platforms to prevent abuse.

But for smaller platforms and companies, this can be cost-prohibitive. Finding the engineering time and talent to implement multiple fail-safes can be difficult. Naturally, we think integrating Zenlogin (or a service like it) is the right approach, but services like Auth0 and Okta can speed up this process dramatically.

The right steps to secure your user accounts

Regardless of the approach, technique or partner you choose to work with, we strongly recommend that any app or platform that allows users to log into an account work hard to ensure it has multiple security fail-safes in place for its users.

These can include 2FA, but depending on your product and how much PII you store, they may simply focus on less obtrusive techniques (such as email notifications, bot detection, VPN detection, etc.).
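The fail-safes above are easiest to reason about as a small decision rule that runs after a password and 2FA check has already succeeded: is this login coming from a device and country we have seen before, and is the source anonymised? The example below is added here as an illustration and is not Zenlogin's, Auth0's or Okta's code. It assumes the login service already supplies a device identifier (a long-lived cookie or fingerprint), a GeoIP-resolved country and an IP-reputation VPN flag; the user history and login events are constructed sample data.

```python
"""Post-login risk check: decide whether a successful login should be allowed
quietly, allowed with a security notification, or held for a step-up check.
Added example code, not from the original post or from Zenlogin."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class LoginEvent:
    """One successful authentication. Assumed to be supplied by the login
    service: device cookie id, GeoIP country and an IP-reputation VPN flag."""
    user: str
    device_id: str
    ip: str
    country: str
    via_vpn: bool


@dataclass
class UserHistory:
    """What has previously been seen for one account (persisted per user)."""
    known_devices: set = field(default_factory=set)
    known_countries: set = field(default_factory=set)


def assess_login(event: LoginEvent, history: UserHistory):
    """Return (decision, reasons); decision is 'allow', 'notify' or 'step_up'."""
    reasons = []
    if event.device_id not in history.known_devices:
        reasons.append("new device")
    if event.country not in history.known_countries:
        reasons.append("new country")
    if event.via_vpn:
        reasons.append("vpn or anonymising proxy")

    if not reasons:
        return "allow", reasons
    # An anonymised source, or an unknown device from an unfamiliar country,
    # is held until a second check completes (for example an email link).
    if event.via_vpn or ("new device" in reasons and "new country" in reasons):
        return "step_up", reasons
    # A single unfamiliar signal: let the login through but tell the user, so a
    # SIM swap or a relayed 2FA code is noticed while it is still recoverable.
    return "notify", reasons


def build_notification(event: LoginEvent, reasons) -> str:
    """Plain-text body for the security email sent on a 'notify' decision."""
    return (f"New sign-in to your account ({event.user}) from {event.country}, "
            f"IP {event.ip}. Flagged because: {', '.join(reasons)}. "
            f"If this wasn't you, secure your account now.")


def process_logins(events, history: UserHistory):
    """Run the rule over a sequence of logins, learning devices and countries
    from logins that were allowed or only notified. Assumption: a notified
    login is treated as trusted unless the user reports it; a step-up is not
    recorded until the challenge completes (not modelled here)."""
    decisions = []
    for ev in events:
        decision, _reasons = assess_login(ev, history)
        decisions.append(decision)
        if decision != "step_up":
            history.known_devices.add(ev.device_id)
            history.known_countries.add(ev.country)
    return decisions


def sample_history() -> UserHistory:
    """Constructed history: one device, one country."""
    return UserHistory(known_devices={"dev-a"}, known_countries={"CA"})


# Constructed sample logins (documentation-range IP addresses).
SAMPLE_EVENTS = [
    LoginEvent("alice", "dev-a", "198.51.100.7", "CA", False),   # routine login
    LoginEvent("alice", "dev-b", "198.51.100.9", "CA", False),   # new device, same country
    LoginEvent("alice", "dev-b", "203.0.113.42", "BR", False),   # new device, new country
    LoginEvent("alice", "dev-a", "203.0.113.42", "BR", False),   # known device, travelling
    LoginEvent("alice", "dev-a", "203.0.113.77", "CA", True),    # known device via VPN
]

if __name__ == "__main__":
    hist = sample_history()
    for ev in SAMPLE_EVENTS:
        decision, reasons = assess_login(ev, hist)
        print(f"{ev.device_id:6} {ev.country} vpn={ev.via_vpn!s:5} -> {decision:8} {reasons}")
        if decision == "notify":
            print("   email:", build_notification(ev, reasons))
```

The rule deliberately sends a notification rather than blocking on a single unfamiliar signal: a user who really did buy a new phone is not locked out, while a user whose SIM was swapped or whose code was relayed gets an email about a device they do not recognise. Which signals should escalate to a step-up, and when a new device becomes trusted, are product decisions that depend on how much PII the account holds.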

Let your users know you care.

Secure your users' accounts with a few lines of code.