2 Factor Too Weak

Two factor authentication isn’t enough

Being a smart and responsible internet user, you have enabled two-factor authentication (2FA) on all of your accounts. So when you sign in, a code is texted to your mobile and you enter that code as well as your password to log in. This double layer of security makes it impossible to hack your accounts, right?

Wrong! This system relies on the one-time passcode (OTP) staying secret, but the channel used to deliver that code is not secure. SMS is carried over Signalling System No. 7 (SS7), and this system contains a security vulnerability that allows attackers to forward calls, read SMS messages and track the location of the phone.

Equipment that lets attackers do this is cheaply available, provided the attacker can obtain your phone number.

2FA is also potentially vulnerable on the application side. In recent years PayPal, WordPress and Google have all had vulnerabilities in their 2FA implementations exposed. These vulnerabilities allowed attackers to bypass the need for the one-time code entirely and gain access to the accounts.

Another issue with 2FA is synchronization. The key idea behind 2FA is that you need two things to access an account: something you know (your password) and something you own (your phone). However, these accounts are no longer confined to PCs and laptops but can be used on phones as well.

I’m sure those who use online banking are aware that it can be used in a web browser or an app. Having multiple ways to access these accounts means that everything must synchronize. Unfortunately, the process of synchronization makes the 2FA system vulnerable to man-in-the-middle attacks, which were one of the types of attack that 2FA was originally created to prevent.

Should I still use multi-factor authentication?

We would still recommend using two-factor authentication where it is available, as some security is better than no security. It is time, however, to stop thinking of 2FA as a magic bullet that stops you from being hacked.

Your security should consist of multiple layers; 2FA can be one of those layers, so long as it is not the only one.

To make 2FA more secure, consider using another method of receiving the one-time codes that does not rely on SMS (or email).

If you must use SMS, consider getting a cheap disposable phone with a secret telephone number and use that number solely for 2FA.
