Where are the flaws in two-factor authentication?

One of the main tools for keeping hackers at bay offers no guarantee of security

The Economist
Sep 14, 2017
Bill O’Leary/The Washington Post via Getty Images

Two-factor authentication (2FA) is becoming ever more popular as companies deal with growing concerns over cyber-insecurity. With 2FA, account-holders validate their identity online by entering a password and then adding a countersign that is generated by something to which they have physical access. This “second factor” is not fool-proof, though. DeRay Mckesson, an activist with Black Lives Matter, had his 2FA-protected Twitter account hacked last year. Banking customers in Germany had their 2FA accounts hijacked in May. And in August a bitcoin entrepreneur had the equivalent of $150,000 drained from his virtual wallet. How did a second factor fail them?

Security factors can be something you know (a password), something you own (a phone or a smart dongle) or something you are (like a fingerprint). The idea is that whereas a ne’er-do-well might crack your password, that action is futile without access to a piece of hardware you keep close, or a piece of your body. The test often takes the form of a text message (SMS) sent to a mobile phone. Many modern phones are unlocked by fingerprint, which ostensibly adds a biometric layer of protection on top. In theory, these second factors deflect attempts to…
