The Perils of Two-Factor Authentication

The realities of 2FA and how it has led to too many digital attacks

Jan 7, 2019 · 6 min read

A run of high-profile breaches over the last few years has exposed security holes even in platforms run by technology giants. Whether it is an established social network like LinkedIn or Twitter or a newly popular cryptocurrency exchange like CoinCheck or Mt. Gox, no one seems to be safe from being hacked. As digital attacks have become more common, two-factor authentication (2FA) has been prescribed as the magic pill for securing online accounts, and it is now offered almost everywhere: Google, Facebook and Twitter, to name a few. Yet this wall of defense is wearing thin as attackers keep finding ways into large-scale systems and databases.

Just how risky is it to depend on 2FA alone?

Why is 2FA Failing as a Security Tool?

Most 2FA deployments combine two factors: a password and a one-time code delivered to the user's phone, usually by SMS. Used together they can meaningfully increase account security, but the evidence shows that neither factor is very secure on its own.

Below, we examine the present vulnerabilities of password protection and of the mobile network, taking each factor in turn.

Your passwords might be floating around the dark net


Passwords have never been secure on their own, but their biggest weakness is that they are digital information that can be stolen without the user's knowledge. According to Verizon's Data Breach Investigations Report (2017), 81% of hacking-related breaches leveraged stolen and/or weak passwords. Passwords are, in other words, the attacker's favorite way into a targeted account.

Passwords can be stolen in a number of ways, but spear phishing has become an increasingly popular way to obtain them. Spear phishing personalizes the lure so that the victim clicks on or otherwise interacts with malicious material (typically an email): for example, the attacker impersonates someone from the victim's own network so that the message raises no suspicion. According to the SANS Institute, 95% of all attacks on enterprise networks are the result of successful spear phishing. The dominance of the technique speaks to its ability to trick even internet-savvy users into giving up sensitive information, and as these attacks grow more sophisticated, users can hand over their passwords without ever realizing they were attacked.

Stolen credentials are then sold on the dark web to buyers who want access to valuable accounts. Alongside phishing, breaches of large organizations such as Eurostar and Reddit have become commonplace. It is impossible to know exactly how many accounts are affected at any moment, and anyone's private information may be up for sale. After the LinkedIn breach, in which more than 160 million account records were stolen, the hacker reportedly sold 117 million email and password combinations on a dark web marketplace.

This shows how weak password protection has become, no matter how strong your individual passwords are. Even with high-entropy passwords and a password manager, it is hard to defend against handing over your credentials in a phishing attack, or against having them leaked when a large company is breached.
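One thing a practitioner can do about the breach-dump problem above is check a candidate password against a breach corpus without ever sending the password anywhere. The following is an added example, not code from the original post or from BidiPass: it models, offline and in Python, the k-anonymity range query that Have I Been Pwned's Pwned Passwords service uses (the client sends only the first five hex characters of the password's SHA-1; the server returns every hash suffix in that bucket; the client finishes the comparison locally). The breach corpus and its counts are constructed for the demo and are not real breach data, and `serve_range`/`fetch_range` stand in for the real HTTPS endpoint.

```python
"""Offline model of the k-anonymity range query used by Have I Been Pwned's
Pwned Passwords service to check a password against a breach corpus without
disclosing it. Client: SHA-1 the password and send only the first 5 hex
characters. Server: return every hash suffix in that bucket with its count.
Client: finish the comparison locally. The corpus below is constructed for
this demo and is not real breach data."""
import hashlib
from collections import defaultdict

# Constructed sample corpus (NOT real breach data): password -> times seen.
CONSTRUCTED_BREACH_CORPUS = {
    "password": 3861493,
    "123456": 23547453,
    "qwerty": 3912816,
    "linkedin": 69000,
}


def sha1_hex_upper(password: str) -> str:
    """Uppercase hex SHA-1, the hash form the Pwned Passwords range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Server side: bucket each hash by its 5-char prefix, storing only the
    35-char suffix and the count (the shape the real API serves per bucket)."""
    index = defaultdict(list)
    for pw, count in corpus.items():
        digest = sha1_hex_upper(pw)
        index[digest[:5]].append((digest[5:], count))
    return index


def serve_range(index, prefix: str) -> str:
    """Server side: handle GET /range/<prefix>. Body lines are 'SUFFIX:COUNT'."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    return "\n".join(f"{suffix}:{count}" for suffix, count in index.get(prefix, []))


def pwned_count(password: str, fetch_range) -> int:
    """Client side: how many times the password appears in the corpus, 0 if
    never. fetch_range(prefix) stands in for the HTTPS call; only the 5-char
    prefix ever leaves the client, so the server learns the bucket, not the
    password."""
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate and candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    index = build_range_index(CONSTRUCTED_BREACH_CORPUS)
    fetch = lambda prefix: serve_range(index, prefix)
    for pw in ("password", "correct horse battery staple"):
        n = pwned_count(pw, fetch)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not in corpus'}")
```

Against the real service each bucket holds several hundred suffixes, so the prefix alone does not identify the password; the check tells you whether a password is already in circulation, which is exactly the case the paragraph above describes, but it cannot tell you whether a password that is not yet in a dump has been phished.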

The mobile network is often the weakest link

“The man on the phone reads through the notes and explains that yes, someone has been dialing the AT&T call center all day trying to get into my phone but was repeatedly rejected because they didn’t know my passcode, until someone broke protocol and didn’t require the passcode.”


However, even when standard protocol is followed, mobile users can still be defenseless against scammers. In one case, where the victim lost $8k worth of bitcoin, the user first received a text that read: "You're on the phone with Verizon and just authenticated with an alternative method." Shortly afterwards he noticed that his Gmail and Coinbase accounts had both been taken over. When he looked into how he had lost control of his Verizon account, he found that the only information the hacker had needed was his phone number and billing information.

In another story, detailed in Wired, the victim found that "a billing address and the last four digits of a credit card number are the only two pieces of information anyone needs to get into your iCloud account." He went on to lose access to his Amazon, Apple, Google and Twitter accounts, and with them valuable memories stored on his computer.

With mobile-network vulnerabilities coming to light over the last few years, even the National Institute of Standards and Technology has, in its Digital Identity Guidelines, discouraged the use of SMS for authentication. It is time to look beyond what exists today towards technology designed specifically for verification.

For two-factor authentication to deliver on its promise of stronger security, both factors in the authentication process must be dependable and secure. The harsh reality is that both have become increasingly vulnerable to hacking and phishing. We need to find new ways not only to bring new types of factor (such as biometric data) into the cybersecurity equation but also to protect the data we already own, for example by using blockchain technology to decentralize its storage.

You can follow BidiPass on Twitter, Telegram, LinkedIn, or Facebook.

Written by Renee Yang & Cesar Patiño

