Should 2FA be Mandatory?
With most people spending the foreseeable future working from home, I figured that it would be a good time to discuss password security. With the increasing amount of breaches every year, a strong password isn’t enough to stop you from getting hacked, even if it is salted and hashed. This is where two-factor authentication (2FA) steps in to help improve your security. As I have discussed in a previous article, enabling 2FA on all websites and applications that offer it is a quick way to make yourself more secure.
What is 2FA?
2FA is a subset of multi-factor authentication (MFA). MFA is an authentication method that requires you to present 2 or more pieces of evidence that you are who you say you are. 2FA is less strict than MFA since it only requires 2 pieces of evidence, also known as factors.
What are the factors?
Depending on who you ask, there are anywhere from 3–5 different authentication factors that may be used by 2FA systems. However, most systems use the following 3 factors:
- Something you know: This is something that is only known to you. Some examples include a password or a bank PIN
- Something you have: This is something that only you should have. Some examples include a bank card, a key card, or an RSA SecurID key
- Something you are: This is something that only you are. An example of this is a fingerprint.
Using these 3 factors, you can create a secure 2FA system. The most common example of 2FA involves using a bank ATM. To use a bank ATM, you must insert your bank card (something that you have) and enter a bank PIN (something that you know).
The other 2 factors that some systems use are:
- Location: This limits the locations that you can log in to a service from or uses your current location to track where you are logging in from to detect suspicious activity (such as logging in from two different locations at once)
- Time: This restricts logins to a specific time interval
Why should we use it?
By enabling 2FA, you are adding another layer of security between your data and an attacker. It’s similar to a home security system. Everyone has locks on their doors, but some people go the extra mile and add home security systems, cameras, and other devices to increase their security and feel safer in their own homes. In this case, the lock on your front door is your password, and everything else, while not required, makes your home more secure if someone tries to break in.
The trick lies in balancing security and convenience. You wouldn’t use a home security system that required you to remember a 32 digit code, perform a retina scan, and restricted your ability to leave the house after 10 PM. These features, while being extremely secure, are too invasive to be used by a regular homeowner. A convenient amount of security is provided simply by using a 4 digit code that you must enter on a keypad when you leave your house. Similarly, 2FA should be easy and seamlessly integrated into the application otherwise users won’t use it.
How is it implemented?
Today, many of the most common applications and websites offer 2FA such as Google, Facebook, Twitter, Steam, and Amazon. There are 4 main ways of implementing 2FA that affect how a user logs in to an application:
- SMS Message: Upon entering their username and password, a text message is sent to the user with a code that must be entered to log in to the application.
- Email: Upon entering their username and password, an email is sent to the users' email address and may either contain a code that must be entered or a link to the website.
- Security Keys: Upon entering their username and password, the user will be prompted to enter a code displayed on a physical key device that they carry with them. The most common example of this is the RSA SecurID token.
- Authentication App: Upon entering their username and password, a push notification is sent from an app on the users' phone that contains a time-sensitive code that they can use to log in to the application. The Steam authenticator is shown below.
How can it be compromised?
2FA is not perfect, it can still be breached by attackers. Below are 4 ways that an attacker can compromise a 2FA account. Some of these methods depend on weaknesses in the implementation of 2FA on the applications side, while others can be executed on fully secured systems through social engineering.
- Phishing: If a victim is lured to a fake login page, the attacker can take the credentials (username/password) entered by the victim and forward them to the real login page. The real login page will then ask the attacker for a 2FA code that is sent to the victim. The attacker then prompts the victim for the 2FA code that they received on their phone, which they then forward to the real login page. It should be noted that this attack is even easier without 2FA enabled, as it would only require the attacker to prompt the victim for their username and password.
- Password Reset: On many applications, 2FA can be bypassed by using the “Forgot your password” function. Your email address must already be compromised for this attack to work.
- Brute Force: An attacker may be able to attempt all of the combinations of letters and numbers that make up the 2FA code. There is not much that you as a user can do to prevent this. A good 2FA implementation will restrict the number of attempts at guessing the 2FA code and will also make the 2FA code work for a short period (for example 20 seconds after entering your username and password).
- Third-Party Login: If you use “Login with Facebook” to skip creating an account for certain websites, you are putting yourself more at risk if your Facebook account gets compromised.
Should it be mandatory?
Now that we understand what 2FA is, how it’s implemented and some possible ways around it from an attacker's perspective, it’s time to answer the question. In my opinion, 2FA should be mandatory for all consumer applications and any internal applications that deal with important or sensitive data. Offering 2FA makes applications more secure while not sacrificing many conveniences on the users' end. There are many ways to implement 2FA and companies can choose the one that works for them the best.
However, it’s important to note that making 2FA mandatory will not solve all of our security problems. Adding 2FA does add another system that can potentially fail, leading to system downtime or customer complaints. As has been shown above, there are still many ways to get around 2FA as an attacker. Many of these attacks have nothing to do with faults in the implementation of 2FA and instead target the users of it.
As always, there is no silver bullet to security. You are never 100% secure and your data is never 100% safe. Any additional protections that you put in place are there to decrease the probability that you will get hacked and to reduce the damage caused by getting hacked.