We all know by now that passwords alone aren’t cutting it as a security tool anymore. In fact, a recent study by TeleSign found that 70 percent of consumers have lost confidence in passwords to provide real security for their personal information and 72 percent want something more effective to secure their accounts.
For that reason, we’re seeing a lot of companies turn to some method of two-factor authentication. A new website called Turn It On provides easy instructions for companies that are interested in adding multiple layers of protection to the authentication process. It’s fairly clear why it is important for companies to make two-factor authentication available to their customers—even if it isn’t always easy to get customers on board with making the switch willingly. Yes, people talk a good game about wanting better security, but if you give them a choice, they will still take the easiest path. As ZDNet explained, it often comes down to explaining the importance of the new authentication method in terms the user can understand:
As threat actors evolve and phishing campaigns increase in complexity, there is more risk than ever of falling prey to a scammer and handing over sensitive data -- or being infected with malware which logs your keystrokes. Therefore, it is important to make the general public understand basic security systems and how they can protect their accounts without the need to be a cybersecurity expert.
However, as appealing as two-factor authentication may be—and I am a big proponent of adding layers to the process—it isn’t foolproof. Cybercriminals are smart, and it appears that they’ve already found ways to circumvent the extra security steps.
According to an eSecurity Planet article, criminals have developed a spear phishing attack that bypasses two-factor authentication methods on mobile devices to gain access to email accounts. All the attackers need is the victim’s email address and mobile phone number. The article then explained how they gain access:
The attackers simply leverage the email provider’s password recovery feature, which allows users who have forgotten their passwords to verify their identities by having verification codes sent to their mobile phones. By clicking on the “forgot password” link and requesting the verification code, the attacker prompts the email provider to send an SMS message with the code to the victim’s mobile phone.
This spear phishing attack also appears to follow the recent trend of targeting personal information rather than financial information.
It’s a very clear reminder that while we do—and should—want something beyond a simple password and username/email combination for authentication, there is still no magic bullet, no 100 percent foolproof authentication process out there. Two-factor is better than single-factor authentication, to be sure, and its use should be encouraged, but don’t ever forget that cybercriminals are always looking for a way to beat the system.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba.