Two-Factor Authentication: Better Than Passwords But Still Not Foolproof

Sue Marquette Poremba
Slide Show

Five Reasons Why Information Security Is Everyone's Job

We all know by now that passwords alone aren’t cutting it as a security tool anymore. In fact, a recent study by TeleSign found that 70 percent of consumers have lost confidence in passwords to provide real security for their personal information and 72 percent want something more effective to secure their accounts.

For that reason, we’re seeing a lot of companies turn to some method of two-factor authentication. A new website called Turn It On provides easy instructions for companies who are interested in adding multiple layers of protection to the authentication process. It’s fairly clear why it is important for companies to make two-factor authentication available to their customers—even if it isn’t always easy to get the customers on board to making the switch willingly. Yes, people talk a good game about wanting better security, but if you give them a choice, they will still take the easiest path. As ZDNet explained, often it comes down to explaining the importance of using new authentication in terms the user can understand:

As threat actors involved and phishing campaigns increase in complexity, there is more risk than ever of falling prey to a scammer and handing over sensitive data -- or being infected with malware which logs your keystrokes. Therefore, it is important to make the general public understand basic security systems and how they can protect their accounts without the need to be a cybersecurity expert.

However, as appealing as two-factor authentication may be—and I am a big proponent of adding layers to the process—it isn’t foolproof. Cybercriminals are smart, and it appears that they’ve already found ways to circumvent the extra security steps.

According to an eSecurity Planet article, criminals have developed a spear phishing attack that bypasses two-factor authentication methods on mobile devices to gain access to email accounts. All the attackers need to get is an email address and a mobile phone number. The article then explained how they gain access:

The attackers simply leverage the email provider’s password recovery feature, which allows users who have forgotten their passwords to verify their identities by having verification codes sent to their mobile phones. By clicking on the “forgot password” link and requesting the verification code, the attacker prompts the email provider to send an SMS message with the code to the victim’s mobile phone.

This spear phishing attack also appears to follow the recent trend of gaining personal information over financial information.

It’s a very clear reminder that while we do—and should—want something beyond a simple password and username/email combination for authentication, there is still no magic bullet, no 100 percent foolproof authentication process out there. Two-factor is better than single-factor authentication, to be sure, and its use should be encouraged, but don’t ever forget that cybercriminals are always looking for a way to beat the system.

Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba.

Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.


Add Comment      Leave a comment on this blog post
Jun 26, 2015 7:26 AM Hitoshi Anatomi Hitoshi Anatomi  says:
A+B A but it does not guarantee A1+B A2 (An elderly and a small child could be easily defeated by a single adult). Physical tokens, cards and phones are easily left behind, lost, stolen and abused. Then the remembered password would be the last resort. A truly reliable 2-factor solution needed for important accounts requires the use of the most reliable password. It is obvious, anyway, that the conventional alphanumeric password alone can no longer suffice and we urgently need a successor to it, which should be found from among the broader family of the passwords and the likes. Reply
Jun 27, 2015 1:54 PM user user  says:
In a business environment we are aware that a self service portal for two factor is itself a threat. Therefore we have no self service portal for an attacker to request a new pin or OATH token. there is no forgot password feature when you have no portal available. Lost devices are disabled asap and they still require another factor even when lost prior to disablement. geofactor as a third factor is not discussed in this article. Reply

Post a comment





(Maximum characters: 1200). You have 1200 characters left.




Subscribe Daily Edge Newsletters

Sign up now and get the best business technology insights direct to your inbox.

Subscribe Daily Edge Newsletters

Sign up now and get the best business technology insights direct to your inbox.