It’s an all-too-common situation. You’re out to dinner when you receive an alert on your phone. It’s a text message carrying a numerical code for logging in to a bank or social media account. You weren’t trying to log into one of your accounts, but clearly, someone else was, and they already had your password. Thankfully, two-factor authentication thwarted the attack.
Two-factor or multifactor authentication (2FA or MFA), around for decades, is the digital equivalent of showing your driver’s license and then signing for the purchase. To prove who you are, you must present evidence from two of three categories: something you know (a password or PIN), something you have (a cell phone or hardware token) and something you are (a fingerprint or face ID). Two pieces from the same category, such as a password plus a security question, do not count as two factors.
Bank cards used with a PIN are one of the earliest everyday examples: the card is something you have, the PIN something you know. You can insert your card at an ATM, but before you can access your account, you must also supply the PIN.
Something similar occurs when you purchase things online. After entering your card number, you must enter the three-digit CVV code on the back (four digits on the front of American Express cards) to show that you have the card in hand. The theory is that it is much harder for a thief to get hold of both your card and your PIN, or both your card number and the card itself. The CVV is a weaker check than a PIN, though: it is printed on the same card, so it only stops someone who has the number without the card, for instance from a receipt or a breached database, which is why merchants are not permitted to store it.
Two-Factor Takes Over
Two-step verification for online accounts caught on in the early 2010s, when large services such as Google began offering it to every user. This form of authentication is now offered by almost every major website and company.
Whenever customers log in from an unfamiliar device or IP address, they receive a one-time numerical code on a trusted device or account, usually via text message or email, and must enter it alongside the password. An attacker who has only the password is stopped unless they can also read those messages. And because the code arrives on your phone, an unexpected one tells you in real time that someone has your password and that you should change it right away.
In our increasingly hackable world, multifactor authentication has caught on like wildfire. Nine in 10 consumers feel that two-factor authentication makes their accounts more secure. And it very likely does: 54% of consumers use fewer than five passwords, so one breach can leave an entire digital and financial life up for grabs, and a second factor is what stops a leaked password from being enough on its own.
How did two-factor authentication become so widely accepted, despite the friction it adds to online experiences? You can thank Heartbleed, the 2014 OpenSSL bug that let attackers read memory, passwords included, from a huge share of the web’s servers, including those of Global 2000 firms. Suddenly, the public realized how vulnerable a password on its own really was, and public campaigns such as #TurnOn2FA urged people to enable a second factor.
An increasing number of companies offer two-factor authentication, including Google, Facebook, Instagram, WhatsApp, Twitter, Apple, Microsoft, Amazon, LinkedIn, Yahoo, Snapchat, Reddit, Pinterest, Slack and PayPal. Now, some companies even require it.
Whenever possible, consumers and companies should enable two-factor authentication, especially on sensitive accounts like banking, email, health records and social media profiles.
While 2FA goes a long way toward making accounts more secure, there are many options, each offering a different level of security. Adding to the headache, fraudsters are busy probing each one’s weaknesses.
Hackers Take on Two-Factor
While many see two-factor as a one-size-fits-all security cure, motivated hackers have realized that a stolen phone number puts the whole system at risk.
Many current two-factor systems rely on SMS text messages, which is a problem if someone takes over your phone number (a “SIM swap”). Once a hacker controls the number, two-factor texts are delivered to their handset instead of yours, and combined with your password they can get into every account that relies on that number.
In this situation, phone companies have proven to be the weakest link in the security chain. A hacker can call a mobile carrier, impersonate you using a few personal details such as a leaked Social Security Number or a credit card number, and get the carrier to move your phone number to their SIM. They can also grab two-factor voice codes simply by gaining access to your voicemail or setting up call forwarding to their phone.
While phone companies are getting better at notifying customers of SIM swaps, these very real concerns prompted the National Institute of Standards and Technology to deprecate SMS-based two-factor in a 2016 draft of its Digital Identity Guidelines (SP 800-63B); the final guideline lists SMS and voice codes as a “restricted” authenticator. But few companies and customers recognize that not all 2FA is created equal.
In a phishing attack demonstrated at a conference in Amsterdam this spring, researchers used tools called Muraena and NecroBrowser to lure a victim to a phony site that silently relays everything to the real one. The victim enters username, password and 2FA code exactly as they would on the genuine page; the proxy forwards them, logs in, and captures the resulting session cookies, which NecroBrowser then uses to drive the account from automated browsers. Because the code is relayed within its validity window, an app-generated code is no safer than an SMS code against this attack, and the automation lets it be run against thousands of unsuspecting victims.
While the philosophy behind two-factor, providing multiple forms of identity, is sound, the technology must evolve to stay relevant. Recent attacks have shown that SMS codes cannot stand up to rigorous scrutiny, because a hacker with control of a phone number has access to everything sent to it.
If SMS is the weakest form of 2FA, authenticator apps offer a higher level of security. Apps like Authy, Google Authenticator, 1Password and LastPass Authenticator display a six-digit code that changes every 30 seconds. The code is computed on the device from a secret the site shares with the app once, at setup, plus the current time (the TOTP standard, RFC 6238). The benefit? Tying codes to a secret on a physical device instead of to a phone number means a hacker who steals or clones your number gets nothing. The caveat is that a code is still just six digits you type, so a phishing page that relays it to the real site within those 30 seconds still gets in. To set these services up, look for the two-factor authentication options on a particular account and choose “use an app” instead of text or email.
Currently, the highest level of two-factor authentication is a U2F (FIDO) security key, a physical device that you plug into or tap against your computer or phone to verify your identity. Hardware tokens like the YubiKey or Google’s Titan Security Key use USB, NFC or Bluetooth to communicate with login pages. What sets them apart from codes is that the key signs a challenge that the browser binds to the website’s real address, so a phishing site, even one relaying in real time, ends up with a signature the genuine site will reject, and there is no code for the user to type into the wrong page.
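To show why the security key resists the relay attack described above where a code does not, here is a simulation added for this article; it is not code from Yubico, Google or the FIDO project. It models a relying party, a browser and a key. The origins are hypothetical, and the key signs with an HMAC stand-in for the ECDSA P-256 signature a real U2F key produces, so the verifying side holds the same secret rather than a public key. Everything else follows the U2F authentication flow: the key signs over the hashed application ID, a counter and the hashed client data, and the client data carries the origin the browser observed.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, Set, Tuple

REAL_ORIGIN = "https://bank.example"          # hypothetical relying party
PHISH_ORIGIN = "https://bank-login.example"   # hypothetical domain the relay proxy lives on
APP_ID = REAL_ORIGIN                           # U2F application ID the key was enrolled under


def _signed_message(app_id: str, counter: int, client_data: bytes) -> bytes:
    """U2F authentication signs H(appId) || counter || H(clientData). The user-presence byte
    that sits between them in the real protocol is omitted here to keep the example short."""
    return (hashlib.sha256(app_id.encode()).digest()
            + counter.to_bytes(4, "big")
            + hashlib.sha256(client_data).digest())


class SecurityKey:
    """Stand-in for a U2F key. A real key signs with a per-site ECDSA P-256 private key; here
    an HMAC over the same fields keeps the example standard-library-only, so the verifier holds
    the same secret instead of a public key. The property shown is unchanged: the signature
    covers a hash of the client data, and the client data carries the origin."""

    def __init__(self) -> None:
        self._secret = secrets.token_bytes(32)   # never leaves the key in the real protocol
        self.counter = 0                          # incremented on every signature

    def register(self) -> bytes:
        return self._secret                       # a real key would return its public key

    def sign(self, app_id: str, client_data: bytes) -> Tuple[int, bytes]:
        self.counter += 1
        msg = _signed_message(app_id, self.counter, client_data)
        return self.counter, hmac.new(self._secret, msg, hashlib.sha256).digest()


def browser_sign(key: SecurityKey, page_origin: str, challenge: str) -> Tuple[bytes, int, bytes]:
    """The browser, not the page's script, fills in the origin of the page that asked for the
    assertion, so a phishing page cannot claim to be the bank."""
    client_data = json.dumps({"typ": "navigator.id.getAssertion", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    counter, sig = key.sign(APP_ID, client_data)
    return client_data, counter, sig


class RelyingParty:
    def __init__(self) -> None:
        self.keys: Dict[str, Tuple[bytes, int]] = {}   # user -> (verification key, last counter)
        self.pending: Set[str] = set()                  # challenges issued, not yet consumed

    def enroll(self, user: str, key: SecurityKey) -> None:
        self.keys[user] = (key.register(), 0)

    def challenge(self) -> str:
        c = secrets.token_urlsafe(32)
        self.pending.add(c)
        return c

    def verify(self, user: str, client_data: bytes, counter: int, sig: bytes) -> Tuple[bool, str]:
        verification_key, last_counter = self.keys[user]
        data = json.loads(client_data)
        if data.get("challenge") not in self.pending:
            return False, "unknown or reused challenge"
        expected = hmac.new(verification_key, _signed_message(APP_ID, counter, client_data),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"            # client data was altered in transit
        if data.get("origin") != REAL_ORIGIN:
            return False, "origin mismatch: " + str(data.get("origin"))
        if counter <= last_counter:
            return False, "counter did not advance (cloned key?)"
        self.pending.discard(data["challenge"])
        self.keys[user] = (verification_key, counter)
        return True, "ok"


def direct_login(rp: RelyingParty, user: str, key: SecurityKey) -> Tuple[bool, str]:
    """User on the real site."""
    return rp.verify(user, *browser_sign(key, REAL_ORIGIN, rp.challenge()))


def relayed_login(rp: RelyingParty, user: str, key: SecurityKey,
                  rewrite_origin: bool = False) -> Tuple[bool, str]:
    """Muraena-style relay: the proxy fetches a genuine challenge, the victim's browser (on the
    phishing page) signs it, and the proxy forwards the result. With rewrite_origin the proxy
    also tries to patch the origin field before forwarding."""
    challenge = rp.challenge()
    client_data, counter, sig = browser_sign(key, PHISH_ORIGIN, challenge)
    if rewrite_origin:
        forged = json.loads(client_data)
        forged["origin"] = REAL_ORIGIN
        client_data = json.dumps(forged, sort_keys=True).encode()
    return rp.verify(user, client_data, counter, sig)


if __name__ == "__main__":
    rp, key = RelyingParty(), SecurityKey()
    rp.enroll("alice", key)
    print("direct   :", direct_login(rp, "alice", key))
    print("relayed  :", relayed_login(rp, "alice", key))
    print("rewritten:", relayed_login(rp, "alice", key, rewrite_origin=True))
```

`direct_login` succeeds; `relayed_login` fails on the origin check because the victim’s browser truthfully recorded the phishing domain; and the proxy cannot simply rewrite that field, because the signature covers it. The counter check mirrors the one real keys expose and is how a relying party can notice a cloned key. Contrast this with a six-digit code, which the relying party can only compare as a string and therefore accepts no matter which page it was typed into.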
The Future of Two-Factor
Just as digital security moved on from usernames and passwords alone, it will also move on from the two-factor that we know today. Using machine learning and biometrics, new forms of security will draw on multiple sources of information, such as on-page behavior, location, voice prints, iris scans, gestures and DNA profiles, to decide whether you are who you say you are. Red flags will cause accounts to freeze until the user can verify their identity.
As we await this brave new world of biometric security, it’s important to move all of your accounts off SMS 2FA and onto an app or a security key, and to remain vigilant: don’t click suspicious links, check the address bar before entering a code, and avoid logging in over public WiFi.
While Bluefin can’t protect you from every form of cyber theft, its technology ensures card data is encrypted the moment it enters a payment system. To find out how our P2PE and tokenization services protect your organization from a data breach, contact a Bluefin representative today.