Skip to main content

Here’s why people are saying two-factor authentication isn’t perfect

When two-factor authentication was first introduced, it revolutionized device security and helped make identity theft much more difficult – at the slight cost of minor inconvenience added to logins.

But it’s not perfect, nor has it solved all of our hacking and data theft problems. Some recent news has provided more context for how hackers have been sidestepping two-factor authentication and eroding some of our trust in it.

Two-factor authentication over a laptop.
Image used with permission by copyright holder

What exactly is two-factor authentication?

Two-factor authentication adds an extra layer of security to the login process for devices and services. Previously, logins had a single factor for authentication — typically, a password, or a biometric login like a fingerprint scan or Face ID, occasionally with the addition of security questions. That provided some security, but it was far from perfect, especially with weak passwords or autofilled passwords (or if login databases are hacked and that info starts showing up on the dark web).

Recommended Videos

Two-factor authentication addresses these issues by adding a second factor, another thing a person hasto do to guarantee that it’s really them and they have authority to access. Typically, that means being sent a code via another channel, like getting a text message or email from the service, which you then have to input.

Duo Authentication Example.
Image used with permission by copyright holder

Some use time-sensitive codes (TOTP, Time-Based One Time Password), and some use unique codes associated with a specific device (HOTP, HMAC-based One Time Password). Certain commercial versions may even use additional physical keys that you need to have at hand.

The security feature has become so common, you’re probably used to seeing messages along the lines of, “We’ve sent you an email with a secure code to enter, please check your spam filter if you haven’t received it.” It’s most common for new devices, and while it takes a little time, it’s a huge jump in security compared to one-factor methods. But there are some flaws.

That sounds pretty secure. What’s the problem?

A report came out recently from cybersecurity company Sophos that detailed a surprising new way that hackers are skipping over two factor authentication: cookies. Bad actors have been “cookie stealing,” which gives them access to virtually any kind of browser, web service, email account, or even file.

How do these cybercriminals get these cookies? Well, Sophos notes that the Emotet botnet is one such cookie-stealing piece of malware that targets data in Google Chrome browsers. People can also purchase stolen cookies through underground marketplaces, which was made famous in the recent EA case where login details ended up on a marketplace called Genesis. The result was 780 gigabytes of stolen data that was used to try and extort the company.

While that’s a high-profile case, the underlying method is out there, and it shows that two-factor authentication is far from a silver bullet. Beyond just cookie stealing, there are a number of other issues that have been identified over the years:

  • If a hacker has gotten hold of your username or password for a service, they may have access to your email (especially if you use the same password) or phone number. This is especially problematic for SMS/text-based two-factor authentication, because phone numbers are easy to find and can be used to copy your phone (among other tricks) and receive the texted code. It takes more work, but a determined hacker still has a clear path forward.
  • Separate apps for two-factor authentication, like Google Auth or Duo, are far more secure, but adoption rates are very low. People tend to not want to download another app just for security purposes for a single service, and organizations find it a lot easier to simply ask “Email or text?” rather than require customers to download a third-party app. In other words, the best types of two-factor authentication aren’t really being used.
  • Sometimes passwords are too easy to reset. Identity thieves can gather enough information about an account to call up customer service or find other ways to request a new password. This often circumvents any two-factor authentication involved and, when it works, it allows thieves direct access to the account.
  • Weaker forms of two-factor authentication offer little protection against nation-states. Governments have tools that can easily counter two-factor authentication, including monitoring SMS messages, coercing wireless carriers, or intercepting authentication codes in other ways. That’s not good news for those who want ways to keep their data private from more totalitarian regimes.
  • Many data theft schemes bypass two-factor authentication entirely by focusing on fooling humans instead. Just look at all the phishing attempts that pretend to be from banks, government agencies, internet providers, etc., asking for important account information. These phishing messages can look very real, and may involve something like, “We need your authentication code on our end so we can also confirm you are the account holder,” or other tricks to get codes.

Should I keep on using two-factor authentication?

Absolutely. In fact, you should go through your services and devices and enable two-factor authentication where it’s available. It offers significantly better security against problems like identity theft than a simple username and password.

Even SMS-based two-factor authentication is much better than none at all. Infact, the National Institute of Standards and Technology once recommended against using SMS in two-factor authentication, but then rolled that back the next year because, despite the flaws, it was still worth having.

When possible, choose an authentication method that’s not connected to text messages, and you’ll have a better form of security. Also, keep your passwords strong and use a password manager to generate them for logins if you can.

Security and Privacy settings open on a MacBook.

How can two-factor authentication be improved?

Moving away from SMS-based authentication is the big current project. It’s possible that two-factor authentication will transition to a handful of third-party apps like Duo, which remove many of the weaknesses associated with the process. And more high-risk fields will move into MFA, or multi-factor authentication, which adds a third requirement, like a fingerprint or additional security questions.

But the best way to remove issues with two-factor authentication is to introduce a physical, hardware-based aspect. Companies and government agencies are already starting to require that for certain access levels. In the near future, there’s a fair chance we’ll all have customized authentication cards in our wallets, ready to swipe at our devices when logging into services. It may sound weird now, but with the steep rise of cybersecurity attacks, it could end up being the most elegant solution.

Tyler Lacoma
Former Digital Trends Contributor
If it can be streamed, voice-activated, made better with an app, or beaten by mashing buttons, Tyler's into it. When he's not…
Why the Nvidia RTX 4060 Ti simply isn’t enough for 2023
Logo on the RTX 4060 Ti graphics card.

The RTX 4060 Ti isn't one of the best graphics cards you can buy. It's hard to even call it a good graphics card, with reports suggesting that there has been "zero" interest in Nvidia's latest GPU. I've tested the card, and I was going to review it, but this is a GPU that challenges the status quo.

If you visit several sites that review graphics cards, you'll find that scores are all over the place. Some are praising the card for solid power efficiency improvements and Nvidia's Deep Learning Super Sampling (DLSS) at a lower price, while others are focusing on its limited VRAM and the implications that has in modern games.

Read more
Here’s why people are saying to avoid the entry-level M2 Pro MacBook Pro
A person sitting in a vehicle using a MacBook Pro on their lap.

One thing Mac users have always been able to count on in recent years is the blazing speed of their computer’s storage. The brand-new M2 Pro MacBook Pro and M2 Mac mini, however, look set to be bitterly disappointing in that regard.

That’s because multiple outlets have confirmed that Macs outfitted with entry-level M2 chips (both the M2 itself and the M2 Pro) come with much slower read and write speeds compared to the previous-generation models. For instance, 9to5Mac benchmarked the new 14-inch MacBook Pro with M2 Pro chip and found its SSD’s read and write speeds dropped by 40% and 20% respectively.

Read more
Hacker ranks explode — here’s how you can protect yourself
padlock on keyboard.

The number of people that have hacking skills has exploded recently but it's still possible to protect yourself against almost all attacks, according to Microsoft's latest Digital Defense Report.

Microsoft has among the most complete collections of cybersecurity data compiled from Windows computers around the world and has analyzed that information to uncover some interesting insights for 2022. Something immediately obvious from the report is the threat from phishing attacks and ransomware is growing rapidly and at the same time becoming more sophisticated but you can still protect yourself.

Read more