2FA isn't always as secure as you think it is.
Two-Factor Authentication (2FA) should be a key element of everybody’s cyber-security toolkit. And yes, that does include you. No longer an obscure option used only by computer geeks, 2FA helps secure your online accounts (well, most of them - we’re looking at you here Netflix) by requiring an additional form of authentication to log in, separate from your username and password. Sounds good, and it is - mostly. But, as Reddit have recently discovered to their cost, not all 2FA is equally secure. The onus is still on end-users - yes, that’s you, again - to set up and use 2FA correctly.
I already have a secure password, why do I need 2FA as well?
First things first, why do we have logins for our online accounts? Well, partly it’s to make sure that the likes of Gmail can show you the right data; but mostly, it’s a way of proving that you really are you.
Traditionally, this process of authentication has used usernames and passwords. But, even the most secure passwords (and they are few and far between) are pretty useless forms of authentication. First of all, most people are incredibly bad at choosing secure passwords. And secondly, thanks to bugs like Heartbleed, passwords are remarkably easy for malicious actors to discover and use to access your personal data.
2FA works using a cryptographically derived one-time token to validate your identity. What that means in plain English is a special code - usually six digits - either sent to a trusted device, or generated on a trusted device, which the website or app requires before letting you access your account. However it is implemented, using 2FA is undeniably better than not using it, but it is true to say that some ways of using 2FA are better than others.
SMS Messages: better than nothing, but only just
The simplest form of 2FA involves a code sent to your smartphone by SMS message. Even though, it’s important to say again, SMS-based 2FA is better than nothing, there are some serious drawbacks with this setup.
SMS messages aren’t secure. The very idea of 2FA is that only you should be able to access the one-time security code, a premise which can’t be guaranteed with SMS. Reddit recently announced a major security breach where a third party was able to access a complete backup of their site, containing all Reddit data from 2007 and before, including email addresses and passwords. The hackers broke in by accessing employee accounts which were protected by SMS-based 2FA, through compromising and intercepting the SMS messages containing the security codes.
How secure is your mobile phone? If - like most people - you have a smartphone which displays text messages as a pop-up on the screen when they arrive, anyone who pockets your phone will be able to read the security codes you receive and hack your account. That’s before we consider the ease of hacking Android and iOS phones with malware which allows the bad guys to read your messages anyway.
In short, SMS-based 2FA isn’t that great an idea after all; so what’s better?
TOTP/HOTP Apps
TOTP and HOTP are two different protocols for generating one-time login codes for use with 2FA. The difference between them isn’t important for our purposes - you can read more here. What matters is that in these cases, the code is generated on your device, usually a smartphone. This is better than SMS, since it completely removes the possibility of the code being intercepted when it’s sent to you. There’s still the risk that your phone itself will be compromised, but by comparison with SMS-based options it’s a huge improvement.
Hardware tokens
In the world of 2FA, hardware tokens are the holy grail. Small devices similar to USB sticks, hardware tokens are designed to live on your keyring or lanyard and plug into your computer when you need them. Using an independent, encrypted, secure device to generate a code is far and away the most secure option. Hardware tokens aren’t as universally accepted as TOTP apps yet, but it’s only a matter of time. At just a few pounds, they are an option well worth considering for anyone concerned about their online privacy.
Of course, 2FA isn’t a magic bullet. These options are all valuable privacy tools, but many other things such as ensuring that websites you visit use up-to-date encryption (like ours), and that your emails and instant messages are protected with end-to-end encryption, are equally vital. Perhaps most importantly of all, however, is to thoroughly consider how you use your online accounts, and make sure that you adopt robust security practices across the board.