You should use two-factor authentication where it is available.
The password problem
The password has been the primary means of securing computer accounts since the 1950s. Seventy years later, we are all inundated with passwords, mainly for online services. Out of curiosity, I checked my password manager. I have saved 220 sets of credentials in it.
Unless you’re particularly gifted, it’s impossible to remember that number of complex and robust passwords. That is why people reuse passwords and use passwords that are weak but easy to remember. Of course, that’s the kind of behavior that puts your accounts at risk.
Automated brute-force attacks, dictionary attacks, and credential-stuffing attacks use word lists and databases of leaked passwords to try to gain unauthorized access to people’s accounts. When there is a data breach, the stolen data ends up for sale or free on the dark web. Cyber criminals use those databases of leaked credentials as ammunition: their software machine-guns the stolen usernames and passwords at login pages, trying each one against account after account until something matches.
The Have I Been Pwned website collects data from as many breaches as it can. You can visit the site for free to check whether your email address, or a password you use, has appeared in a known breach. To give you an idea of the scale of the problem, its database holds more than 11 billion breached account records.
With that many leaked passwords in circulation, chances are someone else has chosen the same password as you. So even if none of your own data has ever been exposed in a breach, it is quite possible that someone else’s data has, and that person happened to use the same password. Attackers do not care whose breach a password came from; it goes into the list either way. And if you have used the same password for many different accounts, they are all at risk.
RELATED: How to check if employee emails contain data breaches
All organizations should have a password policy that provides guidelines for creating and using passwords. For example, the minimum length of a password must be defined, and the rules for constructing passwords must be explained clearly enough that every employee can understand and follow them. Your policy should prohibit reusing a password across accounts and basing passwords on the names of pets or family members, anniversaries, or birthdays.
The problem is enforcement. How do you know whether staff actually follow these rules? Many systems let you set minimum complexity rules so that they automatically reject passwords that are too short, contain no numbers or symbols, or are plain dictionary words. That helps. But what if someone uses the password from one of their company accounts as their Amazon or Twitter password? You have no way of knowing.
Using two-factor authentication improves the security of your company accounts and also provides some protection against poor password hygiene.
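The two checks described above, a password policy that rejects short passwords and dictionary or personal words, and a lookup against the Have I Been Pwned breach corpus, combined in one validator. This is an added example, not code from the original article or from Have I Been Pwned. The breach lookup uses the real Pwned Passwords range API’s k-anonymity protocol: the client sends only the first five hex characters of the SHA-1 hash of the password and receives every breached hash suffix under that prefix, so the password itself never leaves the machine. The network call is stubbed with a constructed sample response so the code runs offline; the blocklists, the breach count, and the `live_range` helper are assumptions made for the example.

```python
"""Password policy check plus a k-anonymity breach lookup (added example)."""
import hashlib
import urllib.request

MIN_LENGTH = 12

# Constructed stand-ins for a dictionary file and the pet/family names a
# policy asks users to avoid (assumption: the organisation maintains these).
DICTIONARY = {"password", "welcome", "letmein", "dragon", "monkey"}
PERSONAL_WORDS = {"rex", "fluffy", "mary", "1985"}

# Constructed stand-in for the body returned by
#   GET https://api.pwnedpasswords.com/range/5BAA6
# Each line is the rest of a breached SHA-1 hash and how often it was seen.
# The count next to the hash of "password" is made up for this example.
SAMPLE_RANGES = {
    "5BAA6": "\n".join([
        "1E2A1B9D8B4D3E5F6A7B8C9D0E1F2A3B4C5:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",  # SHA-1("password")
        "2F0D87A2F6A7EF4C9D3BE1FF0A2B1F7F9D3:17",
    ]),
}


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix
    that is sent to the API and the 35-char suffix that is kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict of suffix -> breach count."""
    counts: dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def offline_range(prefix: str) -> str:
    """Offline stand-in for the API: returns the constructed sample range."""
    return SAMPLE_RANGES.get(prefix, "")


def live_range(prefix: str) -> str:
    """Real lookup (not called in this example). Only the prefix is sent."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-policy-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range=offline_range) -> int:
    """How many times the password appears in the breach corpus (0 = never)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def check_password(password: str, fetch_range=offline_range) -> list[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    if lowered in DICTIONARY:
        problems.append("is a dictionary word")
    for word in PERSONAL_WORDS:
        if word in lowered:
            problems.append(f"contains a blocked personal word: {word}")
    seen = breach_count(password, fetch_range)
    if seen:
        problems.append(f"seen in {seen} breaches")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "Fluffy-the-Dog-2021!", "Tr0ub4dor&3-Correct-Horse"):
        print(candidate, "->", check_password(candidate) or "OK")
```

Swap `offline_range` for `live_range` to query the real service; the rest of the code is unchanged, which is the point of the protocol: the server learns a five-character prefix shared by hundreds of hashes, never the password.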
RELATED: The problem with passwords is people
Two-factor authentication adds an extra layer of security to password-protected accounts. In addition to your ID and password, you must prove that you have a registered physical object in your possession. That object is a hardware token (a dongle) or a smartphone running an approved authenticator app.
The authenticator app on the smartphone generates a one-time code from a secret it shares with the service and the current time. You enter that code along with your password when you log into the account. Dongles plug into a USB port or connect over Bluetooth or NFC. They either display a code or compute a response from a secret stored inside the device and send it to the site directly; the secret itself never leaves the dongle.
Two-factor authentication combines something you know (your credentials) with something you have (your smartphone or dongle). So even if someone guesses or brute-forces your password, they still cannot log into the account without the second factor.
RELATED: Two-Factor Authentication via SMS isn’t perfect, but you should use it anyway
Compromising Two-Factor Authentication
There are several ways an attacker can bypass two-factor authentication and gain access to a protected account. Some of these techniques require elite technical capabilities and considerable resources. Attacks that exploit weaknesses in Signaling System No. 7 (SS7), for example, are usually run by well-equipped and highly skilled hacking groups or state-sponsored attackers. SS7 is the signaling protocol suite that carriers use to set up and tear down calls and to route text messages between networks, so an attacker with SS7 access can have your SMS messages delivered elsewhere.
To attract the attention of threat actors of this caliber, a target must be of very high value. “High value” means different things to different attackers. The pay-off may not be purely financial; the attack could be politically motivated, for example, or part of an industrial espionage campaign.
In a “port out scam” (also called a SIM swap), cyber criminals contact your mobile operator and pretend to be you. A sufficiently practised threat actor can convince the support rep that they own your account and have your number transferred to a SIM or handset under their control. From then on, every SMS sent to your number arrives on their phone, not yours, including every SMS-based two-factor authentication code.
Social-engineering a mobile operator’s employees takes effort, though. An easier method is to use an online business SMS service. Organizations use these to send SMS reminders, account alerts, and marketing campaigns, and they are very cheap. For about $15 a month you can find a service that will redirect all text traffic from one phone number to another.
Of course, you are supposed to own both numbers or have the owner’s permission, but that is no obstacle for cyber criminals. When the service asks whether that is the case, all they have to do is say “yes”. There is no further verification. No skill is required from the attacker, and yet your text messages, and the SMS codes in them, are now being delivered to someone else while your phone keeps working normally.
These attacks all target SMS-based two-factor authentication. There are also attacks that bypass app-based two-factor authentication just as easily. The threat actors set up a phishing email campaign, or use typosquatting, to lead people to a convincing but fraudulent login page.
When a victim tries to log in, the fake page asks for their ID and password and then for their two-factor authentication code. Everything the victim types is forwarded in real time to the login page of the real website and used to open a session in the victim’s account, and because a one-time code stays valid for about thirty seconds, the relay comfortably beats the clock. The attack works on anything the user types in by hand; a hardware key that signs a challenge tied to the real site’s address gives the fake page nothing it can pass on.
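The code mechanism described in the “something you have” section and the real-time relay described just above, worked through in one place. This is an added example, not code from the original article. The first part implements the time-based one-time codes an authenticator app produces (RFC 6238 TOTP, which is RFC 4226 HOTP with the counter set to the current time divided by 30 seconds): the app and the server share a secret, and the code is a six-digit truncation of HMAC-SHA1 over that counter. The second part is a toy login server with a phishing proxy in front of it, showing that a code the victim types into the fake page is accepted by the real site as long as it is relayed inside the validity window, and that the same code is refused afterwards, which is why the relay has to be live. `RealSite`, `PhishingProxy`, the user record and the use of the RFC 6238 test secret are assumptions made for the example.

```python
"""TOTP generation/verification and a real-time relay (added example)."""
import hashlib
import hmac
import struct

STEP = 30    # seconds per code
DIGITS = 6   # what most authenticator apps display


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically
    truncated to 31 bits, reduced modulo 10**digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step)


class RealSite:
    """The genuine service. users maps username -> (password, totp_secret)."""

    def __init__(self, users: dict[str, tuple[str, bytes]]):
        self.users = users
        self.used_steps: set[tuple[str, int]] = set()  # codes already consumed

    def login(self, username: str, password: str, code: str, now: int) -> bool:
        if username not in self.users:
            return False
        stored_pw, secret = self.users[username]
        if not hmac.compare_digest(stored_pw, password):
            return False
        step = now // STEP
        # Accept the previous, current and next step to tolerate clock skew.
        for candidate in (step - 1, step, step + 1):
            if hmac.compare_digest(hotp(secret, candidate), code):
                if (username, candidate) in self.used_steps:
                    return False  # replay of a code that already logged in
                self.used_steps.add((username, candidate))
                return True
        return False


class PhishingProxy:
    """Fake login page that records what the victim types and relays it."""

    def __init__(self, real_site: RealSite):
        self.real = real_site
        self.harvested: list[tuple[str, str, str]] = []

    def fake_login_page(self, username: str, password: str, code: str, now: int) -> bool:
        self.harvested.append((username, password, code))
        # Forwarded immediately, so the real site sees a code that is still valid.
        return self.real.login(username, password, code, now)


def demo() -> tuple[str, bool, bool]:
    """Return (code the victim saw, relay accepted?, later replay accepted?)."""
    secret = b"12345678901234567890"  # RFC 6238 test secret, assumed shared
    password = "correct horse battery staple"
    site = RealSite({"alice": (password, secret)})
    proxy = PhishingProxy(site)

    now = 1111111109                      # a fixed clock for reproducibility
    victim_code = totp(secret, now)       # what the authenticator app shows
    # Victim submits to the fake page; proxy relays two seconds later.
    relayed = proxy.fake_login_page("alice", password, victim_code, now + 2)
    # The attacker tries the harvested code again: same step already used.
    replayed = site.login("alice", password, victim_code, now + 2)
    return victim_code, relayed, replayed


if __name__ == "__main__":
    code, relayed, replayed = demo()
    print(f"victim typed {code}; relay accepted={relayed}; replay accepted={replayed}")
```

The replay bookkeeping is what the RFC recommends and what a real site should do: it forces the attacker to relay while the victim is on the page rather than bank codes for later, but it does nothing against the live relay itself.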
Don’t stop using it!
Two-factor authentication can be defeated by a range of techniques, from technically demanding to almost trivial. Despite this, it is still a recommended security measure and should be turned on wherever it is offered. Even in the face of these attacks, an account with two-factor authentication is vastly harder to break into than one protected by an ID and password alone.
Cyber criminals are unlikely to go to the trouble of bypassing your two-factor authentication unless you are a valuable, high-profile, or otherwise strategic target. So keep using it, prefer an authenticator app or hardware token over SMS where the service gives you the choice, and remember that any of them is much safer than nothing.