Cyber criminals are getting smarter and more resourceful at the same time as the technology at their fingertips continues to evolve. This combination is breeding a new class of hackers that are able to bypass systems previously thought secure. The most vulnerable of yesterday’s “secure” access management systems is two-factor authentication (2FA), and the One-Time Password-based (OTP) systems primarily used for 2FA.
The Problem with OTPs
At one time OTPs were thought to be an extremely secure solution for login. Using a hardware 2FA token or an SMS-based OTP is better than using a password alone, but both still rest on a vulnerable foundation – a crackable algorithm generates the code.
All OTP generators use an algorithm to produce the seemingly random sequence of numbers and letters that 2FA uses. This algorithm is shared between the token and the system, which doesn’t check the actual string, but rather that the string is decipherable by the algorithm. If it is, you’re granted access. That’s why you can’t just type in a bunch of random numbers and letters to crack an OTP-based 2FA system. However, it does mean that the system is vulnerable to a hacker. All a criminal needs to do is access the system and extract the algorithm itself (a task that is easier said than done, but not impossible), and they’ll be able to generate legitimate codes that the system accepts, rendering it useless.
Of course, there are controls that can be put in place to reduce the opportunity for a hacker to do this, but this is not the only weakness of these systems. Man-in-the-Middle and brute-force attacks can also crack 2FA systems given enough time.
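To make concrete what “the algorithm shared between the token and the system” means, here is an added example (not code from the original post, and not any particular vendor’s product) of the standard HOTP/TOTP scheme from RFC 4226 and RFC 6238 that most 2FA tokens implement. Both sides hold the same secret seed; the token derives a code from the seed and the current time step, and the server recomputes the same code from its own copy and compares. Anyone who obtains the seed can therefore mint valid codes, which is the extraction risk the text describes. The verifier class shows the defender-side mitigations for the brute-force and replay concerns: a fixed small clock-skew window, constant-time comparison, refusal of already-used codes, and a per-account failure counter, since a six-digit code has only one million possible values. The `OtpVerifier` class and its parameter names are this example’s own; the 20-byte seed `"12345678901234567890"` is the published RFC test secret, used only so the output can be checked against the RFC tables.

```python
import hashlib
import hmac
import struct

DIGITS = 6          # code length; most authenticator apps use 6
STEP_SECONDS = 30   # TOTP time step from RFC 6238


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at_time: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the time step (the token side)."""
    return hotp(seed, int(at_time // step))


class OtpVerifier:
    """Server side (example class, not from the post): recompute from the shared seed and compare.

    Accepts +/- skew_steps of clock drift, rejects replay of an already-accepted step,
    and locks the account after max_failures wrong guesses to blunt brute force.
    """

    def __init__(self, seed: bytes, max_failures: int = 5, skew_steps: int = 1):
        self.seed = seed
        self.max_failures = max_failures
        self.skew_steps = skew_steps
        self.failures = 0
        self.last_accepted_step = -1  # highest time step for which a code was accepted

    def locked(self) -> bool:
        return self.failures >= self.max_failures

    def verify(self, submitted: str, now: float) -> bool:
        if self.locked():
            return False  # a real system would also alert and require unlock
        # Only ASCII digits are valid; this also keeps compare_digest from raising on non-ASCII input.
        if not (submitted.isascii() and submitted.isdigit()):
            self.failures += 1
            return False
        current = int(now // STEP_SECONDS)
        for step in range(current - self.skew_steps, current + self.skew_steps + 1):
            if step <= self.last_accepted_step:
                continue  # never accept a code for a step already used (replay)
            if hmac.compare_digest(hotp(self.seed, step), submitted):
                self.failures = 0
                self.last_accepted_step = step
                return True
        self.failures += 1
        return False


if __name__ == "__main__":
    rfc_seed = b"12345678901234567890"  # RFC 4226 / 6238 test secret, not a real seed
    print("HOTP counter 0:", hotp(rfc_seed, 0))       # 755224 per RFC 4226
    print("TOTP at t=59:  ", totp(rfc_seed, 59))      # 287082 per RFC 6238 (6 digits)
    v = OtpVerifier(rfc_seed, max_failures=3)
    print("accept:", v.verify(totp(rfc_seed, 59), 59))
    print("replay:", v.verify(totp(rfc_seed, 59), 59))
```

The point a defender should take from the verifier is that the code is never “deciphered”: it is recomputed from the seed, so protecting the seed store on the server (and on the device) is what keeps the scheme sound, while the window, replay check and lockout are what keep blind guessing from succeeding in the time a code is valid.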
Why 2FA is Still Better Than Your Password
That said, you’re still better off using a two-factor authentication system than your password alone. Two layers of security are better than one, even if both are flawed in some way. Passwords are inherently weak because they are vulnerable to the same threats as 2FA, in addition to social engineering and other threats. Adding an OTP provides significantly more protection, particularly SMS-based 2FA, which is, effectively, multi-factor authentication (MFA), because it requires a third factor – your smartphone – to log in successfully.
Multi-Factor Authentication is King
A true MFA system, of course, is ultimately the best protection from hackers. In addition to a password you add two strong forms of authentication, such as an enrolled mobile device and your biometric signature. You can prove the mobile device is yours by previously enrolling the device’s unique identification number, just as you would enrol your fingerprint, face, iris, or other biometric. Then, whenever you need the highest level of security to log into an account, such as when making a financial transaction or logging into a corporate server, you combine these, or other strong forms of authentication, to truly prove your identity.
More importantly, MFA also allows for customization of the authentication factors, helping businesses adjust how complicated logging in is based on their own security needs, optimizing convenience and security for all users.