Two-factor authentication (2FA) is vastly superior to using a password alone, adding a second layer of security over something that we all admittedly don’t protect as well as we should. Do you regularly change your password? Is it longer than 12 characters? Did you just use “!” for the required special character? If you’re guilty of these mistakes, 2FA is likely the only thing keeping your accounts from being compromised. But SMS-based 2FA and tokens have their own flaws we need to consider as well.
Most 2FA systems are based on one-time password (OTP) technology. A secret algorithm is used to generate a string of characters that you then enter into a text field, usually within a time limit. SMS has replaced hardware tokens for convenience, and for securing consumer accounts where purchasing a physical token isn't worth the cost, but SMS-based 2FA has a critical flaw: SMS messages can be intercepted.
There are two ways that SMS-based 2FA can be compromised: Man-in-the-Middle and Man-in-the-Browser attacks.
With a Man-in-the-Middle attack, the bad actor intercepts the text message "in flight," grabbing it as it travels from the server to the device. This is a rather challenging attack, as some mobile protocols encrypt SMS messages. While this encryption isn't foolproof, it does slow the attacker down before they can use the OTP that was sent. However, if the attacker is able to clone the victim's mobile device, they may be able to acquire the SMS message much faster and bypass the 2FA with ease.
With a Man-in-the-Browser attack, the hacker deploys malware on the victim's device that intercepts the OTP as it is being entered. This can be accomplished using phishing or other methods to get the user to install the malware; then the bad actor just has to wait patiently.
Both methods are highly successful ways of gaining access to someone's bank, email, or corporate accounts. It's because of this that we need to change our mindset surrounding 2FA and one-time passwords. One way to do this is to authenticate the transaction, rather than the user. Adding layers of security to transactions and events, such as downloading sensitive data or making a funds transfer, raises the bar for an attacker and helps protect the end user. But it can still be targeted by the same methods described above, only with a reduced likelihood of success.
The other method is to use biometric authentication instead of OTPs. Biometrics provide a unique value that cannot be easily replicated by a hacker. Even if they intercept the authentication request, they have no way to fulfill it with a biometric system. And the ubiquity of smartphones gives us all a device we can use to authenticate with our biometrics in the palm of our hands.