The traditional way of logging in to an account is to enter a username and password. This is referred to as single-factor authentication. Two-Factor Authentication (2FA) is a verification process that adds another level of authentication by requiring the user to present at least two of the three different types of credentials before access to an account is granted. Usually these two factors address "what the user has" and "what the user knows". Broadly, the three types are what the user knows (a password or PIN), what the user has (a hardware token or phone), and what the user is (a biometric).
The simplest example of 2FA is the use of a credit or debit card. For a successful transaction, we have to swipe the card as well as enter the associated PIN code; only then is the transaction confirmed. Anyone holding just the card or just the PIN cannot make the transaction. 2FA is now moving to the mobile domain, as many new authentication solutions have started using SMS messages or mobile applications that hold a cryptographic secret.
Two-Factor Authentication has been found to be quite effective in preventing identity theft, because mere knowledge of a username and password is not enough to let an attacker reach personal information. The attacker needs both pieces of the puzzle, "what the user has" and "what the user knows"; only then can the account be compromised.
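To make the "what the user knows" plus "what the user has" split concrete, here is an added example (not code from the original article) of a login check that requires both a password and a time-based one-time code of the kind generated by a mobile authenticator app. The TOTP/HOTP arithmetic follows RFC 6238 and RFC 4226 with HMAC-SHA1; the `Account` class, the PBKDF2 password hashing, the one-step clock-skew window and the replay guard are this example's own design choices, and the shared secret `b"12345678901234567890"` is the RFC test-vector key, used here only as constructed sample input.

```python
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer and reduced mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


class Account:
    """Hypothetical account record holding the two factors on the server side:
    a salted password hash (what the user knows) and a TOTP secret that was
    enrolled into the user's authenticator app (what the user has)."""

    PBKDF2_ROUNDS = 100_000

    def __init__(self, password: str, totp_secret: bytes) -> None:
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._derive(password)
        self._totp_secret = totp_secret
        # Replay guard: remember the newest time step whose code was accepted,
        # so the same one-time code cannot be submitted twice (RFC 6238 5.2).
        self._last_counter = -1

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, self.PBKDF2_ROUNDS)

    def check_password(self, password: str) -> bool:
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(self._derive(password), self._pw_hash)

    def check_totp(self, code: str, now: int, step: int = 30, window: int = 1) -> bool:
        """Accept a code for the current step or one step either side (clock
        skew), but never a step at or before the last accepted one."""
        current = now // step
        for counter in range(current - window, current + window + 1):
            if counter <= self._last_counter:
                continue  # already consumed, or older than a code already used
            if hmac.compare_digest(hotp(self._totp_secret, counter), code):
                self._last_counter = counter
                return True
        return False

    def login(self, password: str, code: str, now: int) -> bool:
        """Both factors must pass. The password is checked first so that a
        wrong password never consumes a valid one-time code."""
        return self.check_password(password) and self.check_totp(code, now)


if __name__ == "__main__":
    # Constructed demo: the RFC test key stands in for a freshly enrolled secret.
    secret = b"12345678901234567890"
    acct = Account("correct horse battery staple", secret)
    now = int(time.time())
    code = totp(secret, now)  # what the authenticator app would display
    print("password only:", acct.login("correct horse battery staple", "000000", now))
    print("code only:    ", acct.login("wrong password", code, now))
    print("both factors: ", acct.login("correct horse battery staple", code, now))
    print("replayed code:", acct.login("correct horse battery staple", code, now))
```

Running the demo prints `False`, `False`, `True`, `False` in that order: neither factor alone opens the account, and a code that has already been used is refused even inside the skew window, which is the property the paragraph above describes.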
Our professional and personal lives are increasingly digital. We execute our banking transactions online. Our personalities have moved online through social media platforms like Facebook and Twitter. We operate through global delivery models with teams distributed across the world, working and collaborating online. Each of these activities in turn generates large amounts of confidential data, much of which has far-reaching implications in the hands of the wrong people. Hence, data theft and online fraud have become big business.
Different forms of data theft have evolved over time, including identity theft and phishing. For most types of online fraud, the criminal needs a foot in the door, and obtaining someone's login credentials is one such step. 2FA is not foolproof, but it makes the criminal's task much harder, since two different credentials are needed wherever 2FA has been implemented.
Like most good inventions and practices, 2FA has its own challenges and loopholes. Physical devices (hardware tokens such as key fobs and card readers) have to be procured and allocated, creating procedural delays. This does not go down well with a company's customers, who are delayed in gaining access to their own private data. These tokens have to be physically carried around all the time, adding to the customer's irritation, and because they are small they are frequently lost, compounding the problem.
In order to bypass 2FA, attackers have to gain access to the physical device used in 2FA, or to the cookies placed on the device by the authentication mechanism. This can be done in different ways, including malware, card-reader skimming and account recovery. The last one works as a tool for breaking 2FA because the recovery flow usually bypasses 2FA completely.
2FA is also rendered useless wherever there is a loophole in its implementation. 2FA on many platforms can be circumvented, especially on the mobile channel. A senior security researcher at Duo Security's labs was able to log in to a 2FA-enabled PayPal account without having to authenticate using 2FA. The same lab has also been able to bypass Google's two-step authentication process by misusing the application-specific passwords that are used to connect individual applications to Google accounts.
2FA also has vulnerabilities when it comes to dependencies. Third-party authentication tokens depend on the security of the issuer or manufacturer; if that is compromised, so is the 2FA implemented using those devices. A case in point is the March 2011 breach of RSA SecurID tokens. Mobile-based 2FA is susceptible to failure when the security of the mobile service provider is breached, or when malware on the user's phone intercepts the authenticating SMS messages and forwards them to the attacker.