Securing Your Accounts Is Difficult. This Is What You Should Know About Multi-Factor Authentication.

Posted on Apr 6, 2022 by David Rutland

Security isn’t something you can compromise on in the 21st century. Without it, your bank accounts would be drained, your identity would probably be stolen, and your sensitive files would likely be held hostage by a 14-year-old Japanese hacker.

One way to keep yourself more secure on the web is by using multi-factor authentication. While it might take you a few extra seconds to log in to your accounts with added security, it really is worth the hassle. 

Unfortunately, hackers may still find their way around multi-factor authentication depending on the type you choose (are you ever really secure on the web?). But double-layer security is a lot more secure than using a simple password and email method to protect your accounts.

In this article, I’ve explained everything you need to know about multi-factor authentication, why you need to use it, and the slightly annoying but need-to-know drawbacks you should be aware of.

The Need for Added Security

I’ve previously talked about phishing and how online grifters can trick you into giving away your email and password combinations using clever social engineering techniques. 

Large numbers of people around the world have had their personal and work accounts hacked and strip-mined by criminals on the internet. But even if login details are compromised, it doesn’t mean hackers automatically get access to your account — not with multi-factor authentication in place, anyway. 

The double-layer security stops hackers in their tracks, as they need more sensitive, personal details about you to actually access your account. And that’s exactly why banks and other financial institutions employ multi-factor authentication to keep their customers’ assets safe.

A teenage hacker at work | Credit: Richard Patterson, CC BY 2.0

Over the last two decades, banks and other institutions have become increasingly aware that customers tend to use easy-to-guess passwords and employ the same password for multiple accounts. Some even freely share password recovery information with strangers on social media, such as the name of their first pet and the street they grew up on.

Every time I log into my PayPal account to send money for a fast food delivery or yet another ill-considered eBay purchase, I need my phone by my side ready to receive a six-digit, one-time code that will allow me to log into my account. It’s irritating, and if my phone is out of charge or in another room, it’s time consuming, too.

But extra security is necessary; few data breaches are reported instantly, which means your email address and password may have already been sold on the black market before their loss is publicized. Text message-based authentication is an example of two-factor authentication (2FA) and allows PayPal to verify that I am who I say I am.

What Is Two-Factor Authentication and Why Phones?

To establish my identity and gain access to my PayPal account, email and password combinations aren’t enough. PayPal needs to be able to check my identity another way, and the simplest solution is to send a text to my phone.

Phones are ubiquitous in 2022.

The email-and-password combination plus a code sent to your phone number are the two factors that make up the most common type of 2FA. Other examples of second factors include biometric data, hardware tokens, and phone-based authenticator apps.

By using phone-based 2FA, your bank can be reasonably satisfied that it isn’t handing over your money to an unauthorized third party. Anyone can log into your account with your email address and password, but you’d hope that a complete stranger can’t receive a text message sent to your phone. Unfortunately, it’s not impossible.

Is Phone-Based 2FA Vulnerable to Criminals?

Security is a game of catch up, and any measures put in place to prevent theft will probably be compromised, eventually.

If you think about home security in the 21st century, a well-protected pad will have alarms, motion sensors, CCTV, lasers, and possibly a shark pit. The best security comes with multiple layers.

In the virtual world, an email and password combination is the equivalent of a bar across the door, while phone-based SMS is a clunky Egyptian wooden key — visible for all to see and simple to copy to facilitate a break in.

If you’re unfortunate enough to have been identified as a potentially valuable target, scammers will attempt to have one-time code texts delivered to their phone rather than to yours, leaving you vulnerable to attacks. That doesn’t mean it always works, but they like to try nonetheless. 

How Can Criminals Intercept Your Text Messages?

The easiest way for criminals to receive text messages meant for you is to have your phone company provide them with a new SIM card that has your number.

To do this, they need information to convince a customer service representative that they’re you.

If you’ve already fallen prey to a phishing scam, or you’re one of the countless millions who have had their personal information dumped onto the market as a result of a retailer’s poor data security, criminals probably already have your full name, phone number, birthday, and street address. And, as I mentioned above, many other details can be gleaned or inferred from social media posts about you — whether you posted them or a friend or family member did.

With these details in hand, a criminal can walk into any of your service provider’s high street outlets, answer a few simple questions, and have a new SIM programmed for them in store. It takes around 10 minutes.

Once the SIM is activated, any text messages sent to you will be received by the new SIM. The criminal now has complete control of your account, and is able to transfer money wherever they choose.

The process is known as simjacking, SIM splitting, or SIM swapping. According to the FBI, attacks of this sort are becoming increasingly common; between January 2018 and December 2020, Americans lost $12 million to simjackers. In 2021 alone, they lost more than $68 million.

Biometric Identification Could be the Next Default for 2FA

Neither passwords nor phone numbers are good enough to properly secure your accounts against a determined adversary who’s prepared to put in a little work. So the next step for verification is to base authentication on what you are.

Biometrics are measurements of physical characteristics unique to you that, supposedly, cannot be faked or forged.

Your fingerprints are an example of biometric information. So too is the distance between your eyes, the shape of your ear, the pattern of your retina, or anything else that can be measured and is unlikely to change.

It’s possible to fool phone-based 2FA, but it’s considerably more difficult to create a fake ear, retinal scan, or a series of facial measurements.

A number of companies are already attempting to entice users into giving up their biometrics in order to help secure accounts against theft.

In August 2021, Amazon unveiled its ‘Amazon One’ program promising customers $10 in credit if they allowed their hand to be scanned. They referred to this process as “mapping”, which involved scanning “the minute characteristics of your palm — both surface-area details like lines and ridges as well as subcutaneous features such as vein patterns — to create your palm signature”.

Everyone’s hand signature is unique | Credit: Tomaž Štolfa, CC BY-NC 2.0

In addition to the $10 virtual gift card, customers would benefit by being able to use their palm signature to pay for goods in real-world locations across the US — removing the need for credit cards and PINs.

Biometric payment cards are currently being trialed in locations across Europe. A number of online banking apps record video of the user’s face and use facial biometrics to set up accounts on new devices or verify transactions.

The Flaws of Biometric 2FA 

The first problem with biometric identification is that it can be fooled. This has been proven time and time again by Vietnam-based security researchers, Bkav. In 2009, they defeated facial recognition on a range of popular laptops. 

In November 2017, only a week after Apple unveiled FaceID, Bkav managed to trick the iPhone using a 3D mask. It would be foolish to assume that other methods of biometric identification are more secure — especially as you likely have a camera pointing at your face right now. Is it scanning you? How would you know?

The second problem is that few companies can be trusted to hold onto sensitive biometric data and not abuse it, sell it, or use it for marketing purposes.

Amazon in particular has a troubled history with facial recognition. Its software named “Rekognition” has given US lawmakers “heightened concern given recent reports that Amazon is actively marketing its biometric technology to US Immigration and Customs Enforcement”. Amazon is currently being sued for illegal collection of biometric data by scanning employee faces and temperatures as part of COVID-19 detection measures.

There’s no reason to believe that they (or other companies) won’t behave just as recklessly with other biometric data.

Alternatives to Biometric Identification

Sure, there are alternatives to biometric identification. But the problem is that users often don’t see the point of them. They get in the way of late-night pizza orders or rely on gadgets that are otherwise seen as non-essential, so they get lost or broken. The alternatives also come with security issues of their own.

Here are the most common ones:

Hardware Tokens

These usually take the form of a USB key that can be inserted into a host PC to verify the identity of the user. This comes with the disadvantage that it must be carried at all times and if lost, can give an attacker complete control of an identity.

Single Sign-on Authentication Apps

These are mobile apps that are usually managed by a third party and generate one-time codes that can be used to access a service. 

To use these, you usually need to have a smartphone and an account with either Google or Apple (something privacy-conscious individuals may avoid). Phones can also be cloned, meaning that the authentication app can be used by a third party.

How Can I Keep Myself Safe?

In this article I have discussed how no method of authentication is entirely safe. Usernames and passwords become available due to data breaches, SMS codes can be intercepted, and it’s getting easier to spoof biometric ID. 

At the same time, by handing over your biometric markers, you’re exposing yourself to a completely different kind of danger in the form of loss or misuse by the organizations that hold the data.

Having said that, 2FA certainly does what it says by adding another layer of security to your accounts. By combining biometrics or other personal factors with your email address and password, it’s considerably less likely that hackers can get access to your information, even if they have already obtained your login details. Right now, it’s one of the best ways to keep yourself secure (if there’s such a thing) on the web.

As a method of privacy good practice, make sure you’re also employing these top tips alongside multi-factor authentication:

  • Use unique username, email, and password combinations for every account.
  • Don’t give away personal information to strangers or on social media.
  • Try to avoid handing over personal information to online retailers — they will, most likely, get hacked.