Two factor authentication explained

Two factor authentication is a way to confirm that someone is who they say they are by checking identity through a second, independent means, typically proof that the person actually has something. A single verification method such as a password can easily be compromised, since many people use weak passwords and there is no redundancy. Security is about layers, and if you only have one layer and that layer gets breached, you’ve been compromised.

Two factor authentication requires you to also have something physical such as a phone (or access to a phone #) or a small device with a unique code that authenticates you have the device. You have to know something (a password) and you have to prove you have something (unique code sent to a phone # or from an Authenticator app). SMS-based authentication to a phone is a convenient way for people with any type of mobile phone to have a second method of verification. That’s helpful for the millions of people around the world who don’t have smartphones. The problem is that criminals can “port” a victim’s phone number to a handset they control and beat the system.

Someone has been dialing the AT&T call center all day trying to get into my phone but was repeatedly rejected because they didn’t know my passcode, until someone broke protocol and didn’t require the passcode.

-Justin Williams, software developer

All two factor authentication isn’t the same

Criminals have recently stolen cryptocurrency such as Bitcoin and Ethereum by calling a victim’s cell service provider such as AT&T or Verizon and, pretending to be the victim through social engineering tactics, requesting that the cell phone number be forwarded to another carrier and account under the criminal’s control. The criminal then receives all the SMS codes meant for the victim’s phone, because the criminal now controls the victim’s phone number on the criminal’s own handset, and takes over the victim’s account. This is the vulnerability in SMS-based two factor authentication.

Many times the weak link is a human, often in the account department of a cell phone provider. Justin Williams had his identity stolen along with hundreds of dollars from his PayPal account when a criminal called AT&T multiple times in one day until s/he got a rep who failed to follow protocol and allowed the criminal to access the account without the required account passcode. Cell phone providers are behind the times when it comes to security, and because of this the problem of phone porting is growing.

Jesse Powell, CEO of cryptocurrency firm Kraken, likens telco security practices to third-rate coat checks:

Hacker:  Can I have my jacket?

Telco: Sure, can I have your ticket?

Hacker:  I lost it.

Telco:  Do you remember the number?

Hacker:  Nope, but it’s that one right there.

Telco:  Ok cool.  Here ya go.  Please rate 10/10 on survey ^_^

In our experience, the safest and easiest way to implement two factor authentication is to use either an authenticator app or a hardware-based authenticator device such as a YubiKey. With an authenticator app you actually have to have the device, not just the phone number, and YubiKeys are even more secure because the only way someone could compromise your account is if they had the actual device, which they’d have to physically steal from you.

What to do:

Set up two factor authentication now

If you have to use SMS-based two factor authentication, use it because it’s better than nothing. It adds another layer beyond just your password as a basis for authentication. Some sites like PayPal only use SMS-based authentication so, again, any two factor authentication is better than none. But we are in the midst of a phone porting crime wave so better to use an authenticator app and get ahead of the curve.

Use an authentication app

If you are going to spend the time to set up two factor authentication, use an authentication app whenever you can. It’s easy to use and safer than SMS-based authentication. The FTC planted fake accounts online, and it took hackers 9 minutes to access them and begin making fake charges. Two factor authentication provided increased protection against theft of the fake accounts in the study.

Consider hardware-based authentication

If you have an increased threat profile (e.g. you are a Bitcoin developer, have high-profile clients or regularly handle confidential information), use a hardware-based authentication device such as a YubiKey. It’s $50 and significantly hardens your defenses.