What is 2FA and is it really secure?

The Issue of Phishing Attacks

90% of security attacks start with a phishing attempt. This is because attackers want to get hold of your password. Once they have it, they can become you and access everything you can access.

Passwords work as a “shared secret” solution. If you can demonstrate to the computer or website that you know the secret (password), it will let you in. The problem is that anyone else who finds or guesses the password can get access as well.

Passwords have become one of the biggest security challenges we face. Where passwords must be used, good password choices must be made.

Two Factor Authentication vs. Two Step Verification

Two common solutions are two-factor authentication and two-step verification. These are different from one another: although they are remarkably similar in concept, the difference is the trust model. In any security system, trust is a crucial element to understand.

Two factor authentication and two step verification are both authentication systems designed to increase the level of trust in a username/password exchange. Rather than simply rely on the user indicating their knowledge of a password (which an attacker can steal or guess), the concept is to rely on two independent items of information. For example, this might be a password and an additional code sent via SMS message. It is the independence of this additional item of information that makes the difference, and crucially how much you can trust it.

With two-factor authentication, there should be complete independence. One factor cannot be influenced or gained by knowledge of the other. This is where hardware devices such as smart cards or authentication tokens are used.

But what about SMS tokens sent to a phone? The question here relates to independence. Certainly there are two steps – hence two-step verification. But are they independently providing two factors?

Let’s explore a use case… I try to log onto a secure site from my smartphone. I provide my username, followed by my password. The service provider sends a code via SMS to the same smartphone. I enter the code from the SMS on the login screen (two steps). What happens when a hacker breaks into my phone? They can intercept my username, password and SMS – it’s all in one convenient place. The same applies if they steal my phone. Hence, these mechanisms are not “two factor” – they fail the independence rule.
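The independence rule from the use case above can be expressed as a small threat-model check: list, for each factor, the assets whose compromise reveals it, then look for any single asset that reveals them all. This is an added example, not part of the original article; the function names, asset labels and both scenarios are constructed for illustration.

```python
# Added illustration: names and scenario data are hypothetical/constructed.

def single_points_of_compromise(factors):
    """factors maps a factor name to the set of assets whose compromise
    reveals that factor. Returns the assets that, on their own, reveal
    every factor (i.e. the places where independence breaks down)."""
    exposure_sets = list(factors.values())
    if not exposure_sets:
        return set()
    return set.intersection(*exposure_sets)


def classify(factors):
    """Label a login scheme using the article's independence rule."""
    if len(factors) < 2:
        return "single factor"
    if single_points_of_compromise(factors):
        # Two steps, but one compromised asset yields both.
        return "two-step verification"
    return "two-factor authentication"


# Constructed scenarios mirroring the article's examples.
SCENARIOS = {
    "password typed on phone + SMS code sent to same phone": {
        "password": {"phone"},
        "sms_code": {"phone", "mobile_network"},  # SMS can also be intercepted
    },
    "password typed on laptop + hardware token": {
        "password": {"laptop"},
        "token_code": {"hardware_token"},
    },
}


def report():
    """Return {scenario: (label, sorted shared assets)} for every scenario."""
    return {
        name: (classify(f), sorted(single_points_of_compromise(f)))
        for name, f in SCENARIOS.items()
    }


if __name__ == "__main__":
    for name, (label, shared) in report().items():
        print(f"{name}: {label}; single points of compromise: {shared or 'none'}")
```
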

Two-step verification is vastly better than passwords alone. But be wary, it is not foolproof – if your phone is hacked or stolen, the attacker can still become you, just as they could in the password-only world.

For added security, try to use genuine two factor authentication where possible.

Is 2FA Really Broken?

There has been a rise in articles stating that 2FA is broken. Of course, it’s not infallible, and better solutions would be good. Yes, SMS messages can be intercepted. Yes, man-in-the-middle attacks can still work. But if we all implemented 2FA, the headlines stating that “90% of security attacks start with phishing” would drop significantly, and the attackers’ job would be much harder.
