The Issue of Phishing Attacks
90% of security attacks start with a phishing attempt. This is because attackers want to get hold of your password. Once they have obtained this, they can become you, and access wherever you can access.
Passwords work as a “share secret” solution. If you can demonstrate to the computer or website that you know the secret (password), it will let you in. The problem is that anyone else that finds or guesses the password can get access as well.
Passwords have become one of the biggest security challenges we face. Where passwords must be used, good password choices must be made.
Two Factor Authentication vs. Two Step Verification
Two common solutions are two factor authentication and two step verification - these are different from one another. Although they are remarkably similar in concept, the difference is the trust model. In any security system, trust is a crucial element to understand.
Two factor authentication and two step verification are both authentication systems designed to increase the level of trust in a username/password exchange. Rather than simply rely on the user indicating their knowledge of a password (which an attacker can steal or guess), the concept is to rely on two independent items of information. For example, this might be a password and an additional code sent via SMS message. It is the independence of this additional item of information that makes the difference, and crucially how much you can trust it.
With two-factor authentication, there should be complete independence. One factor cannot be influenced or gained by knowledge of the other. This is where hardware devices such as smart cards or authentication tokens are used.
But what about SMS tokens sent to a phone? The question here relates to independence. Certainly there are two steps – hence two step verification. But are they independently providing two factors?
Let’s explore a use case… I try to log onto a secure site from my smartphone. I provide my username, followed by password. The service provider sends a code via SMS to the same smartphone. I provide the code from the SMS to the login screen (two steps). What happens when a hacker breaks my phone? They can intercept my username & password and SMS – it’s all in one convenient place. Same if they steal my phone. Hence, these mechanisms are not “two factor” – they fail the independence rule.
Two-step verification is vastly better than just passwords alone. But be wary, it is not fool-proof – if your phone is hacked or stolen, the attacker can still become you, just as they could in the password-only world.
For added security, try to use genuine two factor authentication where possible.
Is 2FA Really Broken?
There has been a rise in articles stating that 2FA is broken. Of course, it’s not infallible, and better solutions would be good. Yes, SMS messages can be intercepted. Yes, man in the middle attacks can still work. But, if we all implemented 2FA, the headlines stating that “90% of security attacks start with phishing” would significantly drop, and make the attackers job much harder.