What is 2FA and is it really secure?

The Issue of Phishing Attacks

90% of security attacks start with a phishing attempt. This is because attackers want to get hold of your password. Once they have obtained this, they can become you, and access wherever you can access.

Passwords work as a “share secret” solution. If you can demonstrate to the computer or website that you know the secret (password), it will let you in. The problem is that anyone else that finds or guesses the password can get access as well.

Passwords have become one of the biggest security challenges we face.  Where passwords must be used, good password choices must be made.

Two Factor Authentication vs. Two Step Verification

Two common solutions are two factor authentication and two step verification - these are different from one another. Although they are remarkably similar in concept, the difference is the trust model. In any security system, trust is a crucial element to understand.

Two factor authentication and two step verification are both authentication systems designed to increase the level of trust in a username/password exchange. Rather than simply rely on the user indicating their knowledge of a password (which an attacker can steal or guess), the concept is to rely on two independent items of information. For example, this might be a password and an additional code sent via SMS message. It is the independence of this additional item of information that makes the difference, and crucially how much you can trust it.

With two-factor authentication, there should be complete independence. One factor cannot be influenced or gained by knowledge of the other. This is where hardware devices such as  smart cards or authentication tokens are used.

But what about SMS tokens sent to  a phone? The question here relates to independence. Certainly there are two steps – hence two step verification. But are they independently providing two factors? 

Let’s explore a use case… I try to log onto a secure site from my smartphone. I provide my username, followed by password. The service provider sends a code via SMS to the same smartphone. I provide the code from the SMS to the login screen (two steps). What happens when a hacker breaks my phone? They can intercept my username & password and SMS – it’s all in one convenient place. Same if they steal my phone. Hence, these mechanisms are not “two factor” – they fail the independence rule.

Two-step verification is vastly better than just passwords alone. But be wary, it is not fool-proof – if your phone is hacked or stolen, the attacker can still become you, just as they could in the password-only world.

For added security, try to use genuine two factor authentication where possible.

Is 2FA Really Broken?

There has been a rise in articles stating that 2FA is broken. Of course, it’s not infallible, and better solutions would be good. Yes, SMS messages can be intercepted. Yes, man in the middle attacks can still work. But, if we all implemented 2FA, the headlines stating that “90% of security attacks start with phishing” would significantly drop, and make the attackers job much harder.

Share this


Guest Blog: Facing up to cyber threats during COVID-19 and beyond by David Viola, @QinetiQ explores how cyber threa… https://t.co/pdrVjW5jBx
techUK members are invited to join a Zoom webinar this Friday 5 June from 15:00 on 'An Introduction to BSA Buying G… https://t.co/1ZF6nptnTj
.@techUK Cloud Week is back 15-19 June. Cloud computing has played a pivotal role in helping during the Covid19 cri… https://t.co/Jcanfykkt2
On 16 June from 14:00-15:00, #techUK will be hosting a session with tech #SMEs to discuss what guidance and support… https://t.co/UaisZagzmX
#techUK, along with other leading international tech and business trade associations, have issued recommendations t… https://t.co/PDqTElNHIl
Last chance to register for today's webinar on responsible mineral sourcing - a massive issue for tech firms - toda… https://t.co/h9aSXM4bnH
Join us on Monday for a webinar looking at human rights due diligence. We've got a great panel of experts setting o… https://t.co/JBDZkkBds0
For our #ConnectandProtect campaign, @PDevComms explains that the experience of @TCS_UKI during #COVID19UK has acce… https://t.co/6sMsDV377D
International perspectives: Join us on 16 June from 12:30 - 13:30 to hear from Patrik Sundström, the architect behi… https://t.co/kTL39WWWMS
This afternoon #techUK will host its ninth post-COVID webinar, this time to discuss the topic of #Diversity &… https://t.co/8Ch8eLzj4U
Become a Member

Become a techUK Member

By becoming a techUK member we will help you grow through:

Click here to learn more...