What is 2FA and is it really secure?

The Issue of Phishing Attacks

90% of security attacks start with a phishing attempt. This is because attackers want to get hold of your password. Once they have obtained it, they can become you and access whatever you can access.

Passwords work as a “shared secret” solution. If you can demonstrate to the computer or website that you know the secret (the password), it will let you in. The problem is that anyone else who finds or guesses the password can get access as well.

Passwords have become one of the biggest security challenges we face. Where passwords must be used, good password choices must be made.

Two Factor Authentication vs. Two Step Verification

Two common solutions are two factor authentication and two step verification - these are different from one another. Although they are remarkably similar in concept, the difference is the trust model. In any security system, trust is a crucial element to understand.

Two factor authentication and two step verification are both authentication systems designed to increase the level of trust in a username/password exchange. Rather than simply relying on the user demonstrating knowledge of a password (which an attacker can steal or guess), the concept is to rely on two independent items of information. For example, this might be a password and an additional code sent via SMS message. It is the independence of this additional item of information that makes the difference, and crucially how much you can trust it.

With two-factor authentication, there should be complete independence. One factor cannot be influenced or gained by knowledge of the other. This is where hardware devices such as smart cards or authentication tokens are used.

But what about SMS tokens sent to a phone? The question here relates to independence. Certainly there are two steps – hence two step verification. But are they independently providing two factors?

Let’s explore a use case… I try to log onto a secure site from my smartphone. I provide my username, followed by my password. The service provider sends a code via SMS to the same smartphone. I provide the code from the SMS to the login screen (two steps). What happens when a hacker compromises my phone? They can intercept my username & password and the SMS – it’s all in one convenient place. The same applies if they steal my phone. Hence, these mechanisms are not “two factor” – they fail the independence rule.

Two-step verification is vastly better than just passwords alone. But be wary, it is not fool-proof – if your phone is hacked or stolen, the attacker can still become you, just as they could in the password-only world.

For added security, try to use genuine two factor authentication where possible.
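The independence rule from the use case above, as an added example that is not part of the original post: each factor is tagged with the assets whose compromise reveals it, and a scheme counts as genuinely two-factor only when no single asset exposes every factor. The asset labels (phone, laptop, token, phishing_site, sms_interception) are constructed for illustration.

```python
# Added example (not from the original post): a small model of the post's
# "independence rule". A scheme is genuinely two-factor only when no single
# asset, once compromised, hands the attacker every required factor.
# Asset names below are constructed labels, not from any real deployment.
from dataclasses import dataclass


@dataclass(frozen=True)
class Factor:
    name: str
    exposed_by: frozenset  # assets whose compromise reveals this factor


def single_points_of_failure(scheme):
    """Assets whose compromise alone yields every factor in the scheme."""
    common = None
    for factor in scheme:
        common = factor.exposed_by if common is None else common & factor.exposed_by
    return set(common or ())


def is_two_factor(scheme):
    """True when the factors are independent: no single asset breaks them all."""
    return len(scheme) >= 2 and not single_points_of_failure(scheme)


def attacker_can_log_in(scheme, compromised):
    """True if the attacker holds at least one asset exposing each factor."""
    return all(factor.exposed_by & set(compromised) for factor in scheme)


# Use case from the post: username/password typed on the smartphone, SMS code
# delivered to the same smartphone (two steps, one device).
SMS_SAME_PHONE = [
    Factor("password", frozenset({"phone", "phishing_site"})),
    Factor("sms_code", frozenset({"phone", "sms_interception"})),
]

# Genuine second factor: password typed on a laptop, code read from a
# separate hardware token that never touches the login device.
HARDWARE_TOKEN = [
    Factor("password", frozenset({"laptop", "phishing_site"})),
    Factor("token_code", frozenset({"token"})),
]

if __name__ == "__main__":
    for label, scheme in [("SMS to same phone", SMS_SAME_PHONE),
                          ("hardware token", HARDWARE_TOKEN)]:
        print(f"{label}: two-factor={is_two_factor(scheme)}, "
              f"single points of failure={single_points_of_failure(scheme) or 'none'}, "
              f"stolen phone suffices={attacker_can_log_in(scheme, {'phone'})}")
```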

Is 2FA Really Broken?

There has been a rise in articles stating that 2FA is broken. Of course, it’s not infallible, and better solutions would be welcome. Yes, SMS messages can be intercepted. Yes, man in the middle attacks can still work. But if we all implemented 2FA, the headlines stating that “90% of security attacks start with phishing” would drop significantly, and the attacker’s job would become much harder.
