2FA also known as 2-factor authentication fortifies passwords with a second piece of information which involves a one-time passcode being sent at the time of login.
Maintaining the security of your online accounts and ensuring your personal data remains private has become paramount in recent years following data breaches and password leaks from targeted attacks by hackers. 2FA has now the trend to protect yourself in case your passwords get compromised.
The logical step is setting up either:
• SMS-based 2FA where you give platforms your phone number so they can send you text with that contains the One Time Password or
• TOTP-based 2FA (Time-based One-Time Password algorithm) where you’re asked to scan a QR image using a specific smartphone application such as Authy or Google Authenticator app. These apps continuously generate the One Time Password for you.
The case for the SMS-based 2FA
This method is the simplest and more adoptable for most users.
The case against SMS-based 2FA
The SMS-based 2FA has its downfalls such as waiting for the text every time you log in among other important security issues as it can be spoofed easily.
Just last week, it was found that Facebook was using the number you provided the platform with to protect your account but the social media giant used the number for ad targeting purposes and it can also be looked for and you can’t remove it.
Even scarier it’s that it’s easy to intercept the 2FA codes. In Germany, attackers used SS7 vulnerabilities to get user’s codes that were later used to drain the bank accounts of the victims. The same flaw affected a UK bank too early this year.
The recent incident in Kenya where malicious people swapped your SIM card without your consent is also a scary if you only rely on texts.
Telcos need to increase the security of their customer’s numbers and take measures when they notice any tampering to make it harder to exploit text messages.
Why you should still use SMS
This doesn’t mean, you shouldn’t use it. It’s the easiest 2FA to set up and yes it’s not the most secure but it’s the first step to securing your accounts, and a great one at that.
The case for authentication apps
Authentication apps are the true authentication as the TOTP method creates a one time password on the user side instead of server-side through the app.
There’s a ton of apps out here to manage your 2FA logins. Here are the popular ones:
Microsoft Authenticator – it’s a free 2FA app that will link to your online accounts with a QR code scan
Google Authenticator – this is the best and easiest one to use
The desktop, Android and iOS apps let you search for tokens by name, display tokens as a list or grid view, greater device information so you can view and remove unused apps. You also get push authentication support for websites that have implemented it.
It’s best to install the app on your phone and desktop or another device so that when the tokens are synched to the Authy Cloud, they automatically sync. This is so when an attempt to install another instance of Authy, you get notified via the other app as Authy checks the new device against an existing device they already trust.
Once this is done, go ahead and turn off the apps multi-device feature so that no additional apps are installed.
Most sites will suggest Google Authenticator app for 2FA but you can easily substitute that for Authy.
This site has a comprehensive list of services that offer 2FA support. It also shames sites that don’t.
2FA apps vulnerability.
Most sites have a logic flaw vulnerability that let you log in without knowing the current password. It works for when you’re trying to change your password while being in the process of logging in in the 2FA login page. Google fixed this issue. Instagram and Microsoft are still vulnerable. Read all about it here.
Consumers are becoming more aware of 2FA and moving beyond password-only logins as there’s been a 538% increase in users enabling 2FA from 2015 to 2017.
For sites that don’t allow 2FA via authenticator apps, SMS based 2FA will work just fine, but if there’s an option for app based 2FA, use that.
It is now becoming important and difficult to protect your online and it’s imperative we talk about the pros and cons of all the tools we’re using.
Hackers will go the extra length to get access to your personal data. Passwords can be leaked or easily be figured by malicious actors so it’s high time to protect your accounts with 2FA as an additional safety measure.
2FA will add the inconvenience of having another added step to your login process buts it’s worth it, it’ll give you peace of mind.