As we start to see account hacking and data leakage appear more and more in the media, the rise and need for two Factor Authentication, or 2FA, is inevitable if businesses want to retain their customers’ trust.
2FA only denotes the number of factors required to confirm an identity. Often the first factor is a classic password; the type we forget, so we write it down in our phones, or make it something obvious, or use it across every platform we sign into, from
our bank to that recipe site we love. The second factor is supposed to mitigate the poor decisions we make around our password, reducing the element of human error even the best of us are prone to. But what if that second factor is equally as prone to our
poor judgement and human error as the first?
A common second factor being used by many is the SMS that gets sent to our phone connected to our accounts. That certainly does add a layer of security that wasn’t there before. If we break down an individual’s identity (this being just one way) into something
that we are (face or fingerprint), something that we know (password or pin), and something that we have (ID card or USB key)
[Identification Revolution by Alan Gelb and Anna Metz], then a text message to our phone fulfills the something that we know pillar. What we end up with really isn’t 2FA, but another authentication group called 2SV or two step verification. We aren’t using
two different factors, just the same one twice, even if one thing we “know”, we only know for a short time. So, what if we leave our phone on our desk while we go for a bio-break, or we’re unlucky enough to have our
SIM hacked, or a
hacker redirects our phone traffic from our phone to theirs after a convincing phishing email? All these things are happening, and though we are seeing companies make a positive change, hackers redirecting phone traffic has been happening for years, and
we are still being surprised when some monster company announces its move away from SMS based “2FA”.
This is just one example of a poor choice in improved authentication. The jury is certainly still out on facial recognition (covering another pillar of our identity), with many groups recommending against it as a way to authenticate ourselves (along with
other biometric options). An
interesting article on Motherboard last year showed how infrared lights taped to a baseball cap could fool facial recognition cameras. But others have managed it using the myriad photos many of us post on social media and 3D rendering. This technology is
getting better, but so is that which can beat it or take advantage of it, so are we ready to bet our life savings on it?
There are authentication factors that are better, and others that are worse, but my point is this:
it’s not the number of factors that makes an authentication service secure, it’s the quality of those factors. It would be easy for the average person on the street to assume MFA is more secure than 2FA, lulled into a false sense of security because
they need a password, receive a text, and have to give their first-born child’s blood type. It’s the complacency that this breeds that takes away from the truly secure options out there, and gives the advantage to those that don’t have our best interests
at heart.