Two-factor authentication has been adopted by everyone from Amazon to Google when it comes to securing consumer data in the cloud. And why not? Two-factor authentication (2FA) is a great way to secure access to your data.
But of course, there are always drawbacks or risks. Like every security method, it’s not entirely foolproof. While SMS messaging might seem like an ultra-secure method, it has recently been shown to be exploitable.
Although SMS-based 2FA is reasonably secure, it’s not completely hack-proof. (In fact, nothing is.) There are a couple of vulnerabilities—and a couple of more secure alternatives.
SMS Spoofing With 2FA
Just like with spoofing a phone number, it’s possible to spoof SMS text messages as well. Of course, it’s difficult to do, but for a sophisticated hacker, it’s not impossible.
In a Forbes scoop, a white hat hacker group called Positive Technologies demonstrated just how easy it was to take control of a cryptocurrency wallet behind a Google Account protected by 2FA.
The researchers gained access to Signaling System No. 7 (SS7), the signaling system that cell networks use to route calls and messages, including SMS messages. From there they could intercept the SMS text messages sent to a target’s phone—and then lock the victim out of the account by resetting the password with the intercepted authorization code.
It’s pretty scary overall for a targeted attack. But that doesn’t mean 2FA is a bad security method. While SMS is vulnerable to attacks like these, there’s a more effective method that doesn’t require an SMS message:
What Are Authenticator Apps?
Authenticator apps are great alternatives to SMS messaging, especially if you’re holding incredibly sensitive data. Authenticator apps are separate applications that generate one-time codes for end users.
While the apps are linked to specific accounts, they have all of the security features of 2FA and are less vulnerable. This is because the code that’s generated is single-use and changes after a set interval of about 30–60 seconds, depending on the app used.
Of course, this doesn’t mean that your system is foolproof. But as long as you don’t download any malicious programs and keep your phone’s software up to date, it’s highly unlikely that your phone will be breached.
Standalone authenticator applications are generally more secure than SMS-based 2FA methods. Another way to ensure greater 2FA security is with specialized hardware such as YubiKeys.
What Are YubiKeys?
YubiKeys are physical devices that unlock your account. They don’t require batteries—rather, they’re like key fobs, but for credential verification and account authentication. Many hardware-based 2FA devices like YubiKeys plug into USB ports to operate.
Hardware-based 2FA is one of the most secure ways to ensure account security. However, if you lose your hardware, you may also lose your account. Alternatively, you may be subject to lengthy phone calls with vendors to reauthenticate and regain access.
So, which method of 2FA should you go with? That’s up to you and your use case. If you feel that your data is incredibly sensitive, it’s hard not to recommend hardware-based solutions. However, if there’s a bit of wiggle room—and if user experience is important—application-based 2FA is an easier, more cost-effective option. Even SMS-based solutions will work if you’re not concerned about elaborate, targeted hacking schemes.
Hypershift is a consulting organization focused on SaaS, subscription software, and cloud technologies. We help organizations navigate their shift toward subscription software models. Our mission is to ensure best-in-class security, support, and management to optimize enterprise-level cloud strategies.