Is Two-factor Authentication Process Really Foolproof ?

There are people with high-end security infrastructure to safeguard their online transactions, and they are doing themselves a great service. However, the majority of people still operate under a serious risk of having their online transactions hijacked by malware. Security is one of the critical factors for both users and app developers, yet we still take chances. There are many sites and apps where you need to type in a code sent to you via SMS or email to verify that you are making a purchase or changing your account details. Passwords are becoming longer and more complicated, with some sites demanding special characters and numerals, and users are being asked to add their mobile phone number to their accounts as a backup.

The latter is part of what is called two-factor authentication, or 2FA for short, and it is what many tech companies use to protect their users from breaches. The most frequently used form of 2FA relies on an SMS code. While it is a good idea to have a common authentication device, phones have become the default because most people own one. Password-protected accounts can be hacked easily, and 2FA, in the best case, removes guessable passwords (“secret”, “1234”) from the equation.

A THUMBS UP FOR TWO-FACTOR AUTHENTICATION

After gaining attention following the well-known hacking of journalist Mat Honan in 2012, 2FA was celebrated as the next weapon to protect users online. Two-factor authentication requires the user to present two out of three factors: something you know (PIN, password), something you have (smartphone, ATM card, fob), or something you are (fingerprint or voice print).

Let’s see how this works. We are all used to a password or PIN (something you know) as one factor, and now people also receive a one-time code via SMS on their mobile phone (a second factor) to buy things online, replace the password on a locked account, or transfer money, among other things. Some people use a code-generating fob (second factor) to access a bank account or a work server over VPN from home. Depending on what you do online and which device you have, you might use a fingerprint or voiceprint (something you are) to reach your account details, or pay for something with Apple Pay or Google Wallet on your smartphone (something you have).

In the U.S., Twitter, Facebook, Google, Apple, Amazon, Bitcoin, Yahoo!, almost every email provider, banks, insurance companies, and online services have rolled out some kind of 2FA. You might have to work a bit harder to log in to your accounts, particularly when verifying a purchase or when you cannot remember your complex password. It also means it has become harder for a hacker to get into your account: if you have to work for it, imagine the burden on them.

CERTAIN 2FAS ARE BETTER THAN OTHERS

Not all 2FA methods are equal. One-time codes sent via SMS are the most common because they are the most convenient for a company to implement. Who wants to carry a code-generating fob just to buy something on iTunes? Receiving a one-time code straight to your phone can be cumbersome at times, but how is a hacker going to intercept an SMS? Actually, it is not very hard, and it has happened in high-profile cases more than once.

In fact, it has happened so often that the U.S. National Institute of Standards and Technology (NIST) decided in August 2016 to disallow SMS-based 2FA codes for any services that plug into government IT systems. NIST wants people to use services such as Google Authenticator or USB dongles. Devolutions concludes that, among the most popular 2FA services, those that depend on a dongle carry a risk of loss. An online authenticator is the better alternative, and Authy seems the most attractive of those: it is available as a desktop app as well as on mobile, and it integrates easily with your phone’s own authentication setup. Among the non-dongle services, Authy spares you the migraine if you lose your phone or buy a new one, because it lets you restore your codes without re-configuring all your accounts. Authy’s rival, Google Authenticator, does not offer this. Developers have to strike a balance between security features, usability and price.

WHAT ABOUT BIOMETRICS?

There has been a lot of discussion about the safety of biometrics such as fingerprints, voice prints, ear shape, iris scans, or face recognition software for protecting your accounts. Admirers of biometrics feel they are appropriate, especially for high-profile users or those who want robust protection for what they do online. The big concern raised is that if a fingerprint, or some other biometric, is compromised, you cannot change your fingerprints and start again. That makes a good premise for a science fiction drama, but in practice the worry is somewhat unfounded.

Whether these biometrics can be bypassed to get into someone else’s iPhone or Motorola is a good topic, but for another day. Apple and Google include a Secure Enclave feature in their newer iPhone and Android OSs that strengthens fingerprint-based access, but whether it is an “ultimate lock down” can also be debated some other time. So we rest our case on biometrics as a safe option for now.

SECURITY HAS ITS LIMITS

There is no such thing as total safety. The internet is built entirely on the idea of openness, and any hiccup in connectivity drives users crazy. The aim is to make things easy for users and extremely hard for hackers. Passwords are without doubt a potent tool if you choose a strong one. Likewise, 2FA is a powerful tool, and biometrics are more effective than SMS codes. Further, you may have noticed that the commonly used SMS codes for 2FA are not very adequate, despite the perception that they are secure. If this has set off an alarm bell for you, then use a safer method where one is available and, critically, let the companies running the services and apps you rely on know that you expect nothing but the best from them.

USERS SHOULD PUT UP WITH INCONVENIENCE FOR THE SAKE OF SECURITY

The downside of doing better is that it adds to your workload and can frustrate users, who ideally should have had a good password to begin with. But it is not at all amusing to receive a notice from a bank, email service, big-box chain, insurer, or other company telling you that your personal or financial details have been compromised in a cyberattack. Nobody likes changing a password or getting a new credit card, and the personal or financial details that were breached are still exposed to whoever took them. 2FA is simply an extension of the security a company offers to protect its services. It may cause users some discomfort, pain or frustration, but they should realize it is for their own good.
