Back to Blog

Degrees Of Security: What to Look For in Your 2FA

Maze-LockWe’re all familiar with single-factor authentication—even though we never called it that—where we’re asked to enter a username and a password to gain access to a website. And more and more of us are getting used to two-factor authentication (often referred to as 2FA) which adds another level of authentication to an account log-in. Simply put, 2FA requires a user has two out of three types of credentials before gaining access. These are:

  • Something you know, such as a personal identification number (PIN), password or a pattern
  • Something you have, such as an ATM card, smartphone, or small hardware fob that continuously displays digits
  • Something you are, such as a fingerprint, iris scan, voice print or other biometric

Obviously, two factors are better than a single factor. And 2FA is substantially more secure than a username and password, which provides hardly any protection at all these days. But don’t be fooled: not all 2FA is built the same. Some 2FA methods have a greater degree of risk than others. So whether you’re a user of two-factor authentication, or a site developer or blogger who wants to keep users safe from attackers and cyber-thieves, you’ll want to understand which method of 2FA is best for you.

Evaluating 2FA protection

When determining if a 2FA method is suitable for a particular activity, the first thing you’ll want to do is to gauge the level of risk against the level of protection provided.

At the low end of the spectrum, as discussed above, any site that requires only a single factor of authentication (username and password) is also providing a good chance that you’ll be hacked (if you haven’t been already).

Improving on this requires 2FA and the most common method is SMS. For a low-security activity, like visiting an entertainment news website where you can read stories, watch videos, and leave comments but where you don’t store personal data like credit cards or social security numbers, usually SMS is sufficient. But—and it’s a big butSMS is also the least secure way to deliver 2FA. Recently we wrote a blog post about our concerns with SMS-based 2FA.

Indeed, SMS-based 2FA as a second factor is a huge improvement over passwords alone. But SMS has weaknesses, including the frighteningly common incidences of hackers convincing mobile service providers to transfer a phone number, SIM card cloning, SMS network compromises, and SMS-capturing traps via phishing websites.

In short, SMS-based 2FA has never been the most reliable or secure option, echoed recently by the National Institute of Standards & Technology (NIST). The media’s exposure of recent user attacks and SMS vulnerabilities are reason enough to entice every online service relying solely on SMS for authentication, from blogs to banks, to consider improving their 2FA offering.

Consider a financial institution where you keep your savings. Or a healthcare firm that stores your personal medical records. Common sense would dictate that these types of services ought to provide a very high level of account protection. Unfortunately many do not, and the SMS-based 2FA they often rely on may not be sufficient. If your bank or health provider offers protection that simply sends an SMS code after you type in a username and password, you might want to look for a more secure service provider.

Voice authentication (which automatically dials a user and, when it identifies that a real human is on the receiving end of the call, reads them a code) is often better than SMS, although it too has an element of risk. Any service that provides real human interaction is vulnerable to social engineering, phishing and “sim swap fraud”, a scam which overrides typical security used by banks to protect customer transactions.

Because of this the growing threat of advanced hacks—and the realization that SMS just can’t provide the security needed—many technology companies are offering more advanced 2FA techniques. The most common of these is the Time-based One-Time Password (TOTP) which can be delivered as a ‘soft token’ (derived from the term ‘software generated token’) or hardware token. Hardware tokens deliver TOTPs via a key fob or USB stick that you must have on your person. Soft tokens are stored on a desktop computer, a laptop, or a mobile device, and are very popular because, unlike hardware tokens, one piece of software can generate many tokens for different services, lowering the number of devices you have to carry around.

The best step up for 2FA security leverages the growing network of internet-connected smartphones to provide security that’s even more convenient. Rather than relying on a token being entered during authentication, a push notification can be sent from the site to a user’s device, alerting them that an authentication attempt is taking place. Simply touching the notification reveals an app-based interface in which the user can accept or reject the request. Industry research group Gartner recommends push-based authentication over SMS because there’s a direct and secure connection between the device and the 2FA service, removing opportunities for phishing, man-in-the-middle attacks, or unauthorized access. In fact, Forrester has made similar recommendations.

To understand the risks better, let’s look at these four different 2FA types side by side, and compare their security offerings:

Is the 2FA method delivery channel encrypted?

2016-07-26_1933Chart Explanation: If 2FA information is delivered to a user, it may be intercepted if the delivery channel is not encrypted.

Why Is This Important: SMS channels can be intercepted by privileged users, or by compromising SMS logs. Voice is a bit harder to intercept, but a tapped line is possible. TOTPs, regardless of whether they are soft tokens or hard tokens, are generated on a trusted device instead of being delivered, so they are generally not susceptible, except by rogue apps on jailbroken or rooted devices, or if the token app does not have additional defenses. The real winner here is 2FA that uses push notification. Push creates a direct, mutually-authenticated, securely encrypted channel between the trusted 2nd-factor device and the authentication service.

Does the 2FA method work with no network access?

2016-07-26_2030

Chart Explanation: Most services consumed by users today are online/connected services, but a user’s trusted 2nd factor might not be online when needed.

Why Is This Important: While there may be times when you’re in a location where network access is limited or non-existent, you don’t have to settle for being less secure. Because a time-based one-time password is generated and not delivered, soft-tokens and hard tokens are a good fallback when push-notification can’t get through, like when you’re on an airplane or working from a wired desktop where wifi or phone service is unavailable.

Does the 2FA method work without Voice or SMS service?

2016-07-26_2032

Chart Explanation: Not every user will have an SMS capable phone, or even voice phone service. But they may have a tablet that can connect to WiFi.

Why Is This Important: Sometimes a subset of users (such as union members or hospital employees) are not allowed to bring personal phones to work, and have not been issued company phones. Having 2FA options that don’t require phone service is essential in these circumstances.

Is the 2FA method protected against SIM Swap?

2016-07-26_2033

Chart Explanation: A SIM card is the component in a phone that identifies the phone to the phone company. Recent significant hacks involving a hacker calling the phone company and convincing them to switch established service (of the targeted user) to a SIM card owned by the hacker, is known as “SIM Swap fraud”, a scam which overrides typical security used to protect customer transactions.   

Why Is This Important: While this is a sophisticated hack, when the value of a target is high enough, it’s worth the effort to the hacker. Because of this and other risks, NIST is now recommending that SMS is no longer sufficient for many 2FA implementations. Both SMS and Voice channels are vulnerable to SIM Swap, but TOTP and Push methods are not.

Is the 2FA method protected against displaying on a locked mobile device?

2016-07-26_2049

Chart Explanation: Access to a user’s trusted mobile device, even without unlocking the phone, can sometimes compromise a user’s security if their first factor (a password or PIN, generally) is also known.

Why Is This Important: By default, SMS messages (with codes) can be seen on locked phones. Voice calls can often be answered without unlocking the phone. While hard tokens often displaying a TOTP by default, soft tokens require unlocking the phone and gaining access to the TOTP app (which may be protected by a secondary PIN), unless the user configures tokens to be available from the locked screen. For added security, most push notification-based 2FA services require the user to unlock the phone before the authentication request can be approved.

Is the 2FA method protected against rogue apps stealing codes?

2016-07-26_2037

Chart Explanation: On some devices, any app can read (and even delete) SMS messages sent to the phone.

Why Is This Important: If a rogue app is installed, codes sent to the device can be captured and sent on to the hacker, without needing physical access to the phone, nor requiring the phone to be rooted (on iOS, the phone would need to be jailbroken). This is much harder (but maybe not impossible) to do with the other methods, but a jailbroken or rooted phone would be essential.

Is the 2FA method protected against phishing?

2016-07-26_2041

Chart Explanation: The most common method of phishing is persuading a user to click on an email that leads them to a website that looks like a legitimate site they do business with. The rogue site will steal both the user’s username and password, AND their one-time password delivered by SMS or Voice. It can even steal TOTPs generated from a disconnected soft-token app or physical hard token.

Why Is This Important: This is the biggest and most prevalent vulnerability with 2FA-protected solutions today, and all one-time password solutions are vulnerable. Push authentication methods eliminate this type of attack.

Is the 2FA method protected against Privileged Man in the Middle (SS7, SMS logs)?

2016-07-26_2043Chart Explanation: SMS messages appear in logs, and both SMS and Voice can be redirected by people with privileged access to telecom infrastructure like the SS7 system (click here to learn more about this specific attack).

Why Is This Important: If the value of a target is high enough, a hacker can compromise infrastructure to capture or redirect telecom like SMS and Voice. TOTP and push-notification are not vulnerable to this type of attack.

Does the 2FA method allow you to use desktops/laptops as trusted 2nd factor?

2016-07-26_2045

Chart Explanation: SMS and Voice generally require a phone, which may not always be an option.

Why Is This Important: Having additional devices provides convenience, flexibility, and redundancy to users. Trusting a specific desktop or laptop may be needed or desired for some users.

Push notification is the mosts secure 2FA

As you can see, the push notification is a winner when it comes to security and convenience. Our push-notification product, Authy OneTouch is the most convenient and most secure of the Authy security products, and it’s being adopted as an industry go-to. When accessing a site that offers Authy One Touch, users get a notification which displays the request on a mobile device. To gain access, they simply touch on the “Approve” button and they’ll immediately be logged into the website they’re visiting. No codes to retype. No more buttons to press. Touch “Deny” and the attempted login fails, sending the user back to the login screen.

In fact, the Authy OneTouch plug-in is now available to secure blogs and sites created on the popular WordPress blogging platform, currently used by more than 60 million websites. You’re bound to run across OneTouch soon if you haven’t already.

Sure, there are some sites where SMS is the preferred method standard (we’re talking to you, Twitter) but, as mentioned before, even using SMS 2FA is better than no 2FA. We’re betting that soon enough, stronger authentication will be demanded by users everywhere, and we feel push-notification is the best choice to meet that growing demand.

Want to know more?

About the author Dan Killmer

Dan is the Lead Solutions Architect at Authy, and manages the Authy Sales Engineering team. Dan spends a great deal of time listening to customers, and helping them understand how our security products fit their business needs, along with helping customer technical teams succeed. Dan actively participates in identifying and specifying new features, as an outcome of customer and user comments and requirements.

We can text you a link to get started:

Close