Have you ever logged into an online account and then received a text message to confirm it was you actually logging in? It’s a common experience nowadays, especially with financial accounts, but increasingly with many kinds of online accounts that have sensitive information.
This type of security is called two-factor authentication, because you need two kinds of verification to prove that it’s really you – not some bad guy – accessing the account. Two-factor authentication is one of the most widespread technologies used to secure your account, but at least one observer suggests that the tech has not been studied enough to know its weaknesses.
That lack of knowledge could mean your accounts aren’t as secure as they seem, potentially leaving your money vulnerable to hackers who can exploit loopholes in the process.
What is two-factor authentication?
Two-factor or multi-factor authentication is a way to verify that you are who you claim to be. Usually it combines a piece of information that you know, such as a password, with something that you have, such as a phone, a code card or a physical key that you must slide into your device.
Sometimes that second factor might involve identifying a pre-selected picture on a website or verifying account access by a voice phone call. Some financial sites require a login and password and then verify you based on your browser or device.
One of the first brokers to adopt two-factor authentication was Interactive Brokers, says spokesperson Kalen Holliday. The broker used a code card for many years, and now also offers an app for desktop and mobile that requires you to enter a PIN or a fingerprint on your phone. Interactive Brokers can also be set up to require facial recognition, says Holliday.
Two-factor authentication has made financial accounts more secure, but it’s not clear by how much. Identity theft continues to be a huge problem, and while consumers may feel more secure using the multi-step process, not enough research has been done to study how effective it is.
So how secure is two-factor authentication?
“Two-factor authentication does not provide as much security as one might assume,” says Dr. Yinglian Xie, CEO of DataVisor.
Even the industry standard and best practice are still liable to hacking, according to experts. And some financial institutions are lax in how they implement their authentication, too.
To be implemented properly, such authentication must combine different factor types: something you know, something you are (a biometric) or something you have (a physical item), says Maxime Rousseau, chief information security officer at Personal Capital. Instead, some companies simply added security questions on top of the password requirement; both are knowledge factors, so that doesn’t afford the same security, he says.
“Industry-standard multi-factor authentication today typically combines a password and SMS code,” says Rousseau. But the leading organizations or higher-risk ones are moving from this standard to app-based codes to combat phone-hijacking attacks, he says.
These hijackings are becoming more common, rising from about 380,000 in 2017 to some 679,000 in 2018. Of course, phones are one of the most popular verification methods.
“As mobile technologies become more vulnerable, two-factor authentication as a security measure is increasingly less effective,” says Dr. Xie.
But how ineffective? Dr. Josephine Wolff, a professor of cybersecurity policy at Tufts University, says there’s been little published on exactly how secure two-factor authentication is.
“It hasn’t been studied and tested as thoroughly as it could be,” says Wolff. “So we still don’t have a great grasp on the strengths and weaknesses of different types of second factors.” However, she notes that Google recently published a pair of studies that “make big steps” to dissect which factors are more secure.
And as for the safety of financial institutions, we simply don’t know, says Wolff. “Most sites don’t release any numbers about how often their users’ accounts are compromised, so we don’t really know who’s doing the best or worst job.”
Potential loopholes for hackers
“While no security system is foolproof, adding multi-factor authentication is a smart way to reduce the risk of account takeover,” says Gary Zimmerman, CEO of MaxMyInterest. But some types of two-factor authentication are weaker than others, he says.
For example, if you reuse your email login and password for a financial account, a hacker who compromises one has both, and can also pass any identity check the financial site runs through your email. It’s like giving thieves the keys to your front door and hoping they don’t discover the keys work for your safe, too.
Breaking some types of two-factor authentication is not uncommon, says Dr. Wolff. Hackers can design fraudulent websites that look nearly identical to the real ones. Then, purporting to be from a bank or broker, they email people that their account is about to expire or is missing data. The email instead sends the customer to the fake site, which captures whatever login information the customer types in.
The hacker enters this information on the real bank site, generating a text message with a one-time code to the user. Unsuspectingly, the user then enters that code on the fake website, and then the hacker enters it on the real site, gaining access to the account.
Such an imperfection doesn’t mean we should abandon two-factor authentication, Wolff says. Rather, “we should study it rigorously and figure out how it can be implemented most effectively.”
Consumers often find security technology to be annoying
Account security is not helped by the fact that some consumers can find two-factor authentication annoying. A 2017 survey of cybersecurity professionals by SecureAuth Corporation found that 74 percent whose organizations use two-factor authentication receive complaints from users about the process. Nearly 10 percent of users said they actually hate it. Despite these problems, many have become accustomed to the extra step and barely notice it now.
“The best approach is one that requires the fewest steps and the fastest authentication, while still keeping financial accounts as secure as possible,” says Holliday.
Many people would trade an occasional annoyance when signing on to ensure that their identity and financial accounts remain secure. So two-factor authentication has proliferated, notably at financial institutions, which have a lot to lose if your money is stolen.
The surge of new fintech companies and the development of a wave of digital products has also driven the move to multi-factor authentication, says Pierre Demarche, vice president, product and marketing at TeleSign, an online security company. “As these newcomers enter,” he says, two-factor authentication “isn’t viewed as a nice-to-have but rather an expected feature.”
Consumers may view these security steps as annoying, but they’re not going away. “Banks are constantly testing and comparing their options in an effort to stay relevant and secure,” says Demarche, and that’s only going to continue.
How consumers can stay secure when online
Although two-factor authentication is not perfect, consumers should look to adopt this new standard, because it helps protect their money and their identity.
“While it may feel inconvenient to have to go through multi-factor authentication to access your accounts, know that the websites and financial institutions are implementing it for your benefit,” says Zimmerman.
So circumventing procedures created to protect your account is not recommended, even if logging in does become a bit more cumbersome.
In the meantime, security professionals will continue working toward authentication that is less intrusive while still maintaining security.
Dr. Xie explains one vision of such a process called zero-factor authentication. Such a process uses your “digital DNA” – your various online behaviors such as devices and activities – to verify your identity. “With AI, the reality of zero factor authentication is closer than we think.”
Some of the oldest advice is still some of the best. Don’t share your passwords, and create distinct passwords for each of your accounts.
But if you want to take security a step further, Wolff suggests going with a physical device such as a YubiKey as a second factor for high-value accounts. She also recommends using a password manager that can store and create complex and unique passwords. Two popular password manager apps are Keeper Security Password Manager and LastPass. Both can be accessed for free and are available on multiple computing platforms.
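The relay described under “Potential loopholes for hackers” and the hardware-key advice here are two sides of one design point: an SMS or app code is a bearer value the bank accepts from whoever presents it, while a security key such as a YubiKey answers the bank’s challenge together with the web origin the browser is actually showing, so an answer produced on a look-alike site does not verify at the real one. The Python simulation below is an added example, not code from the article or from any of the companies quoted; the origins, the username and the HMAC stand-in for the key’s signature are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample origins for the simulation (not real sites).
BANK_ORIGIN = "https://bank.example"
PHISHING_ORIGIN = "https://bank-example-verify.example"


class OtpServer:
    """Models the SMS/app one-time-code path: the bank issues a six-digit
    bearer code and accepts it from whoever presents it."""

    def __init__(self):
        self.pending = {}  # username -> code awaiting confirmation

    def start_login(self, username):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = code
        return code  # in reality this is texted to the user's phone

    def finish_login(self, username, code):
        expected = self.pending.pop(username, None)
        # Nothing here records where the user typed the code, so the server
        # cannot tell a code entered on a look-alike page from one entered
        # on its own page.
        return expected is not None and hmac.compare_digest(expected, code)


def _bind(key, origin, challenge):
    """Tie a challenge to an origin. A real security key produces a public-key
    signature; HMAC stands in so the example runs on the standard library."""
    return hmac.new(key, origin.encode() + b"\x00" + challenge, hashlib.sha256).digest()


class OriginBoundServer:
    """Models a server verifying a hardware-key assertion: the challenge is
    checked together with the bank's own origin, as WebAuthn does with the
    origin field in client data."""

    def __init__(self, origin):
        self.origin = origin
        self.credentials = {}  # username -> registered key material
        self.pending = {}      # username -> outstanding challenge

    def register(self, username, key):
        self.credentials[username] = key

    def start_login(self, username):
        challenge = secrets.token_bytes(32)
        self.pending[username] = challenge
        return challenge

    def finish_login(self, username, assertion):
        challenge = self.pending.pop(username, None)
        key = self.credentials.get(username)
        if challenge is None or key is None:
            return False
        expected = _bind(key, self.origin, challenge)
        return hmac.compare_digest(expected, assertion)


class SecurityKey:
    """Models the user's hardware key. The browser, not the user, supplies the
    origin of the page requesting the assertion, so the key answers over
    whichever site the user is really on."""

    def __init__(self):
        self.key = secrets.token_bytes(32)

    def registration_material(self):
        return self.key  # with FIDO the bank would receive a public key instead

    def assert_login(self, challenge, browser_origin):
        return _bind(self.key, browser_origin, challenge)


def otp_code_relayed_from_lookalike_site():
    """Bearer code typed on the look-alike page and forwarded to the bank."""
    bank = OtpServer()
    code_texted_to_user = bank.start_login("alice")
    # The user reads the code from the text and types it on the page they
    # believe is the bank; that page forwards it unchanged.
    forwarded_code = code_texted_to_user
    return bank.finish_login("alice", forwarded_code)  # True: bank cannot tell


def key_assertion_relayed_from_lookalike_site():
    """Same relay, but the second factor is an origin-bound assertion."""
    key = SecurityKey()
    bank = OriginBoundServer(BANK_ORIGIN)
    bank.register("alice", key.registration_material())
    challenge = bank.start_login("alice")  # forwarded to the user's browser by the look-alike page
    assertion = key.assert_login(challenge, browser_origin=PHISHING_ORIGIN)
    return bank.finish_login("alice", assertion)  # False: answer covers the wrong origin


def key_assertion_from_real_site():
    """Control case: the user is on the genuine bank page."""
    key = SecurityKey()
    bank = OriginBoundServer(BANK_ORIGIN)
    bank.register("alice", key.registration_material())
    challenge = bank.start_login("alice")
    assertion = key.assert_login(challenge, browser_origin=BANK_ORIGIN)
    return bank.finish_login("alice", assertion)  # True


if __name__ == "__main__":
    print("OTP relayed from look-alike site accepted:", otp_code_relayed_from_lookalike_site())
    print("Key assertion relayed from look-alike site accepted:", key_assertion_relayed_from_lookalike_site())
    print("Key assertion from real site accepted:", key_assertion_from_real_site())
```

The point to take from the three outcomes is that the protection comes from the browser binding the answer to the origin it displays, not from the key being a physical object: a bank that verified the challenge without checking the origin would be no better off than with a texted code.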
Two-factor authentication is valuable even if it’s not foolproof. As the pros study which techniques are the most secure, consumers should expect to see new types of security emerge over time.
But the bad guys will still be looking for ways to go up, around or through the digital fence to get to your money. So consumers should carefully follow best practices for protecting their financial information to eliminate or at least mitigate their risk.