3 disadvantages of two-factor authentication

Strong passwords aren’t foolproof

While some people may be lazy or unoriginal and use weak passwords that are easy to break, strong passwords aren’t necessarily indestructible. They can be intercepted, keylogged, or leaked in large data breaches.

Over the last few years, the use of two-factor authentication has grown, primarily because a single password is too fragile and adding a second layer can keep your accounts more secure.

However, two-factor authentication isn’t impeccable, either. It can come around and bite you if you don’t pay attention to these overlooked risks.

Types of authentication factors
Multi-factor authentication is a method that requires users to present several pieces of evidence that confirm identity. If users fail to accurately provide all the authentication factors, the system will not grant access to the account.

Two-factor authentication is, as the name suggests, when the system requires two pieces of evidence.

While there are a variety of authentication factors that can be used as part of a system, they typically fall into one of three groups:

  • Knowledge (something you know): The system accepts you if you prove that you know a certain piece of information, such as a PIN, the answer to a security question, or tax return details.
  • Possession (something you have): The system accepts you if you prove that you have a physical device on you, including USB keys, card readers, SMS codes, auth apps, and wireless tags.
  • Inherence (something you are): The system accepts you via a biometric comparison, using fingerprint scanners, retina scanners, or voice recognition.

As with every system, there are issues that can arise. Let’s take a look at three risks and disadvantages of two-factor authentication:

1. Factors can get lost
There is no certainty that your authentication factors will be available when you need them. Typically, you are locked out of your account after one mistake is made.

In situations where you lose power or your phone is damaged by water, you won’t be able to get your SMS codes as the second authentication factor. Relying on a USB key as a second factor is also risky. It can easily be misplaced or accidentally run through the laundry. If you trust factors like PINs, there’s always the chance that you forget them. Biometric factors like eyes and fingers can be lost in accidents.

Most recently, victims of Hurricanes Harvey and Irma found themselves locked out of their accounts because they had no way to charge their phones. Without a phone, you cannot get authentication, and without that, you’re not granted access.

While account recovery is possible, it’s likely to be time-consuming and somewhat difficult. Also, if you have a number of accounts protected with a single factor and you lose that, then you’ll need to recover all of those.

2. False security
Two-factor authentication provides a level of security, but that level is typically exaggerated. For example, if you were locked out of a service because you lost a factor, you’re basically in the same predicament as a hacker attempting to gain access to your account. If you can reset your account without an access factor, then a hacker can, too.

Recovery options typically contradict the point of two-factor authentication, which is why companies like Apple have done away with them. However, without recovery options, your account may be lost forever.

There are also services like PayPal that use two-factor authentication but don’t fully execute it. The company offers a second factor called “PayPal Security Key,” but in 2014, it could be bypassed completely with no effort.

In sum, this means that you can use two-factor authentication and still have your account breached.

3. It can be turned against users
While two-factor authentication is intended to keep hackers out of your account, the opposite can happen. Hackers can set up or reconfigure two-factor authentication to keep you out of your own accounts.

Two-factor authentication may not be effective enough to secure your accounts, but it can also be too effective if you’re not careful. As services improve their two-factor practices and make account recovery more difficult, it’s important to set up the authentication on your necessary accounts before a hacker does.
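One way a service operator could watch for the lockout pattern described in section 3 and the recovery weakness from section 2 is to review every two-factor change against the account's device history. This is an added example, not part of the original article; the event names, log schema and thresholds are assumptions, and the log lines are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample audit events (hypothetical schema: ts, user, event, device).
EVENTS = [
    ("2024-03-01T08:00:00", "alice", "login", "laptop-1"),
    ("2024-03-09T08:05:00", "alice", "mfa_enroll", "laptop-1"),
    ("2024-03-10T02:11:00", "bob", "login", "phone-7"),
    ("2024-03-20T02:10:00", "bob", "recovery_used", "unknown-3"),
    ("2024-03-20T02:11:00", "bob", "login", "unknown-3"),
    ("2024-03-20T02:13:00", "bob", "mfa_remove", "unknown-3"),
    ("2024-03-20T02:14:00", "bob", "mfa_enroll", "unknown-3"),
    ("2024-03-21T09:00:00", "carol", "login", "tablet-2"),
    ("2024-03-21T09:02:00", "carol", "mfa_enroll", "tablet-2"),
]

TRUST_AGE = timedelta(days=7)          # assumed: a device is "known" after this long
RECOVERY_WINDOW = timedelta(hours=24)  # assumed: recovery this recent needs review
MFA_CHANGES = {"mfa_enroll", "mfa_remove"}

def suspicious_mfa_changes(events):
    """Return (ts, user, event, reasons) for 2FA changes that deserve review."""
    account_first, device_first, last_recovery, alerts = {}, {}, {}, []
    for ts_raw, user, event, device in sorted(events):
        ts = datetime.fromisoformat(ts_raw)
        account_first.setdefault(user, ts)
        first_seen = device_first.setdefault((user, device), ts)
        if event == "recovery_used":
            last_recovery[user] = ts
        if event not in MFA_CHANGES:
            continue
        reasons = []
        # New device on an account that already has older history.
        # A brand-new account enrolling from its first device is not flagged.
        if ts - first_seen < TRUST_AGE and first_seen > account_first[user]:
            reasons.append("new_device")
        # The change follows a recovery flow, which skips the second factor.
        rec = last_recovery.get(user)
        if rec is not None and ts - rec <= RECOVERY_WINDOW:
            reasons.append("after_recovery")
        if reasons:
            alerts.append((ts_raw, user, event, reasons))
    return alerts

if __name__ == "__main__":
    for alert in suspicious_mfa_changes(EVENTS):
        print(alert)
```

A flagged change is a prompt to notify the account owner on a previously verified channel or to hold the change for a cooling-off period, since a legitimate user replacing a lost factor produces the same `after_recovery` signal.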

Source: MakeUseOf
