Why Passwords and 2FA Aren’t Enough

Eric Seward June 19, 2019

Amid growing threats of cyberattack, companies are requiring both strong password policies and two-factor authentication (2FA). Some of today's more popular second factors include biometrics such as a fingerprint and a one-time password (OTP) sent to your phone via SMS text. Secret questions are also common, although they are really a second piece of knowledge rather than a second factor, and are only as secret as the answers.

But as the popular site Reddit recently found out the hard way, attackers can intercept 2FA text messages, and a second factor that can be intercepted is not much harder to defeat than a weak password.

Reddit breached via 2FA intercept

Attackers were able to access several areas of Reddit’s network systems, including backup data, source code, and other logs. Fortunately, they gained read-only access to those areas and weren’t able to alter any information, but it still led to a lockdown (and a wake-up call) on Reddit’s part.

“SMS-based authentication is not nearly as secure as we would hope,” system admins posted on the site in a note to users. “The main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.”

Reddit isn't unique in this vulnerability. Attackers don't even need a weakness in your site's own security; they can exploit a weakness in how people use their phones, together with tools that are freely available and easy to use.

Why is text-based 2FA so vulnerable to attack?

Text-based 2FA has been a popular way to verify identity over the years, largely because of its convenience and ease of use. But the mobile networks that deliver SMS still rely on an old signaling protocol, Signalling System No. 7 (SS7), which was designed for a closed club of telephone operators and does not authenticate the signaling messages exchanged between networks. Anyone who obtains access to the SS7 network can therefore redirect a subscriber's text messages to a phone they control, and the same access lets them track the subscriber's location in real time and eavesdrop on phone calls.

Reddit's advice to switch to token-based 2FA means using an authenticator app that generates the OTP locally (a software token). At enrollment, the server shows a QR code containing a secret key that is then known only to your app and the server. From that point on, both sides independently compute the same short code from the secret and the current time, typically a new code every 30 seconds; the code is not random, and it never travels over the phone network, so there is nothing for an SS7 attacker to intercept. Because each code is valid only for its time window, a captured code expires almost immediately, and a server that records the last code it accepted can refuse to accept the same one twice.

But this system isn't fool-proof, either. The phone holding the secret can be lost, stolen or compromised, and a code is still only as safe as the screen you type it into. So if cybersecurity is a top priority for your company, it's important to take protection to the next level.

A strong cybersecurity strategy is the best defense

Two-factor authentication is only the beginning of a strong cybersecurity plan. A comprehensive strategy also includes user access restrictions, vulnerability assessments, a recovery plan, human-error mitigation and more.

That's a lot of moving pieces, and the stakes are getting higher with each new fire-alarm headline. One way to make sure you're developing the best possible security framework for your company is to align to recognized standards and frameworks, such as ISO 27001 (which an organization can be certified against), the NIST Cybersecurity Framework, or, for healthcare data, HIPAA.

Aligning to those standards means you're operating on widely recognized practices for cybersecurity rather than improvising. And when 61% of companies around the globe say they experienced a cyber incident in the past year, staying ahead of attackers is more important than ever.