There’s been a lot of chatter lately around two-factor authentication (2FA) and multi-factor authentication (MFA). We’re seeing more and more websites and applications enforcing 2FA—like Google recently announcing 2FA will be turned on by default for all accounts, plus 杏吧传媒 has already hopped on the enforced MFA bandwagon.
But that led us to wonder: How easy is it for malicious threat actors to circumvent 2FA?
In a recent Tradecraft Tuesday episode, we talked about the various types of 2FA and if there’s a “right way” to set up 2FA (or even better, MFA). You can , or keep reading for some key takeaways and to see how easy it can be to sneak past 2FA.
Two-factor authentication is a verification method that requires users to provide at least two forms of identification in order to access something.
Rather than just asking for a username and password, 2FA requires an additional verification factor, which can decrease the likelihood of a successful cyberattack. These factors can include:
When you think of authentication, you probably think of the typical username and password (that's the single factor). But as we all know, those passwords can easily be stolen, shared, reused or compromised in some way.
Instead of relying on a single factor, 2FA adds an additional layer of security by requiring another or multiple forms of authentication—in theory, making it harder for hackers and unauthorized users to gain access to your accounts or devices.
Because two-factor authentication adds that extra layer of security, a lot of people assume that makes it impenetrable. But, like almost anything these days, 2FA can be bypassed.
Let’s dive into just how easy it is to bypass 2FA. For the purposes of this example, we’re only going to pick on SMS-based authentication, which is a method that allows users to verify their identities with a code that is sent to them via text message.
As the avid cell phone and smartphone users that we all are, we know how phone carriers want to provide their customers with the best customer service. Unfortunately, that need to please can easily be exploited.
The image below illustrates how attackers can trick phone carriers through a tactic called SIM swapping. In a nutshell, SIM swapping is when a scammer steals your mobile phone number by assigning it to a new SIM card. By calling up your carrier’s customer service line and giving a few details about you, a hacker can claim that your original phone and SIM card were lost or destroyed and they have a new SIM card they’d like to activate.
Here鈥檚 a look at SIM swapping in action:
Let鈥檚 put this into the context of SMS-based 2FA. Can you see why SIM swapping could be a huge issue?
If an attacker knows your username and password and was successful in tricking your carrier into a SIM swap, then once they enter your credentials, the authentication code is texted to the number they now control, and BOOM, they’re in. That so-called second factor is now bypassed, all because people are far more exploitable than technology.
Please note: We’re not trying to strike fear into your heart. In fact, the most common targets of SIM swapping are celebrities, politicians or Fortune 500 CEOs. What we are trying to emphasize is that in this case, the security of your SMS authentication relies on the security of a third-party carrier, or lack thereof.
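As an added example (not code from the original post, nor from 杏吧传媒 or Tradecraft Tuesday), the Python below models the trust relationship described above: the login server's SMS factor is bound to a phone number, and the carrier alone decides which SIM that number reaches. It also includes a standard RFC 6238 TOTP routine to contrast a device-bound code, which the post does not name; the carrier, phone number, SIM ids and username are constructed for the model.

```python
import hashlib
import hmac
import secrets
import struct
import time


class Carrier:
    """Toy carrier (constructed for this example): routes each phone number to
    the SIM that currently receives its text messages."""

    def __init__(self):
        self.routing = {}   # phone number -> SIM id
        self.inbox = {}     # SIM id -> texts delivered to that SIM

    def activate(self, number, sim_id):
        # "Activating a new SIM" for a number is this one line at the carrier:
        # from now on the number's texts land on whichever SIM was named.
        self.routing[number] = sim_id
        self.inbox.setdefault(sim_id, [])

    def send_sms(self, number, text):
        self.inbox.setdefault(self.routing[number], []).append(text)

    def read_sms(self, sim_id):
        return list(self.inbox.get(sim_id, []))


class SmsSecondFactor:
    """Server side of SMS-based 2FA: after a correct password, text a one-time
    code to the number enrolled on the account and check what comes back."""

    def __init__(self, carrier):
        self.carrier = carrier
        self.pending = {}   # username -> outstanding code

    def challenge(self, username, number):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = code
        self.carrier.send_sms(number, f"Your login code is {code}")

    def verify(self, username, code):
        expected = self.pending.pop(username, "")
        return hmac.compare_digest(expected, code)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code is a function of a secret held on the
    user's device and the current 30-second window, so no carrier is involved."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10**digits:0{digits}d}"


def sim_swap_scenario():
    """Walk through the scenario from the post against the toy models above."""
    number = "+1-555-0100"                   # constructed sample number
    carrier = Carrier()
    carrier.activate(number, "sim-victim")   # the victim's original SIM
    sms = SmsSecondFactor(carrier)

    # The SIM swap: customer service is convinced to move the number to a
    # different SIM. Nothing on the account or the login server changes.
    carrier.activate(number, "sim-attacker")

    # The login server does exactly what it always does: it texts the code to
    # the number enrolled on the account. The carrier now delivers it elsewhere.
    sms.challenge("victim", number)
    delivered_to_attacker = carrier.read_sms("sim-attacker")
    delivered_to_victim = carrier.read_sms("sim-victim")
    code_seen_by_attacker = delivered_to_attacker[-1].split()[-1]

    return {
        "victim_received_code": bool(delivered_to_victim),
        "attacker_received_code": bool(delivered_to_attacker),
        "second_factor_passed_with_attacker_code": sms.verify("victim", code_seen_by_attacker),
    }


def device_bound_factor_demo():
    """A device-bound code depends only on the shared secret and the time window,
    so re-routing a phone number does not move it. Checked against the RFC 6238
    reference vector (SHA-1, T=59 -> 94287082, last six digits 287082)."""
    rfc_secret = b"12345678901234567890"
    return totp(rfc_secret, 59)


if __name__ == "__main__":
    print(sim_swap_scenario())
    print("TOTP for the RFC 6238 vector:", device_bound_factor_demo())
    print("A code right now for a fresh device secret:",
          totp(secrets.token_bytes(20), int(time.time())))
```

The point the model makes concrete is that the login server never learns about the swap: it sends the code to the enrolled number as designed, and whether that number still reaches the legitimate user is decided entirely inside the carrier. A device-bound code has no such dependency, which is why the post's advice to avoid SMS-only 2FA holds even when the server side is implemented correctly.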
Yes, 100% it is. Layers are so important, and 2FA is another layer in your defense against attackers… but as we’ve seen, it isn’t perfect.
In our example, we showed just how bypassable SMS-based authentication is through SIM swapping or social engineering phone carriers. It’s clear that hackers are growing more sophisticated every day—with small amounts of information, there’s a lot of damage they can do. So if possible, avoid SMS-only authentication when you’re setting up 2FA.
And of course there’s the convenience argument. Some users will complain that 2FA is a pain for them because they need to take another step to log in. That’s understandable, but cybersecurity is always a trade-off. Given the sheer cost of security incidents today, a few extra steps are much less painful than dealing with a cyberattack.
And if there are a few key lessons we can leave you with, it’s these:
If you want some more two-factor tips or want to see a live demo of a real 2FA bypass, !