Everything you Need to Know About 2FA

A straightforward guide to everything 2FA. From how it works, to why it matters, and even how it can be hacked.

More and more companies are taking the step of making 2FA mandatory: Google, GitHub, Salesforce, Twitter (just kidding). It’s looking like 2FA is going to become an ever larger part of our lives.

We’ve noticed that a lot of the explainers out there aren’t exactly accessible to the folks who have the most pressing questions. That’s where we come in. We’re going to try to answer all of the questions you might have about 2FA, in a way that not only makes sense, but helps you feel more confident in your online security. Let’s get started!


What’s the history of 2FA?

The history of 2FA is a bit fuzzy, but most people say it all started back in 1965 at Barclay’s Bank in England when they developed the original ATM (then known as the Automated Teller Machine). To operate and receive your money, you needed to enter a number code — simple!

Over the decades, we’ve seen numerous high-security institutions like the government use different versions of generated number codes in order to add extra security to their login credentials. But it wasn’t until January 2010 that the 2FA system we know today started to become a feature available to the public.

In 2011, Google was the first business to introduce 2FA for their MyBusiness accounts. Google needed to take action because they had noticed a drastic increase in account hacking. For several years, Google was the only company offering 2FA security, but between 2011 and 2016 numerous other industry leaders like Apple, Twitter, and Dropbox followed suit.

Recently, there’s been an uptick in companies enforcing 2FA, and that’s largely thanks to the Covid-19 pandemic. With the lockdown leading many people to switch to remote work, numerous people changed the ways they use their computers, leading to a rise in phishing schemes and hacking attempts. It seems like 2FA is only going to become a bigger part of people’s lives.

What’s phishing?

It’s the fraudulent practice of hackers sending emails or other messages pretending to represent reputable companies in order to trick individuals into handing over access to their accounts. Hackers gain access to people’s accounts by pressuring them into revealing personal information, such as passwords, 2FA codes, and credit card numbers.

What is 2FA? How does it work?

Let’s break it down. 2FA (Two Factor Authentication), also known as MFA (Multi-Factor Authentication), is an extra layer of security that goes beyond simply using your username and password to log into your accounts. When you try to log into your account, the business sends a code to your phone via text, you type the code into your computer, and you’re in. Even if someone else has your username and password, they won’t be able to access the code that’s on your phone, keeping your account safe.

2FA is just one way to verify your identity. Cyber security professionals actually have 3 different methods to help you prove your identity when logging into a program; they may ask you for:

  1. Something you know: For example, your username and password. But let’s be honest, there’s a reason why businesses are moving away from relying on the traditional username and password method: people often write down or reuse passwords, which can make your information and the business’ system vulnerable.
  2. Something you have: For example, a 2FA code sent to your cellphone. This requires you to have a separate, physical device (your cellphone) in order to authenticate your identity.
  3. Something you are: For example, scanning your fingerprint or listening to your voice. This is known as biometric validation; it allows you to validate your identity via specific biological markers.

One thing to keep in mind: the codes you get on your phone don’t last forever. They can expire anytime between 30 seconds and 10 minutes, depending on the business.

Why is 2FA important for security?

First off, let’s face it, making and keeping track of passwords is a hassle. According to studies by NordPass and Dashlane, the average person has between 70 and 100 different accounts. It’s easy for people to fall into the trap of using the same weak passwords across multiple accounts. But that’s a recipe for disaster: hackers can easily crack weak passwords, and a single cracked password can give them everything they need to know about you across different accounts.

That’s where 2FA comes in. It adds an extra layer of protection: even if a hacker got hold of your password, they would still need your phone to get into your account.

If you’re struggling to manage all your passwords, we recommend using a password manager like Bitwarden. Password managers allow you to store all your passwords securely, and help you generate strong, unique passwords. It helps you go from memorizing dozens of passwords, to just one!

Now, the second reason why 2FA is essential is that businesses are just as vulnerable to cyber-attacks as individuals. It’s not easy to store thousands or millions of people’s passwords. A study by the Identity Theft Resource Center showed that in 2022 there were 1,802 data breaches, impacting 10 million users and exposing critical information like passwords and social security numbers.

Again, even if a hacker was able to steal your password from a business, if you have 2FA enabled on your accounts, your information would be safe. However, it’s still important that you immediately change your password if you hear of a data breach involving a company you have an account with.

What’s the difference between 2FA and MFA?

First of all, 2FA is actually a type of MFA. 2FA is a method of authenticating your identity using two factors, for example your password (something you know) and an SMS text-message code (something you have). MFA refers to any identity authentication method that uses two or more pieces of evidence to confirm your identity, for example you might be asked to provide a fingerprint (something you are) along with a password and SMS text-message code.

It’s worth noting that there are lots of different types of MFA and 2FA out there. But when you hear businesses talking about 2FA, they often mean the SMS text-based method.

Is it safe to share my 2FA codes?

It’s safe — as long as you’re sharing them with trusted parties and you share them safely. Whether you share an account with your team or your partner, it’s good to take some precautions to make sure your account and your information stay secure:

  • Ask your team to double and triple check they’re sending the codes to the right person, email address, or phone number
  • Ask your team to lock their phones with a secure code or pattern
  • Teach your team how to spot potential threats like phishing emails
  • If you want to be extra-secure, provide your team members with a work phone that never leaves the office — that way, you can be sure the codes are going to the right place.

What are the consequences of someone stealing my information?

For businesses or individuals, it can mean a lot of trouble.

A data breach from a business can seriously damage a company’s reputation and financial standing. Losing user data can result in lost business, diminished trust from customers, and costly legal action.

The consequences for individuals can be even more dire. If someone gets their hands on your personal information, they can use it to commit fraud and wreak havoc on your life. The worst-case scenarios involve ruined credit, legal troubles, and generally feeling helpless against a faceless hacker.

It’s hard to think about but there are numerous steps you can take to protect yourself.

Can 2FA be hacked?

While it’s rare, there have been cases where hackers have tried to outsmart 2FA. We’ve listed some of the most common 2FA hacking methods below, along with ways to keep yourself safe from these kinds of attacks.

  1. Social Engineering: This is where a hacker tricks a person into giving up their important login information, like passwords, usernames, and 2FA codes. Often, hackers pretend to be a customer service representative. Please remember: you should never need to give a customer service agent any login information.
  2. Identity Theft: A hacker can gather enough information about you to call up customer service and pretend to be you, gaining access to your account. We hope that companies’ customer service departments are aware enough to prevent this from happening, but to be on the safe side, make sure that your security questions have answers that nobody could easily guess or find out about you.
  3. OAuth (Open Authorization): Occasionally applications may ask for permission to access your account, a common example is applications asking to access your Facebook account in order to post on your behalf. It’s best to rarely give applications access to your other accounts, and if you do, make sure the application is trustworthy and check that you aren’t giving them total access to your account.
  4. Proxy Attacks: A hacker may try to trick you into giving up your login credentials and 2FA code by leading you to a fake website that looks exactly like the real one. One common way they do this is by sending you a legitimate looking email with a link that takes you to a phony website. So, before you click on any links inside an email, make sure to double-check that the email and website addresses are the real deal. If you’re not sure, just do a quick Google search to find the right email and web address.
  5. Text-Based “Man-in-the-Middle” Attacks: A hacker can assign your phone number to a phone that they control, often by tricking telecom customer service staff into rerouting your phone number to a different phone. You can protect your phone number by asking your phone carrier to set up extra security, often by adding a PIN to your account.
  6. Supply Chain Attacks: Hackers can even attack the software that creates and distributes 2FA codes for businesses, helping them get into your account. Once they’re in your account, they try to intercept future 2FA codes by registering a secondary phone in your account. Unfortunately, these kinds of attacks can be hard for you to prevent, but one way to protect yourself is to keep an eye out for any unexpected emails about changes to your account. If you see something fishy, don’t hesitate to investigate further or reach out to the company for help.
  7. “Pass-the-Cookie” Attacks: Some browsers store authentication details, like 2FA codes, in cookies. Cookies are traditionally used to save information about your browsing session to make your experience smoother; in this case, your browser is storing your 2FA code so you don’t have to log into the website again and again. Unfortunately, if your authentication details are stored improperly, hackers can extract that data and take over your account. Again, you’re relying on businesses’ security measures to prevent this kind of attack from happening, but one way to protect yourself is by consistently clearing your browser cookies.

What are the different types of 2FA?

  1. SMS & Voice 2FA: This is the type of 2FA you’re likely most familiar with. Basically, you give a company your phone number, and when you log in, you get sent a text message or automated phone call. It’s popular because it only requires your cellphone, something you’re likely to have on you at all times. However, some people don’t like giving out their phone number to every single company, and it can be tricky to navigate 2FA if you’re travelling internationally.
  2. Push Notifications: When you log in, a prompt is sent to your phone. The prompt checks whether the location of the device you’re logging into matches the location of your phone (through IP address). If both devices are in the same location it’s unlikely you’re being hacked. Once the system has checked your location, you can approve or deny the login attempt. The one downside of this method is that you need data or an internet connection to approve.
  3. Email: You’re sent an email when you log in, and you copy a code or click a button to finalize the login. It’s highly intuitive since you’re likely already working on your computer, but this method is considered the least secure because it’s only re-verifying your password, and not truly asking for another layer of identification.
  4. Authenticator Apps, Software Token, & TOTP 2FA: These methods require you to install an application onto your phone and computer. Then, when you next log in, you scan a QR code on the website you’re logging into, you receive a number-based code, and you complete the login. The pros are that you don’t need to have access to the internet to use Authenticators, and that hackers would never be able to intercept the number code without the QR code. The downsides are that it can be an inconvenient process if you have to log in again and again, and some websites don’t support Authenticators.
  5. Hardware Tokens: When you log in, you plug a USB device into your computer, and the USB device passes a code along to the program you’re logging into. The downside is that they can be expensive for businesses to maintain, and it’s easy to lose something physical.
  6. Biometrics: This method uses a sensor to scan your face, fingerprint, retina, or voice as proof of your identity. This method is considered extremely secure, however, there are privacy concerns regarding companies saving biometric data, it can be expensive to implement, and it can be exclusionary to people with physical disabilities.

What if I lose my 2FA device?

Don’t panic! There are a few steps you can take to protect your accounts and information if you’ve lost your phone.

  1. Try to locate your device: Give your phone a call, use your phone carrier’s mobile app to send an alert, or use a built-in find-my-phone feature. Maybe some kind person has found it and will return it to you.
  2. Remotely erase your data & lock your device: Both Apple and Android phones have features that allow you to erase your phone’s data and lock your device remotely. This is especially important if you suspect your device has been stolen.
  3. Contact your mobile carrier: Ask your carrier to disable service to your phone, so that no one else can access your 2FA codes. This may also prevent the thief from selling your stolen phone.
  4. Get a new phone: Most likely your carrier should be able to transfer your phone number to a new phone.
  5. Update your account information: If you lost your phone number, you’ll need to update your number on all of your accounts. This will require additional validation via email, voice authentication, ID upload, or backup codes.
  6. Change your passwords: If your phone had access to any accounts, it’s a good idea to change the passwords for those accounts. This will prevent anyone from accessing your account, even if they have access to your 2FA code.

Should I use 2FA on all my accounts?

While 2FA may be a little less convenient than just using a username and password, it’s highly recommended that you use it wherever possible, especially on accounts that hold sensitive information, such as:

  • Identification: Social Security numbers, home address, phone number, birth dates, etc.
  • Financial: Credit card numbers, bank account information, investment information, etc.
  • Health: Details regarding health conditions and medical records.
  • Intellectual Property: Product information, such as manuals, specifications, formulas, etc.
  • Competitive Documents: Market studies, pricing information, business plans, etc.
  • Legal: Documentation regarding cases, legal options, etc.
  • IT Security Data: Lists of user names, passwords, encryption information, etc.

Are there alternatives to 2FA?

If you want to use a service that requires 2FA, there really are no alternatives. That said, in addition to 2FA, you can add even more security by using a password manager and a 2FA Authenticator App.

Is SMS text-based 2FA the most safe identity authentication method?

The safest method is the method that people will actually use. While other authentication methods may technically be safer, they can also be more frustrating or expensive to implement. Both individuals and businesses need to find a balance between developing a safe and easy-to-use method.

Consider how many times you log into your accounts every day. If the authentication process is long and frustrating, people are more likely to try to work around your security solution. That’s why it’s important to strike a balance between security and usability.


Phew!

That was a lot of information! We hope we were able to answer all your questions about 2FA! It can be hard to leap into learning about an unfamiliar and technical concept, but we hope we were able to break it down for you. Keep your eye out for our next article, and thanks for your time!
