Though two-factor authentication (2FA) is a relatively old tool for securing logins, many people still have not enabled it to stop their accounts from being misused. Yes, 2FA adds an extra step to the sign-in process, and enabling it for every account can be a little tiresome, but a password on its own makes it easier for fraudsters to gain access to your bank account, debit/credit cards, or social media accounts.
If you have linked several third-party accounts or sites to your Google account, enabling 2FA is highly advisable: if an attacker manages to log in, they can reach all of your linked accounts and even change the password to lock you out. Similarly, if you have linked your Instagram account to Facebook, the attacker only needs to crack one password to get access to both accounts, and with them your entire online reputation.
If you don’t think this will happen to you, understand that attackers break into accounts through phishing, credential stuffing, brute-force attacks, and other methods. Enabling two-factor authentication guards against these situations because signing in also requires an OTP or code from something you have, such as your smartphone, so an attacker cannot sign in with the password alone. Some second factors are easier to intercept than others, though, as the rest of this piece explains.
Google offers quite a few options to protect your account. After enabling 2FA, you can sign in with backup codes, or get codes via text message, voice call, or the Google Authenticator app, which generates the codes on the device itself without needing a network connection. You can also use a physical security key or approve a push prompt on your phone.
But with uptake of two-factor authentication still low, Google is planning to make it mandatory. While Google has not revealed the current percentage of users with 2FA enabled, over 90 per cent of Google account users were not using the feature in 2018. Other popular services such as Facebook, Twitter, WhatsApp, and Amazon also offer 2FA, with similar levels of uptake.
While Amazon now has a form of 2FA, sending a link to the user’s mobile phone when a new login is initiated, e-commerce companies like Flipkart are yet to adopt similar features. E-commerce accounts are particularly at risk since many users have saved card details to their accounts.
Prime Video, being an Amazon service, has 2FA available, while Netflix does not; the latter does, however, send log-in alerts.
Can two-factor authentication (2FA) be hacked?
While 2FA is not 100 per cent hack-proof, cybersecurity firms Kaspersky and Check Point told indianexpress.com that it can certainly prevent misuse of data in case of a breach.
“Two-factor authentication, although not 100% hack-proof, is one of the most effective ways available to safeguard your accounts. If it seems like a minor hassle, weigh that brief inconvenience against the headaches of clearing up identity theft,” a Kaspersky spokesperson said.
While financial institutions worldwide use two-factor authentication, sending one-time passwords via SMS might not be the best method, as the messages are open to interception. For example, anyone nearby can sneak a peek at a code sent by SMS if lock-screen notifications are enabled. Even if notifications are turned off, a SIM card can be removed and installed in another phone, giving access to the SMS messages carrying the codes. Kaspersky adds that such messages can also be intercepted by a Trojan lurking on the smartphone itself.
Check Point believes neither SMS nor email is that safe. “Trickbot, which is a banking trojan, sends unsolicited emails that direct users to download malware from malicious websites or trick them into opening malware through an attachment,” says Sundar Balasubramanian, Managing Director, India and SAARC Region, Check Point.
Additionally, researchers at IBM found that the TrickBot operators had developed a malicious Android app called TrickMo, which intercepts the OTP codes that banks send to customers for authentication without the user’s knowledge.
“Using various underhanded tactics (persuasion, bribery, etc.), criminals can get hold of a new SIM card with the victim’s number from a mobile phone store. SMS messages will then go to this card, and the victim’s phone will be disconnected from the network. SMS messages with passwords can be intercepted through a basic flaw in the SS7 protocol used to transmit the messages,” adds the Kaspersky spokesperson.
What can you do to secure your accounts?
Balasubramanian suggests that a more secure option is the Time-based One-Time Password (TOTP) algorithm used by many smartphone apps. “During setup, the authentication device (smartphone, USB key, etc.) shares a secret random seed value. Both the server and the authentication device then use a common algorithm to transform this seed over time.”
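To make that description concrete, here is an added example, written for this piece and not code from the article or from Check Point, of the two algorithms involved in Go: RFC 4226 HOTP (HMAC-SHA1 over a counter, then dynamic truncation to six digits) and RFC 6238 TOTP, which simply uses the number of 30-second intervals since the Unix epoch as that counter. Nothing is sent over SMS: both sides compute the same code from the shared seed and the clock. The verifier accepts one interval either side for clock drift and compares in constant time. The base32 string in main() is a constructed demo seed (the RFC test-vector secret "12345678901234567890"); the function names, the window size and the otpauth-style base32 handling are this example's own choices.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

// hotp implements RFC 4226: HMAC-SHA1(secret, counter), dynamic truncation,
// then the low `digits` decimal digits, zero-padded.
func hotp(secret []byte, counter uint64, digits int) string {
	mac := hmac.New(sha1.New, secret)
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac.Write(msg[:])
	sum := mac.Sum(nil)

	offset := sum[len(sum)-1] & 0x0f // dynamic truncation: low nibble picks the 4-byte window
	bin := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff

	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, bin%mod)
}

// totp implements RFC 6238: the counter is the number of `step`-second
// intervals since the Unix epoch, so both sides need only the shared seed
// and roughly synchronised clocks; no network delivery of the code is involved.
func totp(secret []byte, unixTime, step int64, digits int) string {
	return hotp(secret, uint64(unixTime/step), digits)
}

// verifyTOTP accepts the submitted code for the current step and up to `skew`
// steps either side (clock drift). It compares in constant time and never
// returns early, so response timing does not reveal which step matched.
func verifyTOTP(secret []byte, submitted string, unixTime, step int64, digits int, skew int64) bool {
	ok := false
	for d := -skew; d <= skew; d++ {
		expected := totp(secret, unixTime+d*step, step, digits)
		if hmac.Equal([]byte(expected), []byte(submitted)) {
			ok = true
		}
	}
	return ok
}

// decodeSecret parses the base32 seed an authenticator app receives in its
// otpauth:// provisioning URI (lower case and spaces tolerated).
func decodeSecret(s string) ([]byte, error) {
	s = strings.ToUpper(strings.ReplaceAll(s, " ", ""))
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

func main() {
	// Constructed demo seed: the RFC 4226/6238 test-vector secret
	// "12345678901234567890", base32-encoded as an app would receive it.
	secret, err := decodeSecret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
	if err != nil {
		panic(err)
	}
	now := time.Now().Unix()
	code := totp(secret, now, 30, 6)
	fmt.Println("current code:", code, "accepted:", verifyTOTP(secret, code, now, 30, 6, 1))

	// A code captured two steps (60 s) ago falls outside the window and is rejected,
	// which is also why an intercepted code is only useful to an attacker briefly.
	stale := totp(secret, now-60, 30, 6)
	fmt.Println("stale code:  ", stale, "accepted:", verifyTOTP(secret, stale, now, 30, 6, 1))
}
```

The seed is the only long-lived secret: once it has been shared at setup (usually by scanning a QR code), the codes themselves never travel over the phone network, which is the property that removes the SMS interception routes described above. A server should additionally remember the last step it accepted for a user and refuse a second login with the same code.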
Kaspersky highlights that users can combine different 2FA methods for different services. For example, top-priority accounts (such as a mailbox linked to other sites) should be protected to the hilt, that is, locked with a hardware U2F token and with all other 2FA options disabled, since an attacker can otherwise simply fall back to the weakest method left enabled.
U2F hardware security tokens are small devices, usually USB (some models also use NFC or Bluetooth), based on the FIDO U2F standard. Rather than producing a code that can be read off a screen or relayed, the token answers the site’s challenge with a digital signature bound to the site’s origin, and the private key never leaves the device, so a phishing page cannot obtain anything it can replay to the real site. Google’s Titan Security Key and the YubiKey are two examples. With the token as the only second factor, an attacker holding your password, or even a phished one-time code, cannot sign in without physical possession of the key; the flip side is that losing it locks you out too, so register a spare key or keep backup codes somewhere safe.
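The property that makes the token phishing-resistant is origin binding, and the following added example (a simplified model written for this piece, not code from Kaspersky, Google or Yubico) demonstrates it in Go. It reproduces the shape of the U2F authentication message (application hash, user-presence byte, signature counter and client-data hash, signed with a P-256 key) but is not a wire-compatible implementation; the origins, the challenge string and all type and function names are constructed for the demo. The point it shows: the browser, not the web page, writes the real origin into the client data and derives the application identifier from it, so a look-alike site receives a signature over the wrong origin, which the genuine site rejects; the signature counter separately rejects replayed assertions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData is built by the browser, not the page: the server's challenge plus the real origin.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is the token's reply, which the page relays to the server.
type assertion struct {
	ClientData []byte // JSON of clientData
	Counter    uint32 // token's signature counter, must only increase
	Sig        []byte // ASN.1 ECDSA signature over signedDigest(...)
}

// hardwareToken holds a P-256 private key that never leaves the device.
type hardwareToken struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

// signedDigest mirrors the U2F layout: SHA-256(appID) || presence byte || counter || SHA-256(clientData).
func signedDigest(appID string, counter uint32, cd []byte) []byte {
	app, cdh := sha256.Sum256([]byte(appID)), sha256.Sum256(cd)
	msg := append(app[:], 0x01, byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
	digest := sha256.Sum256(append(msg, cdh[:]...))
	return digest[:]
}

// sign is driven by the browser, which supplies the origin it verified itself; the appID is derived from it too.
func (t *hardwareToken) sign(browserOrigin, challenge string) (assertion, error) {
	raw, _ := json.Marshal(clientData{Challenge: challenge, Origin: browserOrigin})
	t.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, t.priv, signedDigest(browserOrigin, t.counter, raw))
	return assertion{ClientData: raw, Counter: t.counter, Sig: sig}, err
}

// relyingParty is the genuine site: its own origin, the user's registered public key, highest counter seen.
type relyingParty struct {
	origin      string
	pub         *ecdsa.PublicKey
	lastCounter uint32
}

func (rp *relyingParty) verify(challenge string, a assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientData, &cd); err != nil {
		return err
	}
	if cd.Origin != rp.origin {
		return fmt.Errorf("origin mismatch: token signed for %q", cd.Origin)
	}
	if cd.Challenge != challenge {
		return fmt.Errorf("challenge mismatch (replayed assertion?)")
	}
	if a.Counter <= rp.lastCounter {
		return fmt.Errorf("signature counter did not increase (cloned token?)")
	}
	// Recomputed with the RP's own origin: rewriting ClientData afterwards breaks the signature.
	if !ecdsa.VerifyASN1(rp.pub, signedDigest(rp.origin, a.Counter, a.ClientData), a.Sig) {
		return fmt.Errorf("bad signature")
	}
	rp.lastCounter = a.Counter
	return nil
}

// loginFrom models one login with the user's browser on browserOrigin; the assertion
// reaches the genuine site either directly or relayed by a look-alike page.
func loginFrom(browserOrigin string) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	tok := &hardwareToken{priv: priv}
	rp := &relyingParty{origin: "https://accounts.example.com", pub: &priv.PublicKey}
	challenge := "constructed-demo-challenge" // real servers send fresh random bytes per login
	a, err := tok.sign(browserOrigin, challenge)
	if err != nil {
		return err
	}
	return rp.verify(challenge, a)
}

func main() {
	fmt.Println("genuine site:", loginFrom("https://accounts.example.com"))
	fmt.Println("phishing site:", loginFrom("https://accounts-example.com.evil.test"))
}
```

Running it prints a nil error for the genuine origin and an origin-mismatch error for the look-alike. Contrast this with a TOTP or SMS code, which is just six digits the user can be talked into typing into the wrong page: the token's answer is useless anywhere except the origin the browser actually saw.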
“Users can also use different types of keys: For example, an authenticator app on your smartphone as the primary one, and a U2F token or a slip of paper with one-time passwords in your safe as a backup. In any case, the main piece of advice is to avoid using SMS-based one-time passwords whenever possible, especially for banking-related accounts,” advises the Kaspersky spokesperson.