In a time where data breaches have become the norm, there is no such thing as exercising too much caution when it comes to protecting your online assets, including your login credentials and access to accounts. Two-factor authentication (2FA), a method of confirming a user’s identity via combining two factors is widely accepted and recommended by security experts as a necessity for optimum security online. 2FA is a great added security feature to protect your account because an unauthorized individual is unlikely to supply the factors required to successfully gain access. However, the type of authentication you select can either help protect you or do just the opposite.
Two-Factor Authentication (2FA)
2FA may be accomplished by entering a one-time password (OTP) that is sent to or generated by a user’s mobile phone or could be in the form of a cryptographic token that is sent to the user through a security key attached to the device attempting to log in.
It has become rather clear in recent years that OTPs sent through SMS messages are not secure. In fact, even Congress has noticed the vulnerabilities associated with the delivery of OTPs, which is done through Signaling System Seven (SS7). SS7 is used by wireless carriers globally to ensure their networks interoperate. While the functionality of SS7 is meant to provide quality service with uninterrupted phone calls, country to country messaging, etc., the same system can be used maliciously to eavesdrop, geographically track, and hack individuals.
Despite many security professionals advising against phone-based authentication, many individuals and organizations continue to operate using this method for 2FA. Unfortunately, some of those organizations are learning the hard way that phone-based authentication really is a vulnerability waiting to be exploited.
Reddit Breach – Employees Did Have 2FA enabled
Reddit recently learned the security flaws of phone-based 2FA when some employee accounts were breached as a result of the type of authentication they were using for their 2FA, which was SMS-based (using the OTP method).
On June 19, we learned that between June 14 and June 18, an attacker compromised a few of our employees’ accounts with our cloud and source code hosting providers. Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.”
The hackers that broke into Reddit’s systems got away with some current email addresses and accessed a 2007 backup database, which contained old login credentials. While that may not sound like much, login credentials were inappropriately accessed, which could cause some serious trouble for individuals who created a Reddit account in 2007 and have not updated their passwords, or who reused them across various platforms.
Although having some form of 2FA is better than having none at all, the Reddit hack serves as a huge reminder that phone-based authentication lacks one major feature; true security.
Token-Based Authentication – The Safer Approach
Tokens are more secure than other authentication methods such as SMS-based authentication because the token itself doesn’t store any sensitive information. This is made possible because tokens can be used to replace a user’s actual credentials. The token acts as a placeholder for a user’s credentials that way the credentials cannot be compromised as they travel between the server, web application, and user’s browser.
Whether or not you’re using 2FA, it is important to maintain healthy password practices. Don’t reuse passwords across various systems, update your passwords periodically, keep them complex or use a passphrase, and don’t share them with others. Remember, passwords are the keys to your online doors; do your best to protect your assets.