“Hackers were able to breach my password, and could even get through two-factor authentication, which I have had enabled since last year, to break into my account. The malicious actors proceeded to change the recovery phone number to an unknown number and the recovery email address to the same hacked email address so I could not get back in,” a victim of a cyber attack recently lamented in an online forum.

This individual’s experience is far from unique. Scores of others report similar breaches or attempts to infiltrate their email accounts and networks, highlighting a growing problem despite the use of the supposedly secure two-factor authentication (2FA) method.

This method is one of the key housekeeping norms that cybersecurity experts strongly advocate. It offers an additional layer of security over and above the regular password, making it difficult for hackers to break into the accounts.

Once activated, users are asked to authenticate the login process by keying in an OTP (one-time password) sent automatically to an alternative email account or phone number or through an authentication app.  

The idea is that, since the hacker does not have access to the OTP, they should not be able to breach the account even if they succeed in breaking the primary password.

But cybersecurity experts say hackers have found ways to overcome this hurdle. They use social engineering to infect phones with malicious software and to launch phishing attacks. Some hackers also use simpler methods, such as phoning the victim and tricking them into revealing the OTPs.

“Social engineering can be incredibly tricky, especially with the use of OTP bots that can mimic real calls from representatives of legitimate services. To stay on guard, it’s crucial to remain vigilant and follow best security practices. Through continuous research and innovation, Kaspersky provides cutting-edge security solutions to safeguard digital lives,” Olga Svistunova, a security expert at Kaspersky, says.  

An OTP bot is a tool used by scammers to intercept OTPs through social engineering techniques. Attackers usually attempt to obtain the victim’s login credentials through phishing or data leaks, then log in to the victim’s account, triggering an OTP to be sent to the victim’s phone.  

“After that, the OTP bot calls the victim, pretending to be a representative from a trusted organisation, and uses a pre-scripted dialogue to persuade the victim to share the OTP. Finally, the attacker receives the OTP through the bot and uses it to gain access to the victim’s account,” she says.  

While 2FA is a valuable security measure, its current implementations can be cumbersome and disruptive. “Traditional 2FA methods often require users to interrupt their workflow to authenticate repeatedly,” Jay Prakash, Chief Executive Officer and Co-Founder of Silence Laboratories, says.

“This can lead to frustration and, ironically, may even compromise security if users become lax due to ‘push fatigue’,” he points out.

Moreover, OTP-based 2FA methods are inherently vulnerable. SIM swap attacks, where a hacker transfers a victim’s phone number to a SIM card under their control, can intercept OTPs. Flaws in the SS7 telecom signaling protocol also expose OTPs to interception.  

“These vulnerabilities have led to numerous compromises of bank accounts and critical data-storage. These messages can be intercepted midway,” he says.  

He suggests that algorithms need to check that the login device and the 2FA device are in proximity to each other during requests for 2FA approval.  

“Fundamentally, any remote login attempts should be avoided to counter push fatigue,” he observes.  

Here are some tips on how to stay safe:

  • Avoid opening links you receive in suspicious email messages. If you need to sign in to your account with the organisation, type in the address manually or use a bookmark.
  • Make sure the website address is correct and contains no typos before you enter your credentials there. Use Whois to check on the website: if it was registered recently, chances are this is a scam site.  
  • Do not pronounce or punch in the one-time code while you’re on the phone, no matter how convincing the caller sounds. Real banks and other companies never use this method to verify the identity of their clients.
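As an added example (not from the article, Kaspersky or Silence Laboratories), here is a small Python check that implements the Whois tip above: it reads the registration date out of WHOIS output and flags a domain registered within a chosen window. The WHOIS text is constructed for illustration, and the field labels and the 180-day threshold are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample WHOIS output for a hypothetical look-alike domain
# (not a real record). Registrars label the registration field differently.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-BANK-SECURE-LOGIN.COM
Registrar: Example Registrar, Inc.
Creation Date: 2024-05-02T14:21:07Z
Updated Date: 2024-05-02T14:21:07Z
Registry Expiry Date: 2025-05-02T14:21:07Z
"""

# Labels assumed to mark the registration date in common WHOIS formats.
CREATION_LABELS = ("creation date", "created", "registered on", "registration date")
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d", "%d-%b-%Y")


def parse_creation_date(whois_text):
    """Return the domain's creation date as an aware UTC datetime, or None."""
    for line in whois_text.splitlines():
        label, sep, value = line.partition(":")
        if not sep or label.strip().lower() not in CREATION_LABELS:
            continue
        value = value.strip()
        for fmt in DATE_FORMATS:
            try:
                return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
            except ValueError:
                pass  # try the next known format
    return None


def _as_datetime(value):
    """Accept None (now), an aware datetime, or a 'YYYY-MM-DD' string."""
    if value is None:
        return datetime.now(timezone.utc)
    if isinstance(value, str):
        return datetime.strptime(value, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return value


def domain_age_days(whois_text, as_of=None):
    """Age of the domain in whole days at 'as_of', or None if no date was found."""
    created = parse_creation_date(whois_text)
    if created is None:
        return None
    return (_as_datetime(as_of) - created).days


def looks_recently_registered(whois_text, max_age_days=180, as_of=None):
    """True when the domain is younger than max_age_days (a heuristic, not proof)."""
    age = domain_age_days(whois_text, as_of)
    return age is not None and age < max_age_days
```

A young domain is only one signal; a scam site can sit on an older domain, so treat the result as a reason for extra caution rather than a verdict.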