If you use one of three popular genetics and genealogy services, you’ll soon have to set up two-factor authentication (2FA) on your account. With 2FA enabled, you’ll need to enter a code sent via text, email or generated by an app on your phone to complete the login process.
Hackers target 23andMe
23andMe, Ancestry, and MyHeritage are all making the move to mandatory 2FA for users of their DNA services after data stolen from 23andMe was posted online. The data appears to have been obtained via a credential stuffing attack, which occurs when hackers use passwords leaked in other breaches to break into user accounts.
Credential stuffing attacks like the one that targeted 23andMe are one reason security professionals have been warning people for years not to reuse their passwords. But according to a Google poll from 2019, 65% of US adults still reuse at least some of their passwords.
This makes mandating 2FA a smart move by the genetics and genealogy services. With 2FA enabled, credential stuffing attacks will fail as hackers need more than just a username and password to access an account.
However, not all forms of 2FA are equally secure. So, let’s look at what 23andMe, Ancestry, and MyHeritage offer and see how they stack up.
23andMe gives users the choice of receiving 2FA codes via email or using an authenticator app to generate them. Ancestry allows users to receive 2FA codes via email or SMS. Finally, MyHeritage supports 2FA using an authenticator app.
Unfortunately, this means none of the companies support the most secure form of 2FA, which is a security key. However, authenticator apps, offered by 23andMe and MyHeritage, are a solid option from a security perspective. There can be a bit of a learning curve if you have not used them before, but they are straightforward once you get the hang of them. You can check out my guide to authenticator apps if you want to learn more.
Having codes sent via SMS or email is a less secure method of 2FA than using an authenticator app or security key. Email based 2FA is a risk if the site you use it on also allows your password to be reset via email. If a hacker breaks into your email account, they can then reset your password to the site in question and access the 2FA codes they need to log in.
SMS based 2FA is also not secure because it is vulnerable to SIM swap attacks. In a SIM-swap, hackers convince customer service agents at your cell phone carrier to transfer your phone number to a device they control. That means the hackers will receive any 2FA codes sent to you via text. And, as many services allow you to do a password reset via SMS as well, hackers can take over those accounts just by SIM-swapping your number.
So, if you use Ancestry and only have the options of email or SMS based 2FA, what should you choose?
If you ensure your email account is locked down with a strong, unique password and a secure form of 2FA, such as an authenticator app or security key, there’s less need to worry about a hacker compromising your inbox. You can then feel relatively safe enabling email based 2FA.
If you prefer getting your codes via text, there is another option. Ancestry accepts Google Voice numbers for 2FA, so you could use a Google Voice number instead of your regular cell phone number for 2FA purposes. Using a strong password and an authenticator app or security key for your Google account will make it much harder for attackers to steal your Google Voice number compared to your cell number. You can then use SMS based 2FA with less risk. However, there are other reasons to avoid SMS based 2FA.
Users should also remember that no form of 2FA is bulletproof. All the 2FA options offered by 23andMe, Ancestry and MyHeritage are vulnerable to phishing attacks. Plus, malware can steal session cookies that allow hackers to log in to a victim’s account without entering a password or 2FA code.
Mandating 2FA is a smart move by 23andMe, Ancestry and MyHeritage that will prevent future credential stuffing attacks. 23andMe and MyHeritage both support authenticator apps for 2FA, which are a solid option from a security standpoint. Unfortunately, Ancestry only offers SMS or email based 2FA, which are not as secure. However, even these forms of 2FA make life much harder for would-be hackers!