2-factor authentication (2FA) provides essential protection for your online accounts. Without it, you might wake up one day to find your accounts hacked and your money stolen.
In this post, I’ll explain what 2FA is and why you need it, before pointing out some of its limitations. Let’s dive in!
What is 2FA?
2FA adds an extra step to the login process for your online accounts. Once enabled, you’ll need to prove your identity in a second way after you’ve entered your username and password.
Some of the most common ways to verify your identity include entering a code sent via text message or generated by an authenticator app on your phone. Other methods include tapping a button on a usb-like device called a security key or approving a push notification sent to your phone.
Why do you need 2FA?
If you use strong passwords, you might wonder why you still need 2FA. The answer is that it’s not that difficult for the bad guys to get their hands on your passwords, even strong ones. And without 2FA, there’s nothing standing between those bad guys and your accounts.
Let’s look at two common ways hackers can pilfer your passwords: data breaches and phishing attacks.
Data breaches
If a site suffers a data breach, your password may end up posted online, making it easily accessible to cybercriminals. This not only puts your account at the breached site in danger, it puts other accounts where you use the same password at risk, too. That’s because hackers know people often reuse their passwords and so test leaked credentials out on other sites to see if they can gain access to more accounts.
This happened to my husband earlier this year. His Amazon account was protected with a password he had reused on other sites. One of those sites had a data breach, which we later found out by checking haveibeenpwned.com. The hackers then tried his credentials on other sites and successfully gained access to his Amazon account. They then ran up hundreds of dollars worth of fraudulent charges on his credit card, which took us weeks to resolve.
Phishing
Imagine this scenario. You get an email telling you someone logged into your Gmail account from a foreign country. The email instructs you to click a link to change your password, so in a panic you click it and are brought to what looks like Gmail’s login page. You enter your username and password and hit the “login” button, but realize too late that the URL of the login page wasn’t right. Unfortunately, you’ve just been phished, and now hackers have your password.
John Podesta, chairman of Hillary Clinton’s presidential campaign, found himself the victim of a similar phishing attack back in 2016. The hackers successfully tricked him into giving up his password, stole his sensitive emails and then sent them to WikiLeaks. WikiLeaks then released them one month before the US elections.
How 2FA protects you
With 2FA turned on, a hacker needs more than your password to access your account. So even if attackers find your password in a data breach or trick you into handing it over in a phishing attack, they won’t be able to log in unless they also complete the second authentication step.
As this second authentication step requires your phone or security key, it will be very difficult (though not impossible!) for hackers to complete it successfully.
Limitations of 2FA
As important as turning on 2FA is, it’s also important to realize that it does not make your accounts unhackable.
Linus Media Group found this out the hard way earlier this year when their Linus Tech Tips, TechLinked and Techquickie YouTube channels were hijacked and used to promote cryptocurrency scams.
The hackers took over the channels by tricking an employee into downloading malware disguised as a sponsorship offer. The malware stole session cookies, which are pieces of data saved on your computer that keep you logged in to your accounts. This allowed the hackers to clone the employee’s browser and gain access to accounts they were already logged in to without needing to enter a password or complete 2FA.
Sophisticated phishing attacks using tools like Evilginx can also steal session cookies, providing cybercriminals with another way to access your accounts without your password or 2FA.
Certain forms of 2FA are also vulnerable to specific attacks. SIM-swap attacks, where hackers steal your phone number, threaten SMS-based 2FA, since hackers can then receive any 2FA codes sent to you via text. That’s one reason security experts no longer recommend you use SMS-based 2FA.
Accounts protected by 2FA push notifications are also vulnerable to 2FA fatigue attacks, sometimes called prompt or push bombing. During such an attack, cybercriminals repeatedly attempt to log in to your account, generating a constant stream of push notifications in the hopes you’ll accidentally approve one of them. That’s how hacking collective Lapsus$ broke into big companies like Samsung and Nvidia last year and stole their data.
But don’t think there’s no point in turning on 2FA just because it’s not perfect. 2FA makes it much harder for hackers to gain access to your accounts and will keep them far more secure than if you don’t bother to turn it on.
The takeaway
As cybercriminals can get your passwords from data breaches and phishing attacks, protecting your accounts with 2FA is vital if you want to keep them safe. And while 2FA won’t make your accounts unhackable, it will make life much harder for would-be hackers!
