Two Factor Authentication (2FA) is not enough

When we’re explaining how ThisData’s Login Intelligence API monitors user logins for suspicious activity, we often get the same question in response. It goes a little something like this:

Me: “ThisData provides an extra layer of security around user logins. You know that ‘Was this you?’ email you get from Facebook or Google when you sign in from a new device or a different country? Well, we offer that service to companies that want to add an extra layer of security to their app.”

Them: “Oh right, I get it, that’s really cool. But we have 2FA enabled – doesn’t that cover us?”

Just in case you aren’t familiar with exactly what 2FA is:

Two-Factor Authentication, or 2FA for short, adds an extra step to your basic login to make your account more secure. You log in as usual with a username and password; the password is your single factor of authentication. With 2FA enabled you are then required to enter a second factor to prove your identity, usually a token or code sent by SMS to the phone number registered on your account.

Right, so that all sounds secure. What’s the problem?

The problems with 2FA

User participation. This is the biggest hurdle to overcome, and then to keep monitoring. Enabling 2FA adds friction to the login process; it’s one more thing the user has to do. And even if they initially turn it on, how long will the novelty last? Another point to consider is that the users who keep 2FA enabled are probably going to be your most tech-savvy: the people already taking precautions with strong passwords, password managers, and VPNs. Your less tech-savvy users are your highest risk, and they’re the ones who will decide that the extra 2FA step is not worth the hassle.

But if you’ve managed to pass the first hurdle of getting your users’ buy-in to enable 2FA, and to use it on every single login, then it’s true that logging in with 2FA is more secure than logging in without it. But is it enough?

2FA is hackable. By enabling 2FA you are probably going to deflect the attention of your run-of-the-mill hacker who will move on to an easier target. Nice one! But don’t get too excited because 2FA has been hacked before. (Just read about the RSA SecurID token hack or Mat Honan’s personal experience.)

These are fringe cases, for sure. But we already know that 95% of all attacks on enterprise networks are the result of successful spear phishing. What spear phishing means is that a hacker has gained the trust of a user (usually through fraudulent emails) and the user has handed over personal information such as login details, credit card info, etc. It’s not too much of a stretch for hackers these days to gain control of your actual physical device (your phone – this video is proof of just how easy it is) and once a hacker has a user’s email address, password and 2FA code, they can then go about resetting all of that person’s passwords for all of the apps they use. You know what else they will do? Turn off 2FA. With 2FA disabled they are free to log in and wreak havoc on that person’s accounts.

How can you be more secure?

So, back to the conversation above that we so often have with people, and the exact reason that ThisData’s Login Intelligence product exists. When 2FA has been disabled by a user who just can’t be bothered anymore, or by a hacker who’s up to no good, that’s when you need to rest assured in the knowledge that, no matter what, all of your user logins are being monitored for suspicious activity. Any login that doesn’t fit a user’s behaviour profile – a different IP address, country, or device – will be red-flagged, and that user’s session can be shut down immediately to minimize potential damage.
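To make the idea of a behaviour profile concrete, here is a small added example of how such a check can be built. It is illustrative code written for this post, not ThisData’s own code or API: the attributes compared (IP, country, device), the three-login warm-up threshold, the response policy in decide(), and the sample login stream are all constructed assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class LoginEvent:
    user: str
    ip: str
    country: str
    device: str   # e.g. a device fingerprint or user-agent hash
    ts: int       # unix timestamp (seconds)


@dataclass
class UserProfile:
    """Running counts of the IPs, countries and devices seen for one user."""
    ips: Counter = field(default_factory=Counter)
    countries: Counter = field(default_factory=Counter)
    devices: Counter = field(default_factory=Counter)
    logins: int = 0

    def learn(self, ev: LoginEvent) -> None:
        self.ips[ev.ip] += 1
        self.countries[ev.country] += 1
        self.devices[ev.device] += 1
        self.logins += 1


MIN_HISTORY = 3  # assumed warm-up: logins needed before a profile is trusted enough to flag on


def deviations(profile: UserProfile, ev: LoginEvent) -> list[str]:
    """Attributes of this login never seen before for this user."""
    if profile.logins < MIN_HISTORY:
        return []   # too little history to judge; still building the baseline
    found = []
    if ev.ip not in profile.ips:
        found.append("new_ip")
    if ev.country not in profile.countries:
        found.append("new_country")
    if ev.device not in profile.devices:
        found.append("new_device")
    return found


def decide(reasons: list[str]) -> str:
    """Constructed policy: a new country or device ends the session; a lone new IP only notifies."""
    if "new_country" in reasons or "new_device" in reasons:
        return "terminate_session"
    if reasons:
        return "notify_user"
    return "allow"


def process(events: list[LoginEvent]) -> list[tuple[LoginEvent, list[str], str]]:
    """Replay logins in time order, scoring each against the profile built so far."""
    profiles = defaultdict(UserProfile)
    results = []
    for ev in sorted(events, key=lambda e: e.ts):
        prof = profiles[ev.user]
        reasons = deviations(prof, ev)
        action = decide(reasons)
        results.append((ev, reasons, action))
        if action != "terminate_session":
            prof.learn(ev)   # a rejected login must not poison the baseline
    return results


# Constructed sample stream (documentation IP ranges, made-up device ids)
SAMPLE_EVENTS = [
    LoginEvent("alice", "203.0.113.10", "NZ", "dev-a1", 1_000),
    LoginEvent("alice", "203.0.113.10", "NZ", "dev-a1", 2_000),
    LoginEvent("alice", "203.0.113.42", "NZ", "dev-a1", 3_000),
    LoginEvent("alice", "198.51.100.7", "NZ", "dev-a1", 4_000),  # new IP, same country and device
    LoginEvent("alice", "192.0.2.88", "RU", "dev-x9", 5_000),     # new IP, country and device
    LoginEvent("bob", "203.0.113.77", "AU", "dev-b1", 1_500),
    LoginEvent("bob", "192.0.2.5", "US", "dev-b2", 2_500),        # bob has too little history to flag
]

if __name__ == "__main__":
    for ev, reasons, action in process(SAMPLE_EVENTS):
        print(f"{ev.ts:>5} {ev.user:<6} {ev.country} {ev.device:<6} {action:<18} {reasons}")
```

Two design points worth noting: a login that is shut down is deliberately not fed back into the profile, otherwise the attacker’s country and device would become “normal” after one attempt; and a brand-new user produces no flags at all until a baseline exists, which is exactly the window an alerting layer like a “Was this you?” email is meant to cover.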

‘Accept that a breach will occur. Now focus on how fast you can respond.’ – Rich Chetwynd.