Cybersecurity Tip: Is two-factor authentication enough?It may be time to stop using popular two-factor authentication methods and consider this alternative. Read through these cybersecurity tips from our October 2018 issue of The RynohHorn to find out why two-factor authentication may be falling behind.

Content contributed by Rynoh Director of Security & Product Development, Matt Field


FACT #1: Simply having a unique and strong password for all online accounts is just not good enough.l

At this point on the cyber awareness timeline, it is well known that two-factor authentication (2FA) makes online accounts more difficult to hack, and therefore has been widely adopted as standard online security practice.

FACT #2: 2FA is an extra layer of security and a second step for signing into online accounts.

The first authentication step is a username and a password, and the second step could be as simple as a security question. The most popular method is either a message sent to a mobile phone via text message (SMS) or created by an app on a mobile phone.

With two-factor authentication enabled, even if malicious hackers steal your passwords, they won’t be able to sign in. Or will they?
FACT #3: It may be time to stop using common 2FA methods.

Although SMS is currently the most popular method of 2FA, it isn’t the most secure method of 2FA. Malicious hackers are getting better at phishing two-factor codes. They can perform a SIM card swap attack or steal text messages by exploiting known flaws in mobile networks to intercept text messages sent to a specific number on the popular Signaling System No.7 (SS7) phone routing system. Surprise! Malicious hackers have been known to purchase access to SS7 networks for relatively small amounts of money.

FACT #4: Considering the known issues regarding SMS, a better option for the second step of authentication is using a physical token such as a security key.

Security keys are the best way to make phishing virtually impossible. With this method of 2FA, a malicious hacker would have to steal a password and then physically steal the security key in order to hack into an account. Worth noting, the security advantages provided by security keys are the reason tech giant Google has launched its Advanced Protection Program designed to safeguard the personal Google Accounts of anyone at risk of targeted attacks such as journalists, activists, and business leaders. Enrollment in the program requires the purchase, use, and registration of these physical devices.

FACT #5: The most secure way to generate codes for accessing online accounts is via Universal 2nd Factor Keys (U2F).

The U2F keys can use Bluetooth, USB, or NFC connections and they cost anywhere between $15 and $50. It is recommended that users only purchase Fast IDentity Online (FIDO) Certified keys.

In closing, is two-factor authentication enough? It can be. While U2F keys provide are the most secure method and offer a nice balance of security and usability, they are still not quite as convenient as text messaging. Just keep in mind that using any two-factor authentication is better than none. It may take a few extra seconds to sign in, but it’s a small price to pay for security.