For years, two-factor authentication has been the most important advice in personal cybersecurity — one that consumer tech companies were surprisingly slow to recognize. The movement seemed to coalesce in 2012, after journalist Mat Honan saw hackers compromise his Twitter, Amazon, and iCloud accounts, an incident he later detailed in Wired. At the time, few companies offered easy forms of two-factor, leaving limited options for users worried about a Honan-style hack. The result was a massive public campaign that demanded that companies adopt the feature, presenting two-factor as a simple, effective way to block account takeovers.
Five years later, the advice is starting to wear thin. Nearly all major web services now provide some form of two-factor authentication, but they vary greatly in how well they protect accounts. Dedicated hackers have little problem bypassing the weaker implementations, either by intercepting codes or by exploiting account-recovery systems. We talk about two-factor like aspirin — a uniform, all-purpose fix that’s straightforward to apply — but the reality is far more complex. The general framework still offers meaningful protection, but it’s time to be honest about its limits. In 2017, just having two-factor is no longer enough.
For much of the last five years, the center of the campaign for two-factor has been twofactorauth.org, a site run by Carl Rosengren that’s dedicated to naming and shaming any product that doesn’t offer two-factor. At a glance, it can tell you which sites offer more than just a password login, and offers you an easy way to tweet at companies that don’t. Today, the site sends out hundreds of thousands of shaming tweets a day.
The campaign seems to have worked; nearly every company now offers some form of two-factor. Netflix is the biggest holdout — “I feel like I should buy a cake or something when that happens,” Rosengren says. Late adopters like Amazon and BitBucket have caved to demands, and every single VPN or cryptocurrency product listed by the site offers two-factor. The only email services without it are obscure players like Migadu and Mail.com. There are still a few problem sectors like airlines and banks, but most services have gotten the message: consumers want two-factor. If you don’t offer it, they’ll find a service that does.
But victory has been messier than anyone expected. There are dozens of different varieties of two-factor now, expanding far beyond the site’s ability to catalog them. Some send verification codes over SMS text, while others use email or more hardened verification apps like Duo and Google Auth. For $18, you can get a special USB drive to serve as your second factor, supported by most major services. It’s one of the most secure options available, as long as you don’t lose it. Beyond hardware, services can deposit long strings of code that provide an effectively invisible second factor — provided no one intercepts it in transit. Some of these methods are easier to hack than others, but even sophisticated users often can’t tell you which is better. For a while, TwoFactorAuth tried to keep up with which services were better or worse. Eventually, there were just too many.
“If it’s hard for us to evaluate the hundreds of two-factor services,” Rosengren says, “I can’t begin to imagine how hard it would be for a consumer.”
The promise of two-factor began to unravel early on. By 2014, criminals targeting Bitcoin services were finding ways around the extra security, either by intercepting software tokens or through more elaborate account-recovery schemes. In some cases, attackers went after phone carrier accounts directly, setting up last-minute call-forwarding arrangements to intercept codes in transit. Drawn by the possibility of thousand-dollar payouts, criminals were willing to go further than the average hacker. The attacks continue to be a real issue for Bitcoin users: just last month, entrepreneur Cody Brown lost $8,000 through a Verizon customer support hack.
Outside of Bitcoin, it’s become clear that most two-factor systems don’t stand up against sophisticated attackers. Documents published this month by The Intercept show Russian groups targeting US election officials had a ready-made plan for accounts with two-factor, harvesting confirmation codes using the same methods they used to grab passwords. In another case reported by Symbolic Software founder Nadim Kobeissi, a maliciously registered device let attackers break through a target’s two-factor protection even after the system had been reset.
In most cases, the problem isn’t two-factor itself, but everything around it. If you can break through anything next to that two-factor login — whether it’s the account-recovery process, trusted devices, or the underlying carrier account — then you’re home free.
Two-factor’s trickiest weak point? Wireless carriers. If you can compromise the AT&T, Verizon, or T-Mobile account that supports a person’s phone number, you can usually hijack any call or text that’s sent to them. For mobile apps like Signal, which are tied entirely to a given phone number, it can be enough to hijack the entire account. At the same time, carriers have been among the slowest to adopt two-factor, with most preferring easily bypassed PINs or even flimsier security questions. With two networks controlling the bulk of the market, there’s been little incentive to compete on security.
At the same time, it’s proven difficult to kill off particular types of two-factor even after they’re shown to be insecure. The National Institute of Standards and Technology quietly withdrew support for SMS-based two-factor in August, pointing to the risk of interception or spoofing, but tech companies have been slow to respond. If anything, services are relying more on SMS as Twitter and PayPal look to tie accounts more closely to phone numbers. It’s less secure, but easier to use. As long as it’s two-factor, few account holders know the difference.
“We’ve seen a check-box approach,” says Marc Boroditsky, who builds two-factor systems for third-party companies at Twilio, “saying ‘now we have two-factor authentication so we’re okay. Move on.’”
The rush to check that box has led to usability problems as well as security problems. Boroditsky points to Apple’s iCloud system, which came under fire after easily guessed account-recovery questions enabled the mass theft of nude photos in 2014. Meanwhile, under a recent Apple policy, losing your Recovery Key and forgetting your password was enough to permanently lock a user out of their Apple ID account, something that caused real problems for some users.
In some ways, the two problems feed into each other, with publicized hacks inspiring tighter and harder-to-use policies that drive more users back to standard logins, thus inspiring more hacks. “Look at how complicated and messy it is for, say, Apple,” Boroditsky says. “If they don’t take a much more comprehensive approach, they end up becoming responsible for downstream consequences.” (Apple did not respond to a request for comment.)
Google is one of the few services that lets you actively disallow weaker tokens like SMS, although it’s only available for G Suite enterprise customers. Under that system, an admin can set the two-factor policy for their whole organization, banning insecure tokens or forcing all the users on a given domain to use a specific login method. But that only works when there’s an administrator to set policies and talk users through any resulting problems. It’s not clear how you make a policy like that work for the billion people using standard Gmail — and so far, Google hasn’t been eager to try it out.
“One of the truths we’ve found is that people won’t accept more security than they think they need,” says Mark Risher, who manages Google’s identity systems, including two-factor products. “As a large-scale consumer internet provider, we want to find that right balance.”
None of this means two-factor is pointless, but it isn’t the silver bullet that it seemed to be in 2012. Adding an authentication code hardens the login page, but smart attackers will just find another angle of approach, whether it’s a carrier account, a preregistered device, or just a customer service department that’s a little too eager to reset the password. Those weak points are the real measure of how secure an account is, but they’re impossible to spot from the outside. The result is that, if you’re looking for the chat app that’s hardest to hijack, it’s hard for even sophisticated users to know what to look for.
As the industry moves beyond two-factor, security is only getting harder to size up. The new focus is on threat detection, drawing on dozens of ambient signals like device fingerprinting and on-page behavior to determine whether a given login warrants extra scrutiny. A suspicious enough string of logins might trigger an account freeze or require a phone call to customer service before the subject can proceed. “The problem is that one-size-fits-all doesn’t work,” says Boroditsky. “So going to a detection-vs.-prevention model is more likely to succeed in the long run.” It’s a good way to catch criminals, particularly for companies like Facebook and Google with world-class machine learning divisions and oceans of data for training algorithms, but it’s nearly impossible to judge from the outside.
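The ambient-signal scoring sketched above, as an added example that is not code from the article or from any company it names: each login is scored against the account’s history and mapped to allow, step-up verification, or freeze. The signal names, weights and thresholds are assumptions chosen for the illustration.

```python
# Added example: risk-based login scoring. Signals, weights and thresholds are assumed.
from dataclasses import dataclass, field

WEIGHTS = {
    "unknown_device": 40,     # device fingerprint never seen on this account
    "new_country": 30,        # country absent from the account's login history
    "impossible_travel": 50,  # different country under an hour after the last login
    "factor_sms": 15,         # second factor delivered over SMS (interceptable)
}
STEP_UP_AT, FREEZE_AT = 40, 90  # assumed thresholds

@dataclass
class AccountHistory:
    known_devices: set = field(default_factory=set)
    known_countries: set = field(default_factory=set)
    last_login: tuple = None  # (country, unix_time) of the last accepted login

def score_login(attempt, history):
    """Return (score, triggered_signals) for one login attempt."""
    hits = []
    if attempt["device"] not in history.known_devices:
        hits.append("unknown_device")
    if attempt["country"] not in history.known_countries:
        hits.append("new_country")
    if history.last_login:
        last_country, last_time = history.last_login
        if last_country != attempt["country"] and attempt["time"] - last_time < 3600:
            hits.append("impossible_travel")
    if attempt.get("factor") == "sms":
        hits.append("factor_sms")
    return sum(WEIGHTS[h] for h in hits), hits

def decide(score):
    """Map a risk score to allow, step_up (extra verification) or freeze."""
    return "freeze" if score >= FREEZE_AT else "step_up" if score >= STEP_UP_AT else "allow"

def evaluate(attempts, history):
    """Process attempts in order; once frozen, the account stays frozen."""
    actions, frozen = [], False
    for a in attempts:
        score, _ = score_login(a, history)
        action = "freeze" if frozen else decide(score)
        frozen = frozen or action == "freeze"
        actions.append(action)
        if action == "allow":  # only low-risk logins teach the model new context
            history.known_devices.add(a["device"])
            history.known_countries.add(a["country"])
            history.last_login = (a["country"], a["time"])
    return actions

def run_sample():
    """Constructed sample: a normal login, a hijack-style attempt, then the owner again."""
    history = AccountHistory({"laptop-1"}, {"US"}, ("US", 1000))
    attempts = [
        {"device": "laptop-1", "country": "US", "time": 2000, "factor": "app"},
        {"device": "phone-x", "country": "BR", "time": 2500, "factor": "sms"},
        {"device": "laptop-1", "country": "US", "time": 9000, "factor": "app"},
    ]
    return evaluate(attempts, history)  # returns ['allow', 'freeze', 'freeze']
```

The third attempt is the legitimate owner, yet it is still refused: that persisting freeze is the “require a phone call to customer service” step the paragraph describes, and the support desk then becomes the weak point the rest of the article warns about.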
The result pushes users back to an old status quo, before the iPhone or even the internet: enterprise admins are outgunning consumer offerings again, and security is something to be entrusted to experts in a lab somewhere. It’s not bad news, necessarily: threat detection makes accounts safer, just like two-factor. But unlike two-factor, there’s no way for users to tell if the system is working or if there’s a stronger system to push for.
That shift leaves users in a difficult place. “Get two-factor” is still good advice, but it’s not enough. Worse, it’s not clear how to fill the gap. What do you tell someone who’s worried about seeing the contents of their inbox published on WikiLeaks? There’s no simple fix for such a threat, no one step that will keep you protected. The surprising thing is that, for a few years, it seemed like there was.
Comments
Lesson of the day… Nothing will ever be 100% secure. With enough time and will something can be compromised. Even if they fix 2fa standards, there will be a way in.
By Ruben Sierra on 07.10.17 9:46am
I’d argue that a "lesson" is one that suggests either you do certain behaviors more, or avoid certain behaviors. Yes, nothing will be 100% secure, but some things are much more secure than others.
The real lesson is that not all 2 factor authentication is the same, and you should think about the security of the login process as you think about what data that site has.
By sing_electric on 07.10.17 10:19am
The lesson is that people need to stop worrying about "100% security" and realize there’s a point when it’s just going to have to be "good enough", and that’s all it really has to be unless you’re running a nuclear power plant out of your house. Even if a hacker gets into your personal computer, which is not likely to happen because hackers don’t typically care much about you unless you’re Jennifer Lawrence or you’re exceedingly dumb with your security (i.e. you actually like to click on links in obvious phishing emails), the worst they’re going to be able to do is steal your credit card or bank account info. And you are 100% not liable in cases like that unless you have a REALLY BAD bank. And in that case, I’d argue that the first thing you should do is to change banks rather than worrying about your online security.
It’s no different than security for your house. There’s no security system in the world that’s impenetrable; a determined thief is going to be able to get in if he/she really wants to for some reason. But a) most thieves aren’t going to go to that much trouble if they don’t know what’s in there, and b) if a thief does get in, that’s what you have insurance for. It’s not the end of the world. They’re not going to steal your precious family photos, they’re going to take your TV and Xbox and maybe your silverware if it’s real silver. All that stuff is easily replaced and you’ll even get the money back.
This quest for an impenetrable wall of security for all of our accounts is a lofty goal and one that should be continued by those who actually work in security, because that’s the only way for security to improve. But average people should just take some common sense precautions and then stop worrying so much.
By badasscat1 on 07.10.17 5:37pm
I kind of agree with this. It’s more important that you can recover your life after being hacked or whatever than to keep worrying about being hacked. Is your important data in more than two places? Are your photos and personal docs in the cloud or some other backup so that if you had to reformat your drive you could do so? Is all your money in one bank account? Etc…
The question is how prepared are you when something like this happens.
By albee on 07.11.17 3:08am
The risks here seem really overblown. The average person isn’t going to see their mobile phone account hacked so that someone can get into their Twitter account. Nor is their Bitcoin going to be stolen – they won’t know what Bitcoin is.
Oh, and I wish a carrier would offer SMS forwarding in the UK, but I don’t think any do.
By Daveoc64 on 07.10.17 9:53am
That is not the point though, is it? Just because the chances may be slim for your phone getting hacked doesn’t mean it shouldn’t be secure. It is actually pretty easy (if you know what you are doing) to trick a victim into putting malware on a phone and get access to their texts, location, etc. It can be even easier if you write your own malware.
(I have done this to myself for testing purposes. It is easy enough for concern).
By Ruben Sierra on 07.10.17 2:11pm
If it’s easy to trick someone into doing something, no amount of "security" is going to protect them.
But you’ve hit upon the real issue here. 99.9% of all people who personally get hacked got hacked because of something they themselves did. There’s no real problem with account security; the problem is with people’s behavior. No software or hardware is ever going to change that.
The other major form of hacking is of corporate networks, which has nothing whatsoever to do with two factor authentication or personal accounts. You can protect your personal accounts like Fort Knox and still end up having your info stolen because somebody broke into the Wal-Mart customer database.
By badasscat1 on 07.10.17 5:42pm
Wait a second.. Is Samsung Knox trying to be a wordplay on Fort Knox?? Or is it really obvious and I am the only one who didn’t see it?
By matus201 on 07.11.17 2:15pm
You might not remember a few years back (ok several years now) where people were having their ICQ accounts stolen simply because script kids wanted the "low" ICQ numbers as a status symbol.
Think about how many logins now can be tied to a Facebook account or even worse, what happens when you’re locked out of a Google account. Those are average people too.
By jrnichols on 07.10.17 3:20pm
The fact that this got 10 recs shows how ignorant people are of cyber security. A few months back MANY YouTubers were getting hacked and it was all due to SMS 2 auth. And how was this compromised? Social engineering.
But don’t take MY word for it:
https://www.youtube.com/watch?v=caVEiitI2vg
https://twitter.com/JohnLegere/status/751490098240167937?ref_src=twsrc%5Etfw&ref_url=http%3A%2F%2Fohnotheydidnt.livejournal.com%2F102472732.html
By Alain-Christian on 07.11.17 2:35am
But that’s exactly my point. The average person is not a "YouTuber". They are not a pseudo-celebrity with over 4 million viewers.
These attacks are only worthwhile on large targets. They are not worth carrying out on the average person.
By Daveoc64 on 07.11.17 8:35am
Even an average person may have a paypal account.
I currently have a balance of about 25€ in there. It’s not a lot of money, but if you can get your mail to scale, it’s worth it.
By Bauke Schildt on 07.11.17 9:56am
Your suggested plan doesn’t get around any two factor authentication – which is what is being discussed here.
By Daveoc64 on 07.11.17 10:17am
And then you have people like THIS guy who practices security through obscurity… SMH
By Alain-Christian on 07.11.17 10:58am
No, I use a two factor authentication app for as many services as I can, but I’m not so zealously obsessed with theoretical attacks that I worry my Twitter account with few tweets and few followers is worth someone trying to steal my mobile phone account in order to gain access to.
If you think not being a celebrity with 4 million YouTube subscribers is "security through obscurity", I’m surprised you post on a site like this with such low security…
By Daveoc64 on 07.11.17 12:01pm
Just because (you FEEL) you’re not a target doesn’t mean you should ignore best practices is all I’m saying.
Murphy’s Law.
By Alain-Christian on 07.12.17 2:07am
@Daveoc64 : I suspect your identity has never been compromised. Perhaps James Fallows isn’t an "average person" but this account of what happened when his wife’s Gmail account was hacked is harrowing: Hacked!
See also: 4 Scary Hacking Statistics You Probably Didn’t Know About
By Selden Deemer on 08.10.17 2:35pm
I’d like to look into that $18 USB Stick that was referenced, does anyone have a link to it?
By chainercygnus on 07.10.17 9:55am
https://www.yubico.com/products/yubikey-hardware/fido-u2f-security-key/
From a company that specializes in the 2FA thing
By marcopolomint on 07.10.17 10:03am
The timing of this article makes sense, seeing as Natt wrote an article last month about setting it up. I was surprised to see that sms two-factor was never mentioned as being insecure in that article.
I just set up two-factor on most of my accounts a few days ago, and I wish there was just a one-button option in LastPass to set this up. When something like that comes along, a lot more people will start to use two-factor I feel. It just required too much research and navigating through a bunch of services’ sites to set all of my services up. I’d recommend everyone at least set up two-factor with their most important services, like mail and file storage.
By Salam Zebian on 07.10.17 10:05am
The other thing about 2FA by SMS is that, if you go between different countries and are changing SIMs, the default SMS architecture means that your verification codes often end up in the ether and then expire, with few ways of going back into the system to set up an alternative number… you’re locked out. I understand why, but it’s very frustrating.
By marcopolomint on 07.10.17 10:05am
One way around this, if you’re in the US or Canada where Google Voice is available, is to use your Google Voice #. Obviously, this just means that your 2fa is no more secure than your Google Account, and it doesn’t help you if/when you’re logged out of Google, but it’s one option.
By sing_electric on 07.10.17 10:21am
Problem is that some providers won’t send (or can’t) SMS to GVoice numbers. Chase Bank is an example.
By Carl on 07.10.17 12:35pm
Here is the story of how Russian law enforcement troops hijack SMS Telegram confirmation codes to get access to opposition leaders’ Telegram chats.
In short, they just turn off SMS service for the minutes needed to get access to the account of interest.
Think about this when you use any account via SMS confirmation.
By yuy on 07.10.17 10:28am
Russell, you should check out/write about SQRL (https://www.grc.com/sqrl/sqrl.htm – terrible website, amazing tech). It’s like a password manager that also manages your identity for the website in a way that means that the website/service getting totally hacked cannot reveal anything about you, and you can’t ever have your identity stolen (outside of losing your master password).
In a nutshell (from the website):
By prittjr on 07.10.17 11:02am