The Dangers of Considering Email as Two-Factor Authentication (2024)

It is crucial to consider the potential risks associated with using email as a form of two-factor authentication. It may be worth exploring alternative options that offer increased security.

What is Two-Factor Authentication?

Two-factor authentication increases the security of your online accounts by requiring an additional authentication factor in addition to a password. If you don’t know what two-factor authentication is or don’t have it enabled, I recommend you set it up for your online accounts. Two-factor authentication is an easy way to increase security and reduce the risk of your account getting compromised. For more information, see the UK Government’s top tips on staying secure online.

There are many different types of two-factor authentication, such as one-time code, FIDO device, SMS, and email. However, some are more secure than others.

Two-factor authentication relies on two different methods of authentication. For example:

  • Something you know (e.g. a password)

  • Something you have (e.g. an app on your phone or access to your email)

Using two different factors means that if one is compromised (e.g. someone guesses your password), the attacker still cannot log into your account.

Why is Email not a Secure Method?

There are several reasons why email should not be considered a secure second factor for two-factor authentication.

Compromised Email Account

If a malicious user gains access to your email account, they can perform a forgotten password action to gain a new password and then receive the two-factor code in the same email account. This means your online account can be taken over by someone who has accessed only your email account.

Plain Text Emails

Emails are usually sent as unencrypted text, meaning they could be intercepted and read by a third party, for example through a man-in-the-middle attack or a compromised network. Reset codes and links sent by email could be intercepted and used to compromise the online account. Using a different two-factor authentication method would mean a malicious user could reset a password but not bypass the second factor without compromising that device.

Email Overload

Another danger of considering email as two-factor authentication is that it relies on the user's behaviour and judgment. Users may not check their email regularly or may miss important messages due to spam filters or cluttered inboxes. Users may also click on malicious links or enter codes on fake websites that mimic the legitimate ones. Users may reuse the same email address and password for multiple online services, increasing the risk of credential stuffing attacks.

The Solution

The solution is simple: don’t use email as a second factor. Nearly all online accounts can use a more secure and robust method, such as a FIDO device or a one-time code. A FIDO device could be something like Windows Hello, or a physical key, which generates cryptographic keys. A one-time code can be generated using apps such as the Microsoft or Google Authenticator apps, where a new code is generated every 30 seconds and is usually set up by scanning a QR code.

Using these devices and a strong password will significantly reduce the risk of your online account being compromised.


FAQs

The Dangers of Considering Email as Two-Factor Authentication?

Compromised Email Account

Is email 2 factor authentication safe?

2FA email vs SMS

The problem with using email as a 2FA delivery channel is that the first layer of security–a password–can usually be reset from an email account. That means if someone compromises your email inbox, they can take over all your online accounts using the 2FA codes they send themselves.

Can email be hacked with 2FA?

Most 2FA methods involve sending temporary codes via SMS or emails, but these can be easily intercepted by hackers through account takeover, SIM swapping, and/or MitM attacks.

What are the risks of email OTP?

Phishing And Social Engineering Attacks

Phishing tactics trick individuals into disclosing their OTPs. For example, an attacker sends a link to a fake website, and the recipient then enters the OTP while the former simultaneously enters the code into the genuine website, gaining full access.

What are the disadvantages of two-factor authentication?

Dependence on a second factor: E.g., if a smartphone is misplaced, the user will be blocked from their account. Flexibility: IT leads can choose which second factors to deploy. Resistance to change: If users are unfamiliar with 2FA, it could feel intrusive.

Can hackers bypass 2FA on Gmail?

In order to bypass the 2FA protection of your account, Tycoon 2FA attacks seek to redirect victims to a cloned account login page. Once the username and password have been entered, Tycoon 2FA then presents what appears to be a genuine 2FA challenge to confirm the identity of the user.

How does 2FA work with email?

What happens when you turn on two-step verification? Once you activate 2FA for your email, when you log in you will be asked to provide a second authentication factor in addition to your password: a six-digit one-time code generated by a separate app on your smartphone.

Why is 2FA not safe?

One of the main reasons why 2FA is no longer secure is that hackers have become increasingly sophisticated in their methods of attack. For example, phishing attacks have become more sophisticated, making it easier for hackers to obtain user credentials through deceptive email messages or fake login pages.

How do I secure my email with two-factor authentication?

Turn on 2-Step Verification
  1. Open your Google Account.
  2. In the navigation panel, select Security.
  3. Under “How you sign in to Google,” select 2-Step Verification. Get started.
  4. Follow the on-screen steps.

Does 2FA stop phishing?

2FA doesn't prevent phishing or social engineering from being successful. 2FA is good. Everyone should use it when they can, but it isn't unbreakable. If you use or consider going to 2FA, Security Awareness Training has still got to be a big part of your overall security defense.

Is OTP on email safe?

Email OTPs for password recovery prevent bad actors from attempting to hack into your account. Because they're sent to your email address, you'll be aware of any attempts to break into your account. Unless your email address is compromised, this is a fail-proof method of protecting your password-protected account.

Is SMS or email 2FA better?

You should use an authenticator app over SMS authentication because it is more secure and less likely to be intercepted by cybercriminals. Authenticator apps generate 2FA codes locally on a device, rather than sending them unencrypted over text message.

What are the security risks of using email?

Protecting Yourself Against the 7 Dangers of Email Security
  • Email-borne viruses and malware. One of the key threats on email security is email-borne viruses and malware. ...
  • Spam emails. Most likely the least damaging attack on the list is spam. ...
  • Phishing and spoofing. ...
  • Whaling. ...
  • Thread hijacking. ...
  • Ransomware. ...
  • Human error.

Why not to use two-factor authentication?

Potential downsides to two-factor authentication

These include: Increased login time – Users must go through an extra step to log in to an application, adding time to the login process.

What is the vulnerability of two-factor authentication?

Another common 2FA vulnerability is SIM swapping, which is a form of identity theft that involves transferring a user's phone number to a new SIM card controlled by a hacker. This way, the hacker can intercept any 2FA codes sent via SMS or phone call to the user's phone number, and use them to access their accounts.

What are the criticisms of two-factor authentication?

Though requiring an extra identifier does deter some hackers from attacking systems defended with two-factor authentication, many others are willing to deal with the additional hurdle if they believe that the information stored within their targeted organization is worth the effort.

What is the safest two-factor authentication?

Security Keys

This is the most secure form of 2-step verification, and it protects against phishing threats. Depending on which security key you are using such as hardware, Titan, or your phone's built-in security key, users can set up their account so that devices detect the security key associated with your account.

How secure is Gmail 2FA?

2-step verification drastically reduces the chances of having the personal information in your Google account stolen by someone else. Why? Because hackers would have to not only get your password and your username, they'd have to get a hold of your phone.

Is email or phone 2FA better?

Email is more secure for two-factor authentication. There are known hacks of SMS. In fact, it's better to not use SMS and use email or an authenticator such as Google Authenticator.

Article information

Author: Duane Harber
