Two-Factor Authentication For Your Financial Accounts — Here’s How Secure It Really Is | Bankrate (2024)

Have you ever logged into an online account and then received a text message to confirm it was you actually logging in? It’s a common experience nowadays, especially with financial accounts but increasingly with many kinds of online accounts that have sensitive information.

This type of security is called two-factor authentication, because you need two kinds of verification to prove that it’s really you — not some bad guy — accessing the account. Two-factor authentication is one of the most widespread technologies used to secure your account, but at least one observer suggests that the tech has not been studied enough to know its weaknesses.

That lack of knowledge could mean your accounts aren’t as secure as they seem, potentially leaving your money vulnerable to hackers who can exploit loopholes in the process.

What is two-factor authentication?

Two-factor or multi-factor authentication is a way to verify that you are who you claim to be. Usually it combines a piece of information that you know, such as a password, with something that you have, such as a phone, a code card or a physical key that you must slide into your device.

Sometimes that second factor might involve identifying a pre-selected picture on a website or verifying account access by a voice phone call. Some financial sites require a login and password and then verify you based on your browser or device.

One of the first brokers to adopt two-factor authentication was Interactive Brokers, says Steve Sanders, EVP of Marketing and Product Development. The broker used a code card for many years, and now it offers a mobile authentication key that requires a PIN, fingerprint or facial recognition to operate.

Two-factor authentication has made financial accounts more secure, but it’s not clear by how much. Identity theft continues to be a huge problem, and while consumers may feel more secure using the multi-step process, not enough research has been done to study how effective it is.

So how secure is two-factor authentication?

“Two-factor authentication does not provide as much security as one might assume,” says Dr. Yinglian Xie, CEO of DataVisor.

Even the industry standard and best practice are still liable to hacking, according to experts. And some financial institutions are lax in how they implement their authentication, too.

To be implemented properly, such authentication must use a mix of different factor types, such as knowledge-based, biometric or a physical item, says Maxime Rousseau, chief information security officer at Personal Capital. Instead, some companies simply added security questions on top of the password requirement, which doesn’t afford the same security, he says.

“Industry-standard multi-factor authentication today typically combines a password and SMS code,” says Rousseau. But the leading organizations or higher-risk ones are moving from this standard to app-based codes to combat phone-hijacking attacks, he says.

SIM swapping, one of the most common ways hackers hijack mobile phones, has been on the rise, according to the FBI. In 2021, SIM swapping accounted for $68 million in losses. Of course, phones are one of the most popular verification methods.

“As mobile technologies become more vulnerable, two-factor authentication as a security measure is increasingly less effective,” says Dr. Xie.

But how ineffective? Dr. Josephine Wolff, a professor of cybersecurity policy at Tufts University, says there’s been little published on exactly how secure two-factor authentication is.

“It hasn’t been studied and tested as thoroughly as it could be,” says Wolff. “So we still don’t have a great grasp on the strengths and weaknesses of different types of second factors.”

However, in 2019 Google published a study that Wolff says made “big steps” to dissect the effectiveness of two-factor authentication. The study showed that, overall, device-based challenges (such as an SMS code) were much more effective than knowledge-based challenges (such as recalling your last sign-in location). SMS codes blocked 96 percent of bulk phishing attacks, according to the study.

And as for the safety of financial institutions, we simply don’t know, says Wolff. “Most sites don’t release any numbers about how often their users’ accounts are compromised, so we don’t really know who’s doing the best or worst job.”

A more recent 2022 Google study suggests that multi-factor authentication might not be as effective at protecting user information as institutions might hope. After mass-enrolling millions of users in the extra verification process, there was only a 50 percent decrease in accounts being compromised, Google found. Still, the extra verification initiative wasn’t totally ineffective.

Potential loopholes for hackers

“While no security system is foolproof, adding multi-factor authentication is a smart way to reduce the risk of account takeover,” says Gary Zimmerman, CEO of MaxMyInterest. But some types of two-factor authentication are weaker than others, he says.

For example, if you use your email’s login and password for a financial account, hackers could easily access both, since they can verify your identity through email. It’s like giving thieves the keys to your front door and hoping they don’t discover the keys work for your safe, too.

Breaking some types of two-factor authentication is not uncommon, says Dr. Wolff. Hackers can design fraudulent websites that look nearly identical to the real ones. Then, purporting to be from a bank or broker, they email people claiming that their account is about to expire or that they’re missing data. But the email instead sends the customer to the fake site, which captures any login information the customer enters.

The hacker enters this information on the real bank site, generating a text message with a one-time code to the user. Unsuspectingly, the user then enters that code on the fake website, and the hacker enters it on the real site, gaining access to the account.

Such an imperfection doesn’t mean we should abandon two-factor authentication, Wolff says. Rather, “we should study it rigorously and figure out how it can be implemented most effectively.”

Despite annoyance, consumers value security technology on financial accounts

Account security is not helped by the fact that some consumers can find two-factor authentication annoying. A 2017 survey of cybersecurity professionals by SecurAuth Corporation found that 74 percent whose organizations use two-factor authentication receive complaints from users about the process.

Still, many would trade an occasional nuisance when signing in to ensure that their identity and account information remain secure. Duo Labs reported that 93 percent of respondents in 2021 consider financial accounts to be of high concern for protection against unauthorized access.

“The best approach is one that requires the fewest steps and the fastest authentication, while still keeping financial accounts as secure as possible,” says Sanders of Interactive Brokers.

Consumers may view these security steps as annoying, but they’ve become the norm and aren’t going away. In 2021, 79 percent of respondents to the Duo Labs survey said they used two-factor authentication — only 53 percent said the same in 2019.

How consumers can stay secure when online

Although two-factor authentication is not perfect, consumers should look to adopt this new standard because it helps protect their money and their identity.

“While it may feel inconvenient to have to go through multi-factor authentication to access your accounts, know that the websites and financial institutions are implementing it for your benefit,” says Zimmerman of MaxMyInterest.

So circumventing procedures created to protect your account is not recommended, even if logging in does become a bit more cumbersome.

In the meantime, security professionals will continue working toward authentication that is less intrusive while still maintaining security.

Dr. Xie explains one vision of such a process called zero-factor authentication. It uses your “digital DNA” — your various online behaviors such as devices and activities — to verify your identity. “With AI, the reality of zero-factor authentication is closer than we think.”

Some of the oldest advice is still some of the best: Don’t share your passwords, and create distinct passwords for each of your accounts.

But if you want to take security a step further, Wolff suggests going with a physical device such as a security key as a second factor for high-value accounts. She also recommends using a password manager that can store and create complex and unique passwords. LastPass is one popular password manager app that’s free and available for computers or mobile devices.

Bottom line

Two-factor authentication is valuable even if it’s not foolproof. As the pros study which techniques are the most secure, consumers should expect to see new types of security emerge over time.

But the bad guys will still be looking for ways to go up, around or through the digital fence to get to your money. So consumers should carefully follow best practices for protecting their financial information to eliminate — or at least mitigate — their risk.

Article information

Author: Ouida Strosin DO
