Information Security News mailing list archives
Two-Factor Authentication Might Not Keep You Safe
From: InfoSec News <alerts () infosecnews org>
Date: Mon, 28 Jan 2019 07:52:00 +0000 (UTC)
https://www.nytimes.com/2019/01/27/opinion/2fa-cyberattacks-security.html

By Josephine Wolff
Jan. 27, 2019

Here's how two-factor authentication is supposed to work: You log in to your bank account or email inbox, and after correctly entering your password, you are prompted to confirm the login through an app on your cellphone, a one-time code sent to you via text message or email, a physical YubiKey device or even a phone call. That app, text message, email, YubiKey or phone call is your "second factor," intended to ensure that even if the person trying to log in isn't really you, he or she still can't gain access to your accounts without access to your phone or YubiKey.

You might find two-factor authentication mildly irritating, and there's a chance you might not even notice the extra step in the login process anymore. Regardless, you probably feel a certain comfort in the idea that at least your money or your inbox is well protected.

But like so many other commonly accepted best practices in computer security, we actually know very little about how well two-factor authentication works.

In December, Amnesty International released a report describing an easy-to-apply technique being used to compromise accounts protected by two-factor authentication. The hackers whom Amnesty International investigated, who were targeting accounts belonging to individuals in the Middle East and North Africa, set up phishing pages that captured not only users' passwords but also the one-time authentication codes generated by their two-factor services.

-=-

Josephine Wolff https://twitter.com/josephinecwolff is an assistant professor at the Rochester Institute of Technology and the author of "You'll See This Message When It Is Too Late: The Legal and Economic Aftermath of Cybersecurity Breaches."

--
Subscribe to InfoSec News
https://www.infosecnews.org/subscribe-to-infosec-news/
https://twitter.com/infosecnews_