Information Security News mailing list archives

Two-Factor Authentication Might Not Keep You Safe


From: InfoSec News <alerts () infosecnews org>
Date: Mon, 28 Jan 2019 07:52:00 +0000 (UTC)

https://www.nytimes.com/2019/01/27/opinion/2fa-cyberattacks-security.html

By Josephine Wolff
Jan. 27, 2019

Here's how two-factor authentication is supposed to work: You log in to your
bank account or email inbox, and after correctly entering your password, you are
prompted to confirm the login through an app on your cellphone, a one-time code
sent to you via text message or email, a physical YubiKey device or even a phone
call. That app, text message, email, YubiKey or phone call is your "second
factor," intended to ensure that even if the person trying to log in isn't
really you, he or she still can't gain access to your accounts without access to
your phone or YubiKey.

You might find two-factor authentication mildly irritating, and there's a chance
you might not even notice the extra step in the login process anymore.
Regardless, you probably feel a certain comfort in the idea that at least your
money or your inbox is well protected. But like so many other commonly accepted
best practices in computer security, we actually know very little about how well
two-factor authentication works.

In December, Amnesty International released a report describing an easy-to-apply
technique being used to compromise accounts protected by two-factor
authentication. The hackers whom Amnesty International investigated, who were
targeting accounts belonging to individuals in the Middle East and North Africa,
set up phishing pages that captured not only users' passwords but also the
one-time authentication codes generated by their two-factor services.

-=-

Josephine Wolff https://twitter.com/josephinecwolff is an assistant professor at
the Rochester Institute of Technology and the author of "You'll See This Message
When It Is Too Late: The Legal and Economic Aftermath of Cybersecurity
Breaches."


