I could also title this post “Sensationalism in Cyber Security Journalism.”
I recently read a Motherboard article: We Were Warned About Flaws in the Mobile Data Backbone for Years. Now 2FA Is Screwed.
Unfortunately for those of us who want to educate and spread the truth, Motherboard decided to go with an overly sensationalist and misleading title. Two-Factor Authentication (2FA) is not dead. Only one commonly used form, chosen for its low cost and convenience, is doomed.
The article explains how a flaw in the underlying telephone signaling system, Signaling System 7 (SS7), lets attackers redirect your text messages and intercept the SMS codes that many common 2FA programs send to your phone. The flaw is real, and it does undermine any service or company that has chosen to use SMS as its second factor. The article even references a different method for that second factor when it states “Twitter does let users sign in with a code from Google Authenticator, an app on your smartphone that provides a more robust form of two-factor authentication.” Unfortunately, many will just read the headline and assume that all 2FA is pointless and that security as a whole is doomed. 2FA has been around for a while, though, and the overall concept will survive this minor hiccup.
As the article alludes, there are other forms of 2FA.
- If you’ve ever worked in a larger corporate, government, or financial organization, you will likely have used an RSA token as your second factor. These are great for organizations with large and robust infrastructures, but impractical for smaller ones.
- As the article references, apps like Google Authenticator are also an option. Several services use Google Authenticator as a second factor for their authentication. Microsoft provides a similar app for its services. There are also third-party apps that other services use, such as Authy and Duo.
- And the YubiKey is a hardware-based 2FA solution for both individuals and companies that is supported by several online services and can even be used to log in to your computer. YubiKey supports FIDO U2F (Universal Second Factor), a standard that aims to make 2FA easier to use consistently across many services and platforms.
Each of these solutions has its strengths and weaknesses. Your choice will likely be made by the list of services that each supports, though. Look into your email, banking, and other services first to see which of these 2FA solutions are supported. Most of the app-based solutions can be used for no additional cost.
Two-Factor Authentication is alive and well, so don’t be misled. Only the cheap and easy version (SMS/text messages) should be discontinued. I wholeheartedly recommend that you enable 2FA for all of your sensitive business and personal online services that support it.
Want to learn more about 2FA and how you can use it in your business?
Contact us for a free consultation!