When it comes to securing consumer data in the cloud, two-factor authentication has been adopted by everyone from Amazon to Google. And why not? Two-factor authentication (2FA) is a great way to secure access to your data. However, there are always drawbacks and risks. Like every method of securing your data, it's not entirely foolproof.
While SMS messaging might seem like the most secure method, it's quickly becoming one of the easiest for scammers to crack. Don't get us wrong, SMS-based 2FA is still far better than a password alone, but it's not completely hack-proof. Nothing is.
Let's go over a couple common vulnerabilities and some secure alternatives.
Just like spoofing a phone number, it's also possible to spoof SMS messages. Of course, it's not easy—but for a sophisticated hacker, it's not impossible.
A couple of years ago, a white hat hacker group called Positive Technologies demonstrated how easy it was to take control of a cryptocurrency wallet behind a Google Account protected by 2FA.
First, the hackers gain access to Signaling System No. 7 (SS7), the signaling system that cell networks use to route calls and messages, including SMS. From there, they intercept the SMS text messages sent to your phone and lock you out of your account by resetting your password with the intercepted authorization code.
It's pretty scary for a targeted attack, but that doesn't mean 2FA is an overall lousy security method. While SMS is vulnerable to attacks like these, there is a more effective method that doesn't require an SMS message: Authenticator apps.
Authenticator apps can be great alternatives to SMS messaging for 2FA, especially if you want an extra layer of protection. Authenticator apps are standalone applications that generate short one-time codes for end users.
While the apps are linked to specific accounts, they offer everything SMS 2FA does but are less vulnerable. This is because the code is generated on the device itself, never travels over the carrier network, and changes after a set interval of 30–60 seconds, depending on the app used.
Of course, this doesn't mean that your system is hack-proof. But, as long as you don't download any malicious software and keep your phone's software up to date, it's highly unlikely that your phone will be breached.
Dedicated authenticator applications are generally more secure than SMS-based 2FA methods. Another way to ensure greater 2FA security is with specialized hardware such as YubiKeys.
YubiKeys are physical devices that unlock your account. They are like key fobs, but they are used for credential verification and account authentication. Many hardware-based 2FA devices like YubiKeys easily plug into USB ports to operate.
Hardware-based 2FA is one of the most secure ways to ensure account security. However, if you lose your hardware, you may also lose your account. Alternatively, you may be subject to lengthy phone calls with vendors to reauthenticate and regain access.
So, which 2FA method should you use? That's entirely up to you and mostly dependent on your use case. If you feel like your data is incredibly sensitive, it's hard not to recommend going straight for hardware-based solutions. However, if there's a bit of wiggle room—and if the user experience is important to you—application-based 2FA is an easier, more cost-effective option. Even SMS-based solutions will work if you're not concerned about elaborate hacking schemes.
Hypershift is a consulting organization focused on SaaS, subscription software, and cloud technologies. Our goal is to help organizations navigate their shift toward subscription software models, and our mission is to ensure best-in-class security, support, and management to optimize enterprise-level cloud strategies.