What Makes Two-Factor Authentication Flawed?

Two-factor authentication has become more commonplace in sensitive environments such as in banking, payment processing, social media, and other platforms where you share a lot of personal information that you definitely don’t want anyone else to get their hands on. It’s been a very powerful way to make sure that you’re the only person with access to your data, but there’s some bad news: it’s flawed. Not everything is bad news, however. It seems that some companies are working on making a new form of authentication that accounts for some of these flaws.

A Primer on Two-Factor Authentication

The gist of it is this: If you have to use something besides just a username and password to get into an account, you’re most likely using two-factor authentication to get into it.

Most often you’ll see this happen when you log into a banking app or use an app like Uber for the first time. It usually comes in the form of an SMS confirmation to make sure that you’re the owner of the phone number that was registered with the account.

Some banks will give you a digital token generator (much like Google’s Authenticator app) that generates a series of numbers every minute or so that you must use to log into your account.

Other applications use a clever automatic detection system that calls your phone number and detects when the call is answered, confirming that you have the phone in hand.

In some instances, two-factor authentication could even involve biometrics, like a fingerprint or your face. Some of these methods are used in lieu of a password for doing certain things like unlocking your phone.

All of these methods were invented to accurately prove that you are you.

The Fly in the Ointment

The biggest flaw of modern-day authentication methods is that they do not take into account the fact that human beings are using them. We always find new and creative ways of misusing our data, and no security measure that exists today can really compensate for that.

In many cases we fall for social engineering schemes that get us to give away crucial information to people attempting to access our accounts.

There’s also the risk of theft. If someone steals your phone, they now have a way to receive confirmation SMS messages. If someone steals your token, they can authenticate your bank account.

Fingerprints? They are also vulnerable. So is facial recognition.

A New Frontier with Its Own Caveats

In the autumn of 2017 a group of mobile carriers in the United States announced that they would release a new form of authentication that should address all the flaws listed above. While this all might sound hunky dory, there aren’t a whole lot of details on exactly how this new authentication method would work.

The group, known as the Mobile Authentication Taskforce, said that their new method would “reduce mobile identity risks by analyzing data and activity patterns on a mobile network to predict, with a high degree of certainty, whether the user is who they say they are.”

This sounds a bit like they would track movements and data patterns from mobile users and use that to create a “fingerprint” of their identity. If there’s too much of a deviation from this pattern (e.g. your phone is suddenly in London and doesn’t log into the websites you typically log into), then it would be safe to presume the identity of the user has been compromised.
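The deviation-from-pattern idea in the paragraph above can be sketched in code. The block below is an added illustration written for this page, not the Taskforce's method (which, as the article says, has not been detailed): it builds a behavioural profile from a constructed login history and scores a new login by how far it departs from that profile (unseen country, device, site or hour of day, and a country change too soon after the previous login). The history, the weights, the thresholds and the function names are all invented for the example.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed login history for one account (illustrative, not real records).
HISTORY = [
    {"ts": "2017-10-01T08:15:00Z", "country": "RO", "device": "pixel-2", "site": "bank"},
    {"ts": "2017-10-02T09:40:00Z", "country": "RO", "device": "home-pc", "site": "social"},
    {"ts": "2017-10-03T19:05:00Z", "country": "RO", "device": "pixel-2", "site": "bank"},
    {"ts": "2017-10-04T08:50:00Z", "country": "RO", "device": "pixel-2", "site": "social"},
    {"ts": "2017-10-05T20:30:00Z", "country": "RO", "device": "home-pc", "site": "bank"},
    {"ts": "2017-10-06T12:10:00Z", "country": "RO", "device": "pixel-2", "site": "social"},
]

# Hypothetical weights; a real system would tune these against labelled incidents.
WEIGHTS = {"new_country": 40, "new_device": 30, "new_site": 15, "new_hour": 15, "fast_travel": 30}
FAST_TRAVEL_HOURS = 6          # country change inside this gap is suspicious


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_profile(events):
    """Summarise past behaviour. This profile is the 'fingerprint' the article
    describes, and also the personal data the privacy objection is about."""
    return {
        "countries": Counter(e["country"] for e in events),
        "devices": Counter(e["device"] for e in events),
        "sites": Counter(e["site"] for e in events),
        "hours": Counter(parse_ts(e["ts"]).hour for e in events),
        "last": max(events, key=lambda e: parse_ts(e["ts"])),
    }


def risk_score(profile, event):
    """Add a weight for every attribute of the new login the profile has never seen."""
    score, reasons = 0, []
    for field, key in (("country", "new_country"), ("device", "new_device"), ("site", "new_site")):
        if not profile[field + "s" if field != "country" else "countries"][event[field]]:
            score += WEIGHTS[key]
            reasons.append(f"{field} never seen before")
    if not profile["hours"][parse_ts(event["ts"]).hour]:
        score += WEIGHTS["new_hour"]
        reasons.append("login hour never seen before")
    gap_h = (parse_ts(event["ts"]) - parse_ts(profile["last"]["ts"])).total_seconds() / 3600
    if event["country"] != profile["last"]["country"] and 0 <= gap_h < FAST_TRAVEL_HOURS:
        score += WEIGHTS["fast_travel"]
        reasons.append(f"country changed {gap_h:.1f}h after previous login")
    return score, reasons


def decide(score: int) -> str:
    """Map the score to an action: let it through, ask for another factor, or refuse."""
    if score >= 60:
        return "deny"
    if score >= 30:
        return "step-up"
    return "allow"


def assess(profile, event):
    score, reasons = risk_score(profile, event)
    return decide(score), score, reasons


PROFILE = build_profile(HISTORY)

# Constructed test logins: the usual routine, a new laptop at home, and the
# article's "phone suddenly in London, not visiting the usual sites" case.
NORMAL_LOGIN = {"ts": "2017-10-07T08:30:00Z", "country": "RO", "device": "pixel-2", "site": "bank"}
NEW_DEVICE_LOGIN = {"ts": "2017-10-07T09:00:00Z", "country": "RO", "device": "work-laptop", "site": "bank"}
LONDON_LOGIN = {"ts": "2017-10-06T14:00:00Z", "country": "GB", "device": "pixel-2", "site": "unknown-forum"}

if __name__ == "__main__":
    for name, ev in (("normal", NORMAL_LOGIN), ("new device", NEW_DEVICE_LOGIN), ("london", LONDON_LOGIN)):
        print(name, assess(PROFILE, ev))
```

Two design points follow from running it. A single unseen attribute only triggers a step-up (a second factor), not a refusal, because travel and new devices are ordinary; only several simultaneous deviations deny. And the profile holds exactly the location, device and browsing data the privacy paragraph below objects to, so a deployment that wants to be defensible keeps the feature set to the few fields the score actually uses and discards history after a short window.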

While this might sound exciting to some, it certainly causes concern in others who are concerned about privacy and their ability to have control over their data. Many folks might not be comfortable with their mobile carriers tracking their every movement and all of the data that they send over the Web. And what if a government wants to subpoena records of this data?

What side are you on? Do you believe that the MAT’s new authentication method is a step forward in stopping hackers, or are the privacy concerns enough to turn you off to the idea? Tell us what you think in a comment!

Miguel Leiva-Gomez

Miguel has been a business growth and technology expert for more than a decade and has written software for even longer. From his little castle in Romania, he presents cold and analytical perspectives to things that affect the tech world.


  1. The title of this article and the article itself are incorrect because of the flawed logic it uses and its implications. That it proposes that two-factor authentication is flawed, i.e., does not work, is akin to saying that since I have a car security system but someone broke into the car means the car security does not work. Not correct. The car security system works for what it was designed to do but that does not guarantee that no one will break into the car.

    Should we *not* have two-factor authentication because it’s not perfect? No. I worked with online security software and there is no one-size-fits-all approach to securing our transmissions and storage of data. Good security is a multi-layered, multi-faceted architecture that uses multiple methods of validating identity. For example, passwords have not been done away with because they are not sufficient by themselves. They are used as *part* of a system of ways to validate users but still continue to be used.

    As criminals figure out more ways to steal information, computer security developers develop more safeguards and methods to safeguard private information. It is an unending war.

    1. Because something is currently the best possible method for authentication (although I would argue that biometric authentication is superfluous) doesn’t mean that it isn’t flawed.

      With all due respect and esteem, at no point was there any mention of the idea that two-factor authentication “did not work”. Without it, systems would be more vulnerable than they would with it. That, in essence, demonstrates that it is a working model for cybersecurity.

      However, there are newer developments coming along that might push two-factor authentication back down, and I’d like to add that it has some pitfalls of its own in terms of privacy. In the end, two-factor authentication might actually be better than another method that sacrifices security. This was the point of the piece.

      Yes, the war against hackers will never end, but we don’t get anywhere without first pointing out flaws in the system and providing details on how it is being mitigated. So far, there aren’t a whole lot of details out there from the carriers that decided to undertake the project. They haven’t even named their authentication method. So it might just be a bit of hot air combined with some privacy-limiting techniques that some people might not feel comfortable with.

  2. Well, I totally agree with kscmint! The war between security and hacking is an unending war alright.
    The fingerprint identity can be easily broken if someone cuts off your finger… This is not a joke of course, but in this way the security is over. So there isn’t any system which can have perfect security because it all ends up in the human factor. If people are well informed about using a security system, you can minimize the chance of getting hacked.
    I say this a lot of times: “A new hacker is born every time the administrators get lazy.”

    One more thing concerning the article. If someone steals your token generator or your phone which has the digital token, then he cannot get into your account because he/she has to know your username and password also! If of course he can obtain both of them, then he must have found a way to break into the server which serves the login passwords, so here we are talking about a major security problem in the bank’s server, for example. Having all the login passwords is not so worrying because he/she has to have the tokens too to break into the users’ accounts… and so on. It is very difficult to obtain both at the same time. So the 2-factor authentication protocol is not so flawed!

  3. kscmint couldn’t have been more “spot on” with his reply. Bars on the windows won’t totally prevent your place from being robbed. Several other systems must also be in place and even then – there is no absolute guarantee. This is why the security person in an organization is the holder of a job that never ends with implementing a piece of the security puzzle. There is the constant education and re-education of the “human element” of the security system.

    To comment on the author’s request for our opinion as to the privacy concerns: I think it would take a massive amount of convincing for the CSO of any institution to allow a third party to perform such data mining of user activity in order to create an algorithm that would be able to “predict” whether the user is in fact the correct user. I like science fiction as much as the next guy but this sounds just a bit too Orwellian for me.

  4. Every system that involves humans is flawed. Ultimately no matter what authentication method is used, it will involve humans and they will screw up.

    If you lose your phone and do not report it stolen or, better yet, disable it using something like “Find my Phone”, then you are responsible for the break-in.

    Security is only as good as its weakest link – i.e. – humans.

      1. This is, in essence, what many developers are doing now. By removing the human element from some internal IT processes in businesses, you eliminate some weak points in the infrastructure.

        1. I was being sarcastic. Although after having worked in IT for many years, 15 as a developer/troubleshooter, I came to the conclusion that our systems would be safe and secure if it wasn’t for the users. The damn humans screw up everything! :-)

  5. Having a business know you is nice in many regards. I understand the premise: if you go to another country and do not log into your normal sites, there is probably a problem. I would like to see people defended by the same use of their patterns, that is, truly innocent by way of there being nothing in their history to show they would do x.
