When it comes to securing our accounts, it’s better twice than once. For this reason, companies such as Apple, Google or Microsoft offer to activate the two-factor authentication (also called 2FA) which integrates additional protection to your account. How does it work? Once your password is entered (first identification), a code is sent to your phone. You receive this code by SMS from the company that owns the website you are trying to connect to. The code is valid for a limited time and you must enter it on your device (second identification) to confirm that it is really you and not an attempt to fraudulently access your account.

Why use Two-Factor authentication?

Today, phishing attempts or password theft are numerous. Even if you choose your password carefully and change it regularly (see: www.montechnicien.com/top-20-worst-passwords-2017), you are not fully protected against piracy. A third party, a virus or a malware can discover and use your password without your knowledge. With two-factor authentication, the person will not be able to make it through the second step and access your account if he/she doesn’t have security information.

However, is this dual identification always 100% reliable and enough?

Double identification is undoubtedly better than a unique identification. However, it does not guarantee foolproof protection and can easily be breached, as Amnesty International has demonstrated last year in it’s safety report. Since the second identification is usually sent by SMS, it is possible to divert this message in different ways: theft of smartphone, SIM card theft or interception of messages by hackers. A few days ago, early 2019, a new tool named Modlishka, created by a Polish researcher, showed how easy it is to ignore connection operations for accounts protected by two-factor authentication. Therefore, the level of security is not enough.

So, how to reduce the risks?

Stay alert: cybercriminals sometimes encourage services like Gmail to send two-factor authentication codes that refer to phishing sites. Be vigilant! Always check the source of the sms or email that contains your identification code.

Favour other forms of two-factor authentication: As mentioned above, SMS messages constitutes a real weakness for two-factor authentication because of the great possibility to intercept messages. My Technician recommends that you use other 2FA authentication methods that do not require SMS to be sent, as for example, applications that generate 2FA codes, such as Authy, RSA SoftID or a password manager such as LastPass or Dashlane. You can also use more sophisticated methods for authentication, such as biometric (e. g. fingerprint autthentication) or behavioral (e. g. recognition of typing dynamics on the computer keyboard) for example).

Two-factor authentication is certainly much more reliable than a simple authentication, but it is not a guarantee of maximum security. In 2019, technological advances will make it possible to put into practice new, more modern and more reliable authentication systems.