The standard password just doesn’t cut it these days. In most cases, we’re probably better off using something else, especially when you consider that many people use the same password for all of their accounts.

Two-factor authentication (2FA) is often the first port of call when looking at alternative ways to keep online profiles safe. But while 2FA offers an extra layer of security, it’s not the bulletproof solution that many people think it is.

So why isn’t 2FA as secure as you first thought? What security risks still exist despite you using additional verification?

What Is Two-Factor Authentication?

As you might have guessed from the name, 2FA refers to having two levels of authentication for your online accounts. At the base level, you’ll generally have your password (and note that these have to be secure and memorable passwords).

After your password, you’ll need to verify your identity in another way. Common methods used for this include:

  • Sending codes via SMS.
  • Fingerprint or facial recognition.
  • Verifying via a push notification.

What Security Risks Does 2FA Still Pose?

The idea behind 2FA is simple. Anyone can get a hold of your password, but only you have access to the next level of authentication.

Unfortunately, that’s not always the case; here are five risks you need to beware of.

1. SIM Swapping

Despite what the name suggests, SIM swapping does not involve you taking your phone’s SIM card out and putting it in a criminal’s device. Instead, what usually happens is that the attacker calls your mobile network provider and pretends to be you. Then, they try to get your number moved onto their SIM card instead.

To successfully complete a SIM swap, the person trying to steal your identity will need to know something associated with your account—such as your password (which should never be shared in full anyway) or answers to your secret questions.

After “verifying” this information, the attacker will hope that the person on the other end has fallen for their trick. If they have, your number is now in the hands of the criminal—meaning they can use 2FA to get into your account.

2. Someone Can Get Hold of Your Device

Sometimes, cybercriminals might not need to go as far as SIM swapping. It’s entirely possible that you might leave your phone somewhere or that someone could steal it from you.

When a criminal has hold of your phone, there’s every chance that they’ll manage to get into your device. Once they’re in, they can use it to get into your accounts using 2FA.

If you’ve lost your device, you must take steps to limit the damage. Call your network provider to have your SIM canceled, and do the same with any bank cards and similar items that could be stored on your phone.

It’s also important to erase your smartphone’s data remotely if you know you can't get it back. The process varies depending on whether you’ve got an Android device or an iPhone.

3. Man-in-the-Middle (MITM) Attacks

Whenever you share information online, you’re never 100 percent secure, even if you use 2FA. Many hackers use MITM attacks to steal your information after you’ve shared it.

A MITM attack involves the criminal getting into the path of your data transfer and pretending to each party that they are the other. One particular problem with this tactic is that often, you won’t know what’s going on.

Fortunately, you can protect yourself against MITM attacks in several ways. Using a secure Virtual Private Network (VPN) will help encrypt your information, meaning a would-be hacker is wasting their time trying to get a hold of it.

You can also protect yourself against a MITM attack by not using public Wi-Fi. Many public networks aren’t secure, which makes gathering your information much easier for a criminal. Instead, only use secure wireless networks, such as your home or office Wi-Fi.

4. Logging Into Phishing Websites

Phishing is one of the oldest internet threats. However, the reason hackers still use the method is that it’s often effective. While you might have no problems noticing a phishing email, identifying websites of this kind is a little more complicated.

Often, phishing websites will look similar, if not identical, to the site you’re trying to visit. If you use them and submit personal information, such as your banking details, criminals can take those details and cause all sorts of chaos.

Although phishing websites are more difficult to spot, you can look for a few subtle signs to protect yourself. These include:

  • The URL is slightly different (for example: a .co domain, when the official one is .com).
  • The web page’s design doesn’t look right.
  • Spelling errors.

If you find yourself on a phishing website, leave the page as soon as you notice. You can mitigate your risk before browsing by checking if a website is safe to use.
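
The first sign in the list above, a URL that differs slightly from the official one, can be checked mechanically. The following Python is an added example, not part of the original article; the allowlist entries, the function names and the "last two labels" shortcut for finding the registrable domain are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist (assumption): replace with the sites you actually log in to.
OFFICIAL_DOMAINS = {"example.com", "examplebank.com"}

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        diag, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            diag, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, diag + (ca != cb))
    return row[-1]

def classify(url):
    """Return (verdict, official_domain_or_None) for the host in `url`."""
    try:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:
        host = ""
    if not host:
        return ("invalid", None)
    for official in OFFICIAL_DOMAINS:
        if host == official or host.endswith("." + official):
            return ("official", official)
    # Assumption: the registrable domain is the last two labels. Real code
    # should consult the Public Suffix List (e.g. for .co.uk).
    candidate = ".".join(host.split(".")[-2:])
    cand_name, _, cand_tld = candidate.rpartition(".")
    for official in sorted(OFFICIAL_DOMAINS):
        name, _, tld = official.rpartition(".")
        if host.startswith(official + "."):
            return ("lookalike", official)   # official name used as a subdomain prefix
        if cand_name == name and cand_tld != tld:
            return ("lookalike", official)   # TLD swap, e.g. .co instead of .com
        if edit_distance(candidate, official) <= 2:
            return ("lookalike", official)   # one or two characters changed
    return ("unknown", None)

if __name__ == "__main__":
    for url in ("https://www.example.com/login", "https://example.co/login",
                "https://examp1e.com/", "https://examplebank.com.secure-login.net/"):
        print(url, "->", classify(url))
```

An "unknown" verdict only means the host does not resemble anything on the allowlist; it says nothing about whether the site is safe.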

5. You Might Lose Your Credentials

Almost all of us have gone through the annoying process of needing to change a password after forgetting it. And while you might think that 2FA will eliminate (or at least minimize) those problems, this isn’t always the case.

Even if you use 2FA, you could still lose your credentials. For example, you might need to update your number after buying a new phone.

If you don’t update your 2FA details as soon as you lose access, you risk having someone else grab them and enter your account. Always ensure that your phone numbers, email addresses, and anything else you use are up to date.

Don’t Rely Solely on Two-Factor Authentication for Security

If this has scared you into not using 2FA, that's certainly not the intention. Using additional layers of security for your account is essential, and 2FA is one of the most effective methods for fending off attackers.

At the same time, it’s crucial not to look at this method as a one-stop shop for online security. 2FA isn’t foolproof, and your details might still fall into the wrong hands if you’re not careful.

Identify risks while browsing online, keep your information up to date, and inform whoever you need to if something goes wrong or your circumstances change. By doing all of these, you’ll keep yourself safe online.