Skip to main content
  1. Home
  2. Computing
  3. Features

Two-factor security is the best lock for your digital life, but it’s not perfect

By

Netcrypt
Netcrypt
Two-factor authentication has become something of an online security buzzword over the last few years. Most of us have logged into one service or another only to be presented with a message urging us to implement this form of our protection on an account.

But two-factor authentication isn’t some silver bullet capable of stopping hackers in their tracks. It’s a useful countermeasure to have among your defenses, but ultimately, it’s no substitute for a working knowledge of the biggest threats we face online.

Recommended Videos

Activate two-factor authentication wherever the opportunity is offered up — but don’t make the mistake of relying on its protection if you don’t understand what it can and cannot defend against. As 2016 proved, the keeping data secure is complex, and overconfidence can leave you open to attack.

Related

Are you who you say you are?

At its core, two-factor authentication is all about checking credentials. It’s a way of making sure that someone is who they claim to be, by verifying two distinct types of evidence. This kind of system has been around for years.

If you don’t understand the basics of computer security, you shouldn’t be allowed to bank on the Internet.

Chip-and-PIN credit card payments are perhaps the most ubiquitous example; they rely on the user having a physical card in their possession, and knowledge of their PIN. While a thief could feasibly steal a card and learn the PIN, it’s not easy to manage both.

There was a time, not so long ago, when financial transactions were the only reason people would have to authenticate their identity on a regular basis. Today, anyone that uses the internet has an array of accounts that they wouldn’t want just anyone to have access to, for a variety of reasons.

The financial industry managed to implement two-factor authentication very easily, because the only hardware that needed to be distributed was a bank card. Distributing a similar system for everyday websites is nearly impossible, so two-factor is enabled through other means. And those methods have flaws of their own.

User experience

“I am really sick of all the convenient things in life suddenly become too cumbersome to use,” reads a comment posted to a 2005 SlashDot article about the imminent rise of two-factor authentication in relation to online banking. “I would really, really hate to have a hard token to carry around.”

“Politicians have no idea what impact this has on the real world,” agreed a second, lamenting the threat of users being forced to purchase extra hardware. “If you don’t understand the basics of computer security, you shouldn’t be allowed to bank on the Internet,” added another commenter.

Today, complaints like these seem positively foolish, but in 2005 users were more considered about the cost and annoyance of carrying some form of two-factor token. User response can prove even more negative when something less important than banking is protected. In 2012, a class action lawsuit was filed against game developer Blizzard Entertainment after the company introduced an authenticator peripheral designed to defend users’ Battle.net accounts, per a report from the BBC.

LastPass
LastPass

Efforts to implement this kind of two-factor authentication had been in place since the 1980s, when Security Dynamics Technologies patented a “method and apparatus for positively identifying an individual.” By the 2000s, the infrastructure and manufacturing ability was in place for organizations ranging from financial institutions to video game publishers to enforce their own means of two-factor authentication.

Unfortunately, users decided not to co-operate. Whether the second factor of authentication was as simple as an LCD screen that delivered a unique code, or as complex as a fingerprint scanner, the idea of having yet another piece of physical hardware — and potentially one for every different service that required a unique log-in — was unappealing to the masses.

It’s possible to imagine an alternative history where two-factor never caught on because of this problem. Fortunately for us, Apple introduced the iPhone, and Google introduced Android. Smartphones put a device capable of two-factor authentication into the hands of billions worldwide, resolving the convenience issue that users complained about in 2005.

Smartphones are convenient, but have their own risks

The ubiquitous nature of smartphones has allowed sites and services to remove the hassle from the two-factor authentication process. “The ones that use your cellphone tend to be very easy to use, very low impact,” said security expert and Harvard fellow Bruce Schneier, speaking to Digital Trends earlier this month. “Because it’s something that you have already. It’s not something new that you have to carry around with you.”

It’s possible to imagine an alternative history where two-factor never caught on.

In certain scenarios, this approach can offer definite benefits. For instance, if you’re logging into a service from a new computer, you might be asked to input a code sent to a trusted device as well as your standard password. This is a good example of how to use two-factor authentication; someone else could have stolen your password and tried to log in to the associated account from their system — but unless they’ve already stolen your phone, they won’t be able to gain access.

However, there are threats that this kind of protection simply can’t handle. In 2005, Schneier wrote that “two-factor authentication isn’t our savior” in a blog post delving into its weaknesses.

He went on to describe how a man-in-the-middle attack could hoodwink the user into thinking that they’re on a legitimate website, and convince them to offer up both forms of authentication to a phony log-in screen. He also notes that a Trojan could be used to piggyback off a legitimate log-in that was carried out using two forms of authentication. There’s also the problem of centralizing security on a single device; most people use a smartphone-enabled two-factor for multiple websites. If that phone is stolen and compromised, all those sites are at risk.

Knowledge is power

“When you’re logging into your account, two-factor is great,” said Schneier. “My university, Harvard, uses it, my company uses it. Lots of people have adopted it, and it’s very useful. But what I was writing about then, the problem was it was looked at as a panacea, it’ll solve everything. Of course, we know it doesn’t.”

Financial gain is always going to motivate malicious hackers to cultivate new techniques for accessing other people’s accounts. As long as there’s a benefit to possessing someone else’s credentials, we’re going to see hacking evolve continually.

“There are a lot of different threats, and a lot of different security mechanisms,” Schneier explained. “There’s not just one threat, not just one mechanism, there are many threats and many mechanisms.”

The best defense is a continuous stream of new and improved countermeasures. If we continue to change and update the methods we use to keep our accounts secure, we make things harder for anyone trying to gain access without permission.

Unfortunately, the attackers have the initiative. It took years for two-factor authentication to become accepted by the masses. As new forms of protection become available, we as users need to commit to take advantage of them. And that puts us right back on the Slashdot forums, circa-2005. We all once again become users complaining about convenience, instead of worrying about security.

It’s difficult to ignore how commonplace large-scale hacks have become, and there’s no sign that this form of criminality is going to die off. There is no defense that’s 100 percent capable of blocking any kind of attack; criminals will always find a way to exploit even the smallest weakness. Although it’s not easy, the best way to stay safe online is to be aware of the threats, and aware of what can be done to safeguard against those threats.

Online security is like paying for insurance, or going to the dentist. It doesn’t seem that important, until it is. It’s not enough to simply opt-in to the forms of protection we’re offered by various sites and services. Knowing what kind of attacks these protections defend us from — and what they don’t — is the only way to take charge of your own security.

Editors' Recommendations

Topics
Brad Jones
Brad Jones
Former Digital Trends Contributor
Brad is an English-born writer currently splitting his time between Edinburgh and Pennsylvania. You can find him on Twitter…
Dell’s XPS 13 for $599 deal is back, and who knows for how long
The Dell XPS 13 in front of a window.

Dell almost always has great laptop deals and for a little while now, it’s been selling an older model of the Dell XPS 13 for just $599. That deal continues today but we’re really not sure how long it’s going to stick around for. It feels like it must be ending very soon. The laptop usually costs $799 so you’re saving $200 but overall, this is a fantastic deal for the hardware involved. If you’re keen to learn more before the deal ends, keep reading.

Why you should buy the Dell XPS 13
Dell is one of the best laptop brands out there so you simply can’t go wrong with purchasing from it. With this model, you get a 12th-generation Intel Core i5-1230U processor along with 8GB of memory and 256GB of SSD storage. There’s also a 13.4-inch full HD+ screen with 1920 x 1200 resolution, 500 nits of brightness, and anti-glare properties. That’s fairly standard stuff at this price but it’s the build quality of the Dell XPS 13 which makes it stand out so much.

Read more
M4 vs. M3: How much better are Apple’s latest chips?
An official rendering of the Apple M4 chip.

Apple has announced the M4 chip, its successor to the M3 that’s currently found in a bunch of Macs and iPads. The M3 is an excellent chip and a real leap above the M2 that came before it, so the question is whether the M4 can manage a similar feat.

Right now, the M4 is only in the iPad Pro, and that means information about how good it is and what it does is rather limited. But if you’re interested in finding out more, you’re in luck, as we’ve gathered up everything we know about Apple’s M4 chip and compared it side by side with the M3. If you want to learn more about Apple’s next chip -- and how it compares to the M3 -- read on.
Where can you find these chips?

Read more
iMac deals: New, renewed and refurbished iMac computers
Apple iMac with Retina 5K Display review close

If you're in the Apple ecosystem and need a desktop computer rather than something like a MacBook, then you'll want to go for the Apple iMac, which is one of the best all-in-one computers on the market. There are quite a few screen sizes and specs to pick from, and if you're willing to go for a renewed option, you can get some older yet still powerful iMacs for a great price with desktop deals. Even if you aren't, there are still some great Apple deals you can take advantage of to save yourself some money, which is why we went out and scoured the internet for the best deals we could find. If you need something portable, check out MacBook deals. For extra savings, check out refurbished MacBook deals.
Apple 21.5-inch iMac (2018) Renewed -- $409, was $460

Even cheaper than any of the MacBook deals going on, this Apple 21.5-inch iMac (2018) might be a few years old but it offers plenty of juice for the price. That's the beauty behind many iMacs -- they last a long time thanks to offering reliable hardware and the benefits of MacOS, which tends to mean they stay fast for awhile. In the case of the 2018 21.5-inch iMac, you get a 2.7GHz Quad-Core Intel Core i5 processor paired up with 16GB of memory which is a great set of specs for ensuring you can get plenty of work done.

Read more