“True” 2 Factor Auth vs “Fake” 2FA

Multi-factor authentication is becoming commonplace in almost all of the services that we use on a daily basis. It can draw on three kinds of factor:

  1. Something you know
    • a password, PIN, or personal question (name of pet, street you grew up on, etc). This factor is the easiest to beat.
  2. Something you have
    • An ID card, a hardware token, or a code generated by an algorithm only you use. The most common is an app like Google’s Authenticator, which syncs with the 2FA server to generate a 6-digit code.
  3. Something you are
    • Biometrics like facial recognition, fingerprints, and voice recognition. It can also include behavioral analysis like keystroke dynamics or mouse entropy. Biometrics have come a long way in authentication but are still susceptible to false negatives (type 1 failure) and false positives (type 2 failure).

Knowledge factors (passwords, PINs, etc.) have been used to identify people for centuries, and as we move closer to a connected future, remembering multiple secure passwords becomes more and more difficult. I suggest that everyone use a password manager, but that is still only a single factor of authentication. Many services now require two-factor authentication, such as a software token generated by an app, which increases security exponentially.

Most people also don’t realize that some of the best 2FA systems are completely invisible to the user. The best example of this is your debit card! The two factors used are something you have (your card) and something you know (your PIN).

So why do I mention “Fake” 2FA? Some services use two versions of the same factor and call it 2FA, when really it’s two-step authentication. I won’t name specific services, but a very popular site requires your username and password (something you know) and then sends a text with a 6-digit code to your phone. While that may seem like a “something you have” since your phone is a physical object, from a security perspective it’s still part of the “something you know”. This is because the key for authentication isn’t the phone itself, but information stored on the phone.

How is that different from an authenticator app? The authenticator apps are required to be tied to a device. If you get a new phone, you have to reset all of your authentication codes to be able to use 2FA again. I learned this the hard way this weekend after I got the iPhone X and had to spend a few hours resetting all of my 2FA.
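To make the "tied to a device" point concrete, here is an added example (not code from the original post) of how a standard authenticator app derives its 6-digit code under RFC 6238 (TOTP): an HMAC over the current 30-second time step, keyed with a seed enrolled on the device. The seed values, the `verify` helper and its one-step drift window are assumptions for illustration.

```python
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds each code is valid for (RFC 6238 default)
DIGITS = 6   # the 6-digit code the post mentions

# Constructed sample seeds. The first is the RFC 6238 test secret, standing in
# for the seed enrolled on the old phone; the second is a phone not yet enrolled.
OLD_PHONE_SEED = b"12345678901234567890"
NEW_PHONE_SEED = b"seed-on-a-phone-not-yet-enrolled"


def hotp(seed: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(seed: bytes, at: float) -> str:
    """RFC 6238: HOTP where the counter is the number of elapsed time steps."""
    return hotp(seed, int(at) // STEP)


def verify(seed: bytes, code: str, at: float, drift: int = 1) -> bool:
    """Server side: accept the current step plus/minus `drift` steps of clock skew.

    Hypothetical helper; the drift window is an assumption, not from the post.
    """
    current = int(at) // STEP
    ok = False
    for counter in range(max(0, current - drift), current + drift + 1):
        # Constant-time comparison; check every candidate before answering.
        ok |= hmac.compare_digest(hotp(seed, counter).encode(), code.encode())
    return ok


if __name__ == "__main__":
    now = time.time()
    old_code, new_code = totp(OLD_PHONE_SEED, now), totp(NEW_PHONE_SEED, now)
    print("old phone:", old_code, verify(OLD_PHONE_SEED, old_code, now))
    print("new phone:", new_code, verify(OLD_PHONE_SEED, new_code, now))
```

The server accepts only codes computed from the seed it enrolled, so a replacement phone produces rejected codes until each account is enrolled again.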

If we’re being completely honest, the 2-step authentication is secure enough to stop most attackers, but if you call it 2FA to someone who works in InfoSec, you’ll see a vein pop in their forehead as they refrain from correcting you.
