Two-factor authentication helps but isn't as secure as you might expect
Passcodes from SMS or authenticator apps are better than passwords alone, but hackers can exploit their weaknesses.
- Shankland covered the tech industry for more than 25 years and was a science writer for five years before that. He has deep expertise in microprocessors, digital photography, computer hardware and software, internet standards, web technology, and more.
Editor's note: In recognition of World Password Day, CNET is republishing a selection of our stories on improving and replacing passwords.
You've probably heard this security advice: protect your accounts by using two-factor authentication. You'll make life hard for hackers, so the reasoning goes, if you pair a password with a code sent by text message or generated by an app like Google Authenticator.
Here's the problem: It can be easily bypassed. Just ask Twitter Chief Executive Jack Dorsey. Hackers gained access to Dorsey's Twitter account using a SIM swap attack that involves fooling a carrier into switching mobile service to a new phone.
For a broader look, check CNET's coverage this week about password problems, some fixes like hardware security keys and password managers that you can start using today, reasons why some old password-picking rules are now obsolete and a cautionary tale about what can go wrong with a password manager.
Banks, social networks and other online services are moving to two-factor authentication to stem a torrent of hacks and data theft. More than 555 million passwords have been exposed through data breaches. Even if yours isn't on the list, the fact that so many of us reuse passwords -- even alleged hackers themselves -- means you're likely more vulnerable than you think.
Don't get me wrong. Two-factor authentication is helpful. It's an important part of a broader approach called multifactor authentication that makes logging in more of a hassle but also makes it vastly more secure. Like the name suggests, the technique relies on combining multiple factors that embody different qualities. For example, a password is something you know and a security key is something you have. A fingerprint or face scan is simply part of you.
Authentication code interception
Code-based two-factor authentication, however, doesn't improve security as much as you'd hope. That's because the code is just something you know, like your password, even if it has a short shelf life. If it's swiped, so is your security.
Hackers can create fake websites to intercept your information, for example using software called Modlishka, written by a security researcher who wants to show how seriously susceptible websites are to attack. It automates the hacking process, but there's nothing stopping attackers from writing or using other tools.
Here's how an attack works. An email or text message lures you to the fake website, which hackers can automatically copy from the originals in real time to create convincing fakes. There, you type in login details and the code you got by SMS or an authenticator app. The hacker then enters those details into the real website to get access to your account.
SIM swapping attacks
Then there's the SIM swap attack that got Twitter's Dorsey. A hacker impersonates you, convincing an employee at a carrier like Verizon or AT&T to switch your phone service to the hacker's phone. Each phone has a discrete chip -- a subscriber identity module, or SIM -- that identifies it to the network. By moving your account to a hacker's SIM card, the hacker can read your messages, including all your authentication codes sent by SMS.
Don't dump two-factor authentication just because it isn't perfect. It's still vastly better than a password alone and more resistant to large-scale hack attempts. But definitely consider stronger protections, like hardware security keys, for sensitive accounts. Facebook, Google, Twitter, Dropbox, GitHub, Microsoft and others support that technology today.