Two-factor authentication helps but isn't as secure as you might expect

Passcodes from SMS or authenticator apps are better than passwords alone, but hackers can exploit their weaknesses.

Stephen Shankland principal writer

Editor's note: In recognition of World Password Day, CNET is republishing a selection of our stories on improving and replacing passwords.

You've probably heard this security advice: protect your accounts by using two-factor authentication. You'll make life hard for hackers, so the reasoning goes, if you pair a password with a code sent by text message or generated by an app like Google Authenticator. 

Here's the problem: It can be easily bypassed. Just ask Twitter Chief Executive Jack Dorsey. Hackers gained access to Dorsey's Twitter account using a SIM swap attack that involves fooling a carrier into switching mobile service to a new phone.

For a broader look, check CNET's coverage this week about password problems, some fixes like hardware security keys and password managers that you can start using today, reasons why some old password-picking rules are now obsolete and a cautionary tale about what can go wrong with a password manager.

Banks, social networks and other online services are moving to two-factor authentication to stem a torrent of hacks and data theft. More than 555 million passwords have been exposed through data breaches. Even if yours isn't on the list, the fact that so many of us reuse passwords -- even alleged hackers themselves -- means you're likely more vulnerable than you think.

Don't get me wrong. Two-factor authentication is helpful. It's an important part of a broader approach called multifactor authentication that makes logging in more of a hassle but also makes it vastly more secure. Like the name suggests, the technique relies on combining multiple factors that embody different qualities. For example, a password is something you know and a security key is something you have. A fingerprint or face scan is simply part of you.

Authentication code interception

Code-based two-factor authentication, however, doesn't improve security as much as you'd hope. That's because the code, like your password, is just a secret you type in, and nothing about it is tied to the website you type it into. Its short shelf life (typically 30 seconds for authenticator apps) only limits how quickly it has to be used; anyone who learns it within that window can use it. If it's swiped, so is your security.


Hackers can create fake websites to intercept your information, for example using software called Modlishka, a reverse-proxy tool written by a security researcher who wants to show how seriously susceptible websites are to this kind of attack. Instead of copying a site by hand, the proxy sits between you and the real site and relays traffic in both directions. It automates the hacking process, but there's nothing stopping attackers from writing or using other tools.

Here's how an attack works. An email or text message lures you to the fake website, which the proxy builds automatically from the real site's pages in real time, so the fake looks and behaves exactly like the original. There, you type in your login details and the code you got by SMS or from an authenticator app. The hacker enters those details into the real website while the code is still valid and gets access to your account; because the code is accepted regardless of which site you typed it into, it offers no protection here.

SIM swapping attacks

Then there's the SIM swap attack that got Twitter's Dorsey. A hacker impersonates you, convincing an employee at a carrier like Verizon or AT&T to switch your phone service to the hacker's phone. Each phone holds a small chip -- a subscriber identity module, or SIM -- that identifies your subscription to the network. By getting the carrier to associate your number with a SIM card the hacker controls, the hacker receives your calls and text messages, including all your authentication codes sent by SMS.

Don't dump two-factor authentication just because it isn't perfect. It's still vastly better than a password alone and more resistant to large-scale hack attempts. But definitely consider stronger protections, like hardware security keys, for sensitive accounts. A security key's response is tied to the website address your browser is actually connected to, so a response produced on a look-alike site is useless at the real one, and there is no code for you to retype into the wrong place. Facebook, Google, Twitter, Dropbox, GitHub, Microsoft and others support that technology today.
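To make the difference between the two sections above concrete, here is an added example (not CNET's code and not Modlishka's) that models both logins in miniature. Part 1 computes authenticator-app codes exactly as RFC 6238 specifies and shows that a code captured by a phishing relay is accepted by the real site a few seconds later, while a code held for two minutes is not. Part 2 is a toy origin-bound challenge-response in the spirit of the WebAuthn standard that hardware security keys implement: the browser, not the user, records the site it is really talking to, so a response relayed from a look-alike domain fails. HMAC stands in for the key's public-key signature (a simplification; the origin check is the point), and the secrets, domains and timings are all constructed for the example.

```python
"""Added example: why a relayed one-time code is accepted by the real site
while a relayed security-key response is rejected.

Part 1: TOTP per RFC 6238 (what authenticator apps compute).
Part 2: a toy origin-bound challenge-response modelled on WebAuthn security
keys, with HMAC standing in for the key's public-key signature (simplification).
All secrets, domains and timings are made up for the example.
"""
import hashlib
import hmac
import json
import struct
import time

TOTP_STEP = 30  # seconds per code, the usual authenticator-app setting


def totp(secret: bytes, at: float, digits: int = 6) -> str:
    """RFC 6238: HOTP (RFC 4226) over the time counter floor(at / step)."""
    counter = int(at // TOTP_STEP)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def server_verify_totp(secret: bytes, submitted: str, now: float) -> bool:
    """Servers usually accept the neighbouring steps too, to tolerate clock drift."""
    return any(hmac.compare_digest(totp(secret, now + d * TOTP_STEP), submitted)
               for d in (-1, 0, 1))


def relayed_totp_login(secret: bytes, t_victim: float, relay_delay: float = 5.0) -> bool:
    """The attack from the article: the victim types the code into a look-alike
    site and the proxy forwards it to the real site relay_delay seconds later."""
    code_shown_to_victim = totp(secret, t_victim)          # what the app displays
    captured_by_proxy = code_shown_to_victim               # nothing ties it to a site
    return server_verify_totp(secret, captured_by_proxy, t_victim + relay_delay)


# --- Part 2: origin-bound challenge-response (the security-key idea) -----------

def key_sign(key_secret: bytes, challenge: bytes, origin_seen_by_browser: str):
    """The browser fills in the origin it is really connected to; the key signs
    over challenge + origin. The user has nothing to retype anywhere."""
    client_data = json.dumps({"challenge": challenge.hex(),
                              "origin": origin_seen_by_browser}, sort_keys=True).encode()
    signature = hmac.new(key_secret, client_data, hashlib.sha256).digest()  # stand-in for ECDSA
    return client_data, signature


def server_verify_assertion(key_secret: bytes, expected_challenge: bytes,
                            expected_origin: str, client_data: bytes, signature: bytes) -> bool:
    data = json.loads(client_data)
    if data.get("origin") != expected_origin:              # phishing site != real site
        return False
    if data.get("challenge") != expected_challenge.hex():  # replay of an old challenge
        return False
    expected = hmac.new(key_secret, client_data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def key_login(key_secret: bytes, real_origin: str, origin_seen_by_browser: str) -> bool:
    """Full round trip. A proxy can relay the real challenge and the signed
    response unchanged, but the origin inside the signed data is the phishing site."""
    challenge = hashlib.sha256(b"constructed nonce").digest()  # real servers: random bytes
    client_data, signature = key_sign(key_secret, challenge, origin_seen_by_browser)
    return server_verify_assertion(key_secret, challenge, real_origin, client_data, signature)


if __name__ == "__main__":
    secret = b"12345678901234567890"                      # RFC 6238 test-vector secret
    key = b"constructed-security-key-secret"
    print("TOTP relayed 5 s later accepted:", relayed_totp_login(secret, time.time()))
    print("TOTP relayed 120 s later accepted:", relayed_totp_login(secret, time.time(), 120.0))
    print("security key, genuine site:",
          key_login(key, "https://bank.example", "https://bank.example"))
    print("security key, relayed via phishing site:",
          key_login(key, "https://bank.example", "https://bank-login.example"))
```

The TOTP half reproduces the RFC 6238 test vectors (secret `12345678901234567890`, time 59 gives `94287082` at 8 digits), so the relay result is not an artifact of a toy implementation: the code really is valid for anyone who submits it inside the server's acceptance window. The security-key half rejects the relayed response even though the proxy passed both the challenge and the signed response through untouched, because the browser on the victim's side wrote `https://bank-login.example` into the signed data.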