Two-factor authentication helps but isn't as secure as you might expect
Passcodes from SMS or authenticator apps are better than passwords alone, but hackers can exploit their weaknesses.
Stephen Shankland, principal writer
Editor's note: In recognition of World Password Day, CNET is republishing a selection of our stories on improving and replacing passwords.
You've probably heard this security advice: protect your accounts by using two-factor authentication. You'll make life hard for hackers, so the reasoning goes, if you pair a password with a code sent by text message or generated by an app like Google Authenticator.
Don't get me wrong. Two-factor authentication is helpful. It's an important part of a broader approach called multifactor authentication that makes logging in more of a hassle but also makes it vastly more secure. As the name suggests, the technique relies on combining multiple factors that embody different qualities. For example, a password is something you know and a security key is something you have. A fingerprint or face scan is simply part of you.
Authentication code interception
Code-based two-factor authentication, however, doesn't improve security as much as you'd hope. That's because the code is just something you know, like your password, even if it has a short shelf life. If it's swiped, so is your security.
Hackers can create fake websites to intercept your information, for example using software called Modlishka, written by a security researcher who wants to show how seriously susceptible websites are to attack. It automates the hacking process, but there's nothing stopping attackers from writing or using other tools.
Here's how an attack works. An email or text message lures you to the fake website, which hackers can automatically copy from the originals in real time to create convincing fakes. There, you type in login details and the code you got by SMS or an authenticator app. The hacker then enters those details into the real website to get access to your account.
SIM swapping attacks
Then there's the SIM swap attack that got Twitter's Dorsey. A hacker impersonates you, convincing an employee at a carrier like Verizon or AT&T to switch your phone service to the hacker's phone. Each phone has a discrete chip -- a subscriber identity module, or SIM -- that identifies it to the network. By moving your account to a hacker's SIM card, the hacker can read your messages, including all your authentication codes sent by SMS.
Don't dump two-factor authentication just because it isn't perfect. It's still vastly better than a password alone and more resistant to large-scale hack attempts. But definitely consider stronger protections, like hardware security keys, for sensitive accounts. Facebook, Google, Twitter, Dropbox, GitHub, Microsoft and others support that technology today.