News, Articles, Tutorials, Thoughts, & Ramblings...

Is 2FA Useless?

Is 2FA Useless?

Researchers at Google have noticed that the frequency of phishing attacks crafted around 2FA has increased drastically. These new attacks are designed to “re-route” SMS (text message) based authentication codes to the attacker without the victim’s knowledge.

Most organizations require only a username and password combination, which by today’s standard; is obsolete. Because of this, organizations are working to implement 2FA to combat successful phishing attempts. The downside, however; is that organizations are falling on the industry standard which is also quickly becoming obsolete. This industry standard couples the username and password combination with a text message “pin” verification that the user must enter in order fully authenticate and gain access.

Now, attackers are adding in bugs that allow them to quickly capture login credentials, SMS pin, and anything else that may be required. They are doing this by carefully crafting “password reset” pages that mirror the ones a users organization would use.

So how do you stay safe? What can you do? Thankfully, most Software as a Service providers, such as; Microsoft Office 365, Zoho One, etc…, allow for multiple forms of 2FA. These platforms connect to services like Google Authenticate or Authy and allow for temporary authentication codes for user access. Some software also offers voice confirmation phone calls. Check with your Software as a Service provider/s to see what forms of 2FA they offer.

If you can’t use 2FA, be sure to use good password hygiene by using randomly generated character passwords, or word-phrase passwords. And make sure to change your passwords in an interval similar to this:

Extremely Critical Security Passwords (Bank Accounts, Medical Records)

-30-60 Days

High Level (Social Media, Paid Accounts)

-60-90 Days

Mid Level (Enterprise/Domain, Databases)

-90-120 Days

Low Level (Software, In-Game, etc..)

-180 Days