The two-factor authentication mechanism is used to add an extra layer of security to online accounts that usually requires two things, viz a login password and a one-time verification code. Some form of 2FA is provided by nearly all major web services throughout the world.
One-time code generation methods:
SMS verification- You receive an SMS message containing a randomly generated one-time verification code which you’ll have to enter while logging in. Most people have their cell phones with them at all times, so this method is quite convenient.
Google Authenticator– App generated codes do not require a cellular network, the time limited codes are stored only on the device, making it much more secure, such that someone trying to intercept text messages won’t know the codes.
There are various other implementations of the service such as physical authentication keys and e-mail-based systems. The question that remains, is 2FA really as safe as people are made to believe?
Reddit, the social media company with a base of 40 million users disclosed having suffered a data breach in June 2018 giving read-only access to a huge amount of data. Reddit employees recently published a blog post saying that a hacker broke into their system and was able to gain access to data such as user emails, source code, internal files and all the content way back from 2007 including salted, hashed passwords as well as public and private messages. On an investigation of the situation, Reddit learned that the main attack was via SMS intercept. The conclusion drawn was that SMS-based 2FA is not nearly as secure as organizations hope. Methods such as SIM swap and intercepting cellular networks can easily be exploited by attackers to gain access to the secure one-time codes.
The level of security provided by 2FA is usually exaggerated. If you don’t have access to your mobile phone or you misplace the physical authentication key, you are essentially locked out of your own account. The recovery options provided usually contradict the point of 2FA, but if you can reset your account without the one-time verification codes, then so can a malicious user trying to hack into your account.
Most organizations consider the use of two-factor authentication a secure means of verifying their users, however, the brutal reality is that two-factor authentication can be bypassed using various methods such as brute force attacks, conventional session management or using third-party login mechanisms such as Oauth.
Despite all of its vulnerabilities, two-factor authentication still remains the best approach to secure user accounts in conventional web applications. However, that is not to say that the attacks occurred in the past and other disadvantages should not be considered. Various two-factor authentication bypasses may become evident from time to time and different techniques may be administered in such attacks, the only way is that web developers make sure that common bypass methods are dormant and they keep iterating their approach to test two factor authentication so that it is easy to predict the movement of an attacker.