When 2FA Is Not Enough: How Multi-Factor Security Enhances Data Safety for Businesses

When it comes to the safety of consumers and businesses online, installing strong security measures are the top priority. As you may know, traditional usernames and passwords have become more susceptible to theft and attacks.  No question that distrust for enterprises managing private consumer data is at an all-time high.  Data breaches, most recently Labcorp, affecting 7.7 million patients, continues to frustrate the masses. 

In fact, a 2017 report found there were 81% confirmed hacks due to weak or stolen passwords. This is why more and more companies began adopting two-factor authentication (2FA) as their first line of defense against cyber-insecurity.

The question is, “How well does 2FA work?”

Two-Factor Authentication and Its Flaws

Two-factor authentication adds a layer of security beyond username-password authentication by sending a generated code (usually via SMS). You may have encountered this while signing into your email account, social media accounts, or when making money transfers using a mobile app.

This system combines something you know (i.e. your password) with something you have, like a smartphone. For example, when logging into your email or bank account, you first need to enter your password (first factor). Then, if you’re logging in from a new device, you will likely receive a one-time code (second factor)—either through an app, email, or SMS—to confirm that you’re authorized to access your account. It might be a little annoying, but it’s a way to ensure your accounts are better protected.

But going back to the pressing question, How well does 2FA work?

Well, it’s no match against strong-willed hackers.

There have been serious cases where two-factor authentication provided only a thin layer of security vulnerable to attacks. In 2018, a hacker intercepted Reddit’s systems and gained access to valuable data, including internal files, source code, and user emails. They believed they had robust security measures as they stand behind strong SMS-based two-factor authentication. But to their disbelief, the brute attack was executed via SMS intercept.

Furthermore, the Deloitte breach back in 2017 demonstrated that even a single unsecured account with administrative access can be used by hackers to infiltrate your whole system. And hackers can employ a myriad of other techniques like pharming, phishing, and social engineering (like this scene from the 2013 film Now You See Me).

The moral of the story? Don’t rely completely on SMS-based two-factor authentication as it’s not as strong as people might think—especially in the hands of a skillful and determined hacker.

4 Ways How SMS-based 2FA Can Be Compromised

The National Institute of Standards and Technology (NIST) expressed its extreme disapproval for SMS-based two-factor authentication. The weaknesses of this authentication method bear a resemblance to those used for hacking passwords.

  1. SMS can be intercepted/redirected
  2. The generated codes can be “swiped” if they pop-up in lock-screen notifications
  3. The algorithms used to generate the “pins” can be deciphered
  4. The generated codes can be “phished” using social engineering

This makes you think: what’s a more superior and ironclad option for a security system? Perhaps including a third factor, specifically multi-factor authentication (MFA) can make the difference.

Why is MFA Important?

As it appears, if two-factor authentication isn’t enough to protect your sensitive data from thieves, attackers, and other security breaches, then add MFA. MFA can be anything that addresses “who you are”, like biometrics. You can achieve this using multi-factor authentication.

Multi-factor authentication (MFA) is a far superior and ironclad option for a security system for it requires more than one credential. The authentication method combines elements, such as generated SMS codes, biometrics, facial recognition, and iris scanning, for effective and secure authentication. Bottom line, MFA makes it extra difficult for attackers to penetrate your company’s data security and infrastructure.

There are five features that can be used as part of MFA. A combination of at least three factors is required to create a secure cyber solution. The features are as follows:

  • Knowledge: The things you know, such as a password or PIN.
  • Possession: The things you have, such as a badge or smartphone.
  • Inheritance: The things you are, such as your biometric data.
  • Location: The places you are in; your whereabouts.
  • Time: Tracking where you are, generally used with location.
  • Context: The things you do based on behavioral patterns and device patterns.

Adaptive authentication, a type of MFA, takes context into account to recognize suspicious behaviors. For instance, when a user tries to log in to an account late at night from a suspicious location not usual for the user, the MFA system may tighten its security by requesting other forms of credentials (e.g., a fingerprint scan or an authenticator-based mobile app).

Enhance Your Data Security

Two-factor authentication established an early foundation for cybersecurity that improved on passwords, but it can only do so much. A more logical solution for strengthening data security is to require more pieces of credentials to access an account—which is exactly what multi-factor authentication offers.

Survey shows that about 38% of large organizations are using multi-factor authentication. While every company is different, there’s no reason why you wouldn’t want yours to utilize stringent security measures. Investing in biometrics technology requires capital  investment but pales in comparison to the financial cost to a company due to a data breach or hack.