Not using 2FA? You’re asking to be hacked


In recent years, we have observed a surge in the number of data breaches that exposed an impressive amount of personal data that flooded the cybercrime underground. The availability of such data online allows threat actors to conduct a broad range of attacks, from phishing campaigns to identity theft.

Today, the most common form of authentication is still based on login credentials (username and password), but the adoption of weak passwords and the bad habit of reusing them across different web services exposes users to multiple attacks.

For additional security, therefore, you should use an authentication process that requires more than one factor to prove your identity.

What is two-factor authentication?

In a multi-factor authentication scheme, it is possible to use the following factors:

  • Something you have, such as a security token or a smart card.
  • Something you know, like a password or a PIN code.
  • Something you are, such as your biometric characteristics.

A two-factor authentication (2FA) scheme combines two of the above factors. An example of 2FA is the authentication at an ATM, which requires you to provide a PIN (something you know) and your payment card (something you have).

Fortunately, most popular online services already implement 2FA, but users have to enable it themselves.

Adopting 2FA protects your resources even when one of the above factors is compromised: an attacker who has your password cannot access your account without the second factor, such as a payment card.

Different types of 2FA

It's important to highlight that some 2FA methods are more secure than others.

For example, 2FA based on SMS messages and passwords is considered less secure than a scheme that combines a password with a code generated by an authenticator app running on a mobile phone.

SMS messages can easily be intercepted by malware installed on the victim’s device, or obtained by an attacker able to carry out a SIM swapping attack against the victim. The choice of 2FA type is influenced by multiple factors such as efficiency, usability, and cost.

Research conducted by Duo Security has shown that 19% of government agencies use hardware authentication tokens due to the highly sensitive data they manage.

An alternative 2FA scheme relies on the user’s own mobile device. This option drastically reduces the cost of the overall solution. For example, according to Google, the use of its authenticator can protect an account from up to 100% of automated attacks.

Other solutions leverage phone calls to the user to deliver authorization codes. For this reason, the authentication is called voice-based 2FA. This solution is suggested when the clients have old phones that do not support mobile applications. Unfortunately, the level of security implemented by voice-based 2FA is very low.

Other 2FA authentication forms are available online, such as biometric 2FA or 2FA based on push notifications. The former uses the user’s physical unique characteristics as an authentication factor. These include fingerprints, veins and retina patterns, and facial recognition. The latter uses push notifications sent to the user when they attempt to access the system. In this case, the user has to approve the operation from their mobile device.

The sad statistics of 2FA usage

According to researchers from Duo Security, mobile push notifications were the most common authentication method in 2019, reaching 68% of use.

Unfortunately, the use of multi-factor authentication is still low within private businesses, according to research conducted by LastPass: only 26% of companies in the United States were using multi-factor authentication in 2019. This figure is disconcerting because private businesses are more exposed to cyber-attacks.

The situation has not improved over time, as confirmed by Twitter in the platform’s transparency report.

The social network platform revealed that in the second half of 2020 only 2.3% of active Twitter accounts had at least one 2FA method enabled. The good news is that the company observed an increase of 9.1% in the number of users that had at least one 2FA method enabled between July and December 2020.

“In general, SMS-based 2FA is the least secure due to its susceptibility to both SIM-hijacking and phishing attacks. Authentication apps avoid the SIM-hijacking risk, but are still susceptible to phishing attacks. Security keys are the newest and most secure form of 2FA since they include built-in protections from phishing attacks,” states Twitter.

Most Twitter users preferred authentication codes sent via SMS as their second authentication factor.

This is the choice of over 79% of accounts with 2FA enabled. Only 0.5% of the users use the most secure 2FA method based on security keys.

“Overall, these numbers illustrate the continued need to encourage broader adoption of 2FA, while also working to improve the ease with which accounts may use 2FA. Making 2FA methods simpler and more user friendly will help to encourage adoption and increase security on Twitter,” Twitter added.

With all that being said, I recommend you enable 2FA for every service that implements it. And, in case you have multiple choices, software-based 2FA could ensure a high level of security.