Two-factor authentication is many times more secure than the classic login with a username and password alone. But few people think about what happens if they lose access to their authenticator app.
In professional IT environments, everyone knows by now that modern two-factor authentication (2FA) offers more security than a classic login based only on a username and password. However, 2FA carries a significant risk that not everyone is aware of: what happens if the authenticator you use fails or is no longer available? Are you prepared for the worst case?
What distinguishes 2FA from classic login
First, a quick look at the basics of the authentication process. With a classic login, entering the correct username and password is enough to log in to a company resource. The password is the only security factor, and it can be stolen, guessed or cracked and then misused for unauthorized access.
Two-factor authentication, on the other hand, requires two independent factors to log in. These are generally:
- Something the user knows (for example, their password or a PIN).
- Something the user has (for example, their mobile phone with a pre-configured authenticator app that generates a time-based one-time password, TOTP).
An attacker who steals the password still does not have the second device and therefore cannot log in as that user. The same property works against you, however, if you lose access to your authenticator for whatever reason.
What 2FA data you should back up
2FA providers are well aware of the accidental-lockout problem. After you set up two-factor authentication, they usually offer a backup of the key or the option of setting up a second 2FA method, which you can use as an alternative way to log in in an emergency.
Google, for example, issues backup codes for such cases; store these 10 codes in a protected place that you can reach at any time, such as a password manager like KeePass or LastPass. Each backup code works only once, so strike used codes off the list. Microsoft provides only a single recovery code, which you should also back up as soon as you can. Microsoft has implemented a further security measure that annoys attackers and, unfortunately, legitimate users who want to get back into their account: you may need to wait around 30 days before Microsoft releases the account again.
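To make clear why backup codes are worth storing carefully and why a used code is worthless afterwards, here is how a service issues and redeems them. This is an added example written for this post, not code from Google, Microsoft or the blog; the format (10 codes of 8 digits, the count the post gives for Google), the keyed-hash storage with a server-side pepper and the record layout are assumptions made for illustration.

```python
"""Issue and redeem single-use backup codes the way a 2FA provider does.

Added example, not code from the blog post or from Google or Microsoft.
The code format (10 codes of 8 digits, the count the post gives for Google)
and the storage layout are assumptions made for illustration.
"""
import hashlib
import hmac
import secrets

CODE_COUNT = 10   # assumption: ten codes, as the post says Google issues
CODE_LEN = 8      # assumption: eight decimal digits per code


def _normalize(code: str) -> str:
    # Users type codes from a printout: ignore spaces and dashes.
    return "".join(ch for ch in code if ch.isdigit())


def _tag(code: str, pepper: bytes) -> str:
    # Keyed hash with a server-side pepper kept outside the database. An
    # 8-digit code has only 10^8 possibilities, so a plain SHA-256 of it
    # could be brute-forced from a leaked table; without the pepper it cannot.
    return hmac.new(pepper, _normalize(code).encode(), hashlib.sha256).hexdigest()


def issue_backup_codes(pepper: bytes, count: int = CODE_COUNT, length: int = CODE_LEN):
    """Return (plaintext codes shown to the user once, records to store).

    Only the keyed hashes are stored; the plaintext exists only on the
    user's printout or in their password manager.
    """
    codes = ["".join(str(secrets.randbelow(10)) for _ in range(length))
             for _ in range(count)]
    records = [{"tag": _tag(c, pepper), "used": False} for c in codes]
    return codes, records


def redeem_backup_code(records: list, submitted: str, pepper: bytes) -> bool:
    """Accept a code once, then burn it. Returns True only on first use."""
    candidate = _tag(submitted, pepper)
    match = None
    # Scan every record, so timing does not reveal which position matched.
    for rec in records:
        if hmac.compare_digest(rec["tag"], candidate) and not rec["used"]:
            match = rec
    if match is None:
        return False
    match["used"] = True
    return True


def codes_remaining(records: list) -> int:
    """How many unused codes the user still has; warn them when this gets low."""
    return sum(1 for rec in records if not rec["used"])


if __name__ == "__main__":
    pepper = secrets.token_bytes(32)   # in production: from a KMS or env, never the DB
    codes, records = issue_backup_codes(pepper)
    print("Store these codes now, they will not be shown again:")
    for c in codes:
        print(" ", c[:4] + "-" + c[4:])
    print("first use :", redeem_backup_code(records, codes[0], pepper))   # True
    print("second use:", redeem_backup_code(records, codes[0], pepper))   # False
    print("remaining :", codes_remaining(records))                         # 9
```

The point for the user side: the plaintext list printed above is the only copy that exists, which is why the post tells you to store it somewhere protected but reachable. The point for the service side: a code that has been redeemed is marked used and never accepted again, so a list with a struck-off entry is still the right record to keep.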
How to properly set up two-factor authentication
Activating two-factor authentication in the security settings of a Google account, for example, is straightforward. Google shows a QR code that contains the secret, Base32-encoded key (as an otpauth:// URI) from which the one-time passwords are calculated. Add the account to an authenticator app, for example the NCP Authenticator App, simply by scanning the QR code with your smartphone camera. Because the QR code is the secret, treat a screenshot or printout of it as carefully as a password.
Then return to your Google account, open the Security section and click the Backup Codes link. Print the list or store it in a protected place. If you skip this step and later lose access to your 2FA method, your only option is Google's account recovery process, which can take several days. During that time you will have no access to your account and may miss an important message.
If your provider offers alternative 2FA methods, you should usually enable one of them as well. The most common alternative is an SMS with a one-time code sent to your mobile number. As a backup this works reliably, but it is considered less secure, since SMS can be redirected to other devices (for instance through a SIM-swap attack). For sensitive data you should therefore avoid it. Some providers, such as PayPal, do not yet offer dedicated recovery codes; there, SMS is the only alternative method for your 2FA.
What are the risks of two-factor authentication?
In summary, the improved security of modern two-factor authentication also brings some risks for the user:
- Account lockout: without access to your authenticator app you can no longer generate the one-time password (the TOTP code) required for authentication, and certain company resources become unreachable. Business data and functions stay inaccessible until you restore access.
- Complicated recovery processes: restoring access to your accounts usually means a lengthy procedure, for example contacting customer service, answering security questions or other steps to verify your identity.
- Hidden security risks: there is also a comparatively small risk that someone who gains access to your authenticator app, and who also knows your password, can use your 2FA codes to reach the linked accounts. Access restrictions on the smartphone and on the authenticator app reduce this risk, and a lost device can be locked or wiped remotely. The same applies to any backup of the secret key: whoever holds it can generate valid codes indefinitely, so store it as carefully as the password itself.
In view of these risks, however, doing without two-factor authentication would be grossly negligent. We recommend that users regularly check whether they have enabled the secure 2FA login for all services and applications. Our blog post “How 2FA works with time-based one-time passwords” gives an overview of the most important companies and online services that already support modern two-factor authentication.