Two-Factor Authentication (2FA)
Two-factor authentication (2FA) is an additional layer of security that you can add to your digital accounts to prevent unauthorized access.
A username and password may be enough for accounts of little value to hackers or scammers, e.g., online bookshops or gym membership access.
But 2FA is a must to protect your most valuable digital assets.
Why Passwords Are Not Enough
A password is a combination of numbers, letters, and symbols that should be difficult to guess but easy to remember.
And here lies the problem: in many cases, passwords are not complex enough, they are predictable, and they are reused across many accounts.
The Hive Systems password table gives a very clear overview of how safe your passwords are based on their complexity.
But, even if your password is very complex, it may have been part of a data breach.
A data breach occurs when a website or service that stores users’ usernames, passwords, and personal information is breached through a hack or a data leak.
If a username and password you reuse elsewhere have been part of a data breach, your other accounts may be at risk.
– Digital safety knowledge –
It doesn’t matter how long and complex your password is: only a unique password per account will keep you safe from data breaches,
unless you add a layer of security to your accounts, like two-factor authentication.
You can use the Have I Been Pwned website to check whether your email account has been part of a data breach.
There are three independent factors used for authentication:
– Something you know (knowledge): for example, a password or PIN.
– Something you have (possession): for example, a hardware token or a mobile device with a 2FA app installed on it.
– Something you are (inherence): for example, biometric data such as fingerprints.
– Digital safety knowledge –
Two-factor authentication is based on the concept that a user must provide at least two independent pieces of evidence to prove their identity.
If one factor is compromised, the user account remains secure as long as the second factor is not also compromised.
There are three types of 2FA, and you must know their characteristics, strengths, and weaknesses, because not all two-factor authentication methods are considered safe enough to protect financial assets.
2FA Type 1: SMS Notifications
With SMS notifications, the SIM card, something you have (possession), is used as the 2FA method.
Be clear about this: the 2FA factor is the SIM card inside your mobile phone, not the device itself.
When an application, e.g., a crypto exchange, uses a SIM card as a 2FA method, you get a text message with an OTC (One Time Code) or a TOTC (Temporary One Time Code) that verifies that you are a legitimate user.
But SMS notifications are NOT advisable as the only 2FA for financial assets,
because SIM swap scams are used to hijack SIM cards.
To an extent, it is acceptable for an SMS notification to be one of several methods used to verify an action (e.g., a login) or a transaction (e.g., a crypto transfer) as part of MFA (Multi-Factor Authentication).
That way, even in the case of a SIM swap, the account is still protected by something else that only the user should have (possession): a mobile phone with the registered 2FA authenticator app, and access to a registered email address.
Below is an example of an authentication flow that requires SMS, email, and 2FA-app verification codes from the user.
SIM Card Lock - Theft and Phishing Protection?
A SIM card lock provides added security.
The SIM card lock is a PIN that you must enter during phone startup, even if you move the SIM card to a different phone.
This ensures that your SIM card can’t be used on your phone or any other without entering the SIM unlock PIN. Even if your phone is stolen, the thief won’t be able to use the device with a locked SIM card. They won’t be able to place calls, access your mobile data, or send text messages without knowing the SIM card’s PIN.
Unfortunately, activating the SIM card lock will not protect against SIM phishing or SIM swapping.
Scammers collect your personal information from social media and other accounts and use it to deceive your carrier into transferring your number to a SIM card they control.
So a SIM lock will not stop an attacker with good social engineering skills from deceiving a gullible customer support agent and getting your number SIM-swapped.
2FA Type 2: Authentication Apps
Nowadays, most crypto holders use a 2FA app to access their non-custodial wallets and make transactions.
Using a 2FA authenticator app is a VERY GOOD PRACTICE. Many hacks due to poor passwords or data breaches could have been avoided if the victims had used 2FA.
But is it still good practice if the 2FA app is installed on the same mobile phone on which you also receive email and have your crypto wallets installed?
Not to mention having the phone protected by a weak PIN or password, or not having your email client or 2FA app protected by a password or biometrics…
If that phone is lost or stolen, someone can have everything needed to access your crypto wallets.
– Crypto safety good practice –
If you are considering using a 2FA app installed on a mobile device, you must make sure that the device is well protected against intrusions and malicious software.
And choose a safe and proven 2FA provider:
– The app can be protected with a pin or biometric authentication.
– Microsoft security. A large and well-established organization.
– Cloud backups (only advisable for users with broad safety knowledge who follow good practices).
– Search feature, which is useful for users with many accounts
– Not the best option for Android or iPhone users due to account backup limitations.
– It supports most of the applications and services (e.g. crypto exchanges)
– Very easy to set up and use.
– The app can be protected with a pin or biometric authentication.
– You can easily export your accounts to another device, e.g., a backup mobile phone.
– Google security. A large and well-established organization.
– Basic features (but this should not be a concern for most users – Keep It Simple).
– No online backup (which is not advisable anyway, so this is a very minor downside).
– It supports crypto wallets.
– Secure cloud backups.
– Cross-platform (Windows, Mac, Android, and Apple devices).
– The app can be protected with a pin or biometric authentication.
– Not open source
– 100 free authentications per month, with a very small fee for any additional authentication.
– Requires a phone number to set up a new account.
How Hackers Bypass Two-Factor Authentication
While authenticator apps are a very good way to add a layer of protection to your accounts, they are not 100% hacker- or scammer-proof.
The good news is that by knowing the methods used to bypass 2FA, you can avoid these hacks and scam attempts.
Method 1: Bypassing 2FA with Social Engineering
If a hacker has gained access to your system and deemed you to be a valuable target, some social engineering methods can be used to get access to a valid 2FA code.
For example, the hacker may try to send a compelling SMS message asking you to provide a 2FA code. Be aware that scammers are quite imaginative and try to use urgency or fear to compel you to provide the code.
You must know that some hackers and scammers have even tried to bypass 2FA by delivering a package to the victim’s location and asking for the 2FA code as a delivery verification code. The victim thinks that the code is needed to receive the package when in reality the code is used to break into one of the victim’s accounts.
It works as follows:
– One of the attackers delivers the package and asks the victim for a 2FA code for identity verification (or some similar excuse). For example: ‘Mr. X, in a few seconds you will get an SMS message with a code. Please provide the code so we can verify your identity.’
– Once the victim provides the code, the attacker pretends to check it when in reality he or she is texting the code to an accomplice.
– The accomplice is sitting at a computer with the victim’s account (e.g., a bank account) already past the password step (because they already had the username and password) and uses the 2FA SMS code the victim just provided as the final step to unlock the account.
– The attackers may even try to trigger a second 2FA SMS code so they can change the 2FA method (e.g., from SMS to an authenticator app), allowing them to make several transactions while keeping the victim both unaware and locked out.
Method 2: Bypassing 2FA with Open Authorization (OAuth)
OAuth is a framework that gives applications limited access to a user’s data without giving away the password.
Any website that lets you delegate access via OAuth can also be abused by an attacker as part of an OAuth phishing campaign (consent phishing). With consent phishing, the attacker pretends to be a legitimate OAuth app and messages the victim asking them to grant access.
For example, imagine a third-party video editing app that offers a feature to connect with your YouTube account to upload edited videos.
This app uses OAuth for authorization. However, the app’s OAuth implementation has security flaws or misconfigurations.
An attacker identifies these vulnerabilities and creates a malicious version of the video editing app that looks like the legitimate one. Then, the attacker entices users to download the malicious app and authorize access to their YouTube accounts.
Once users authorize the malicious app, it leverages the OAuth vulnerabilities to gain access to users’ YouTube accounts. The attacker can now upload or delete videos, change settings, or even impersonate the user without requiring the user’s 2FA codes.
Method 3: Bypassing 2FA with Brute Force
Bypassing 2FA with brute force is a method where attackers attempt to gain access to an account protected by two-factor authentication (2FA) by systematically trying all possible authentication codes until the correct one is found.
This method involves using automated tools or scripts to guess the codes.
When 2FA is implemented correctly, the authentication server prevents this type of attack by allowing only a small number of incorrect OTP codes per user.
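The server-side countermeasure the previous paragraph describes, written out as an added example (this is not code from the original post or from any authentication service): a per-user counter of consecutive wrong codes, a lockout once the limit is reached, and a constant-time comparison of the submitted code. The class name, the limit of five attempts and the 15-minute lockout are this example's own choices; `expected` is whatever code the server has computed for the user, so the limiter is independent of whether the code came from an app, an SMS, or email.

```python
import hmac
import time
from typing import Dict, Optional, Tuple


class OtpAttemptLimiter:
    """Server-side guard for OTP submissions: a few wrong codes lock the user out for a
    cooling-off period, so an attacker cannot walk through the whole code space."""

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 900) -> None:
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        # user -> (consecutive failures, lockout expiry as a Unix timestamp)
        self._state: Dict[str, Tuple[int, float]] = {}

    def verify(self, user: str, expected: str, submitted: str,
               now: Optional[float] = None) -> str:
        """Return "ok", "rejected" or "locked". `expected` is the code the server computed
        for this user (for example the current TOTP value); `now` is injectable for tests."""
        now = time.time() if now is None else now
        failures, locked_until = self._state.get(user, (0, 0.0))
        if now < locked_until:
            return "locked"            # do not even evaluate the code while locked out
        if hmac.compare_digest(expected, submitted):
            self._state.pop(user, None)  # success resets the counter
            return "ok"
        failures += 1
        if failures >= self.max_failures:
            self._state[user] = (0, now + self.lockout_seconds)
            return "locked"
        self._state[user] = (failures, 0.0)
        return "rejected"

    def guess_success_probability(self, digits: int = 6) -> float:
        """Chance that the guesses allowed before one lockout hit a fixed n-digit code."""
        return self.max_failures / 10 ** digits


if __name__ == "__main__":
    limiter = OtpAttemptLimiter()
    start = 1_700_000_000.0          # constructed timestamp so the run is deterministic
    for i in range(5):
        print(limiter.verify("alice", "123456", f"00000{i}", now=start + i))
    print(limiter.verify("alice", "123456", "123456", now=start + 10))    # still locked
    print(limiter.verify("alice", "123456", "123456", now=start + 905))   # ok
    print(limiter.guess_success_probability())                             # 5e-06
```

With five attempts against a six-digit code the blind-guess success rate is five in a million per lockout window, and because TOTP codes rotate every 30 seconds the attacker cannot even accumulate progress across windows. Without the limiter, a script submitting codes in a loop would exhaust the million possibilities in a matter of hours.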
Method 4: Bypassing 2FA with Backup Codes
Bypassing Two-Factor Authentication (2FA) with Backup Codes refers to a method used by attackers to gain access to an account or system protected by 2FA by exploiting the backup codes provided by the 2FA system.
Safeguard backup codes in a secure and offline location. Do not store them on the same device as your primary 2FA method.
Method 5: Bypassing 2FA with Session Cookie or Man-In-The-Middle
Session cookies are small pieces of data stored on your device when you log in to a website or application. They are used to maintain your authenticated session, allowing you to access your account without repeatedly entering your username and password.
A Man-In-The-Middle (MITM) attack occurs when an attacker intercepts communication between two parties, such as you and a website. The attacker secretly intercepts, relays, or alters the data exchanged between the two parties without their knowledge.
– An attacker may initiate a Man-In-The-Middle attack when a user logs in to a secure website protected by 2FA.
– When you enter your username and password, the legitimate website generates a session cookie after successfully authenticating you.
– In a Man-In-The-Middle scenario, the attacker intercepts this session cookie. They may use various techniques, like eavesdropping on an unsecured Wi-Fi network or through phishing attacks, to obtain the cookie.
– The attacker can then use this intercepted session cookie to access your account without needing your 2FA code or other authentication methods. The website recognizes the session cookie as legitimate and grants access.
How to avoid becoming a victim of MITM attacks:
– Always use websites that employ HTTPS to encrypt data in transit, making it more difficult for attackers to intercept session cookies.
– Avoid using public or unsecured Wi-Fi networks for accessing sensitive accounts. Stick to trusted and secure networks whenever possible.
– Always log out of your accounts when you’re done. Logging out will invalidate the session cookie and require you to enter your credentials and 2FA code again when you return.
– Be cautious about clicking on links and verify that the website’s URL is correct, especially if you’re asked to log in unexpectedly.
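Two of the recommendations above (HTTPS-only cookies and logging out) are things the website has to support on its side. As an added example (not code from the original post or from any real site), here is what that looks like server-side: the session cookie is issued with the `Secure`, `HttpOnly` and `SameSite` attributes, the server stores only a hash of the token, and logging out deletes the server-side record, so a copy of the cookie captured earlier stops working. The `SessionStore` class, the `__Host-session` cookie name and the one-hour lifetime are this example's own choices; the cookie attributes themselves are standard.

```python
import hashlib
import secrets
import time
from typing import Dict, List, Optional, Tuple


def session_cookie_header(token: str, max_age: int = 3600) -> str:
    """Set-Cookie value for a session token. Secure: sent over HTTPS only. HttpOnly: not
    readable by page scripts. SameSite=Strict: not attached to cross-site requests.
    The __Host- prefix makes browsers refuse the cookie unless it is Secure, has Path=/
    and sets no Domain, so it cannot be overridden from a sibling subdomain."""
    return (f"__Host-session={token}; Path=/; Max-Age={max_age}; "
            "Secure; HttpOnly; SameSite=Strict")


def audit_set_cookie(header: str) -> List[str]:
    """Return the protective attributes a Set-Cookie header is missing."""
    attrs = {part.strip().split("=", 1)[0].lower() for part in header.split(";")[1:]}
    return [name for name in ("Secure", "HttpOnly", "SameSite") if name.lower() not in attrs]


class SessionStore:
    """Server-side session table keyed by SHA-256(token): the raw token exists only in
    the user's cookie, so a leaked copy of this table does not yield usable sessions."""

    def __init__(self, ttl_seconds: int = 3600) -> None:
        self.ttl = ttl_seconds
        self._sessions: Dict[str, Tuple[str, float]] = {}   # hash -> (user, expiry)

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user: str, now: Optional[float] = None) -> str:
        """Called after password AND 2FA succeeded; returns the token to put in the cookie."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = (user, now + self.ttl)
        return token

    def user_for(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Resolve a presented cookie to a user, or None if unknown, expired or logged out."""
        now = time.time() if now is None else now
        entry = self._sessions.get(self._key(token))
        if entry is None:
            return None
        user, expiry = entry
        if now >= expiry:
            self._sessions.pop(self._key(token), None)
            return None
        return user

    def logout(self, token: str) -> None:
        """Invalidate server-side, not just in the browser: a cookie captured earlier
        by an eavesdropper no longer maps to a session."""
        self._sessions.pop(self._key(token), None)


if __name__ == "__main__":
    store = SessionStore()
    tok = store.login("alice")
    print(session_cookie_header(tok))
    print(store.user_for(tok))      # alice
    store.logout(tok)
    print(store.user_for(tok))      # None: the captured copy is now useless
```

Clearing the cookie in the browser alone would not help: the token would still be valid on the server, which is exactly what an intercepted copy exploits.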
2FA Type 3: Hardware Tokens
Hardware tokens are also called hardware keys or security keys.
Hardware tokens are perhaps the safest way to keep your cryptocurrency and crypto assets safe.
Not only are they something that you have (possession), but many of them also require your biometrics (something you are – inherence) to access them.
Before purchasing a hardware token, ensure it works with all the applications you want to protect. It is not worth buying a cheaper option if it can only cover part of your crypto accounts.
YubiKeys are the most popular security keys on the market, but if price is a problem for you, there are some other alternatives that you could consider.
– Easy setup process.
– Multiple models.
– Durable construction.
– Biometric (depending on the model).
– Higher price than other hardware tokens.
– Aluminum alloy cover that protects the USB connector while not in use.
– Mobile Bluetooth compatible
– Affordable price
– Works with macOS, Linux, and Chrome
– Only works with websites that support U2F (Universal Second Factor)
– Does not support mail client
Man-in-the-Middle (MitM) Attacks Prevention with Hardware Keys
As explained on the Yubico man-in-the-middle web page, security keys that use FIDO U2F can protect against MitM attacks.
Phishing attacks prompt users to enter their security credentials on a phishing website.
But with security keys, the user’s login is bound to the origin, so authentication fails on a fake site: the key has no credential set up for that origin, and the browser reports the real origin in the signed data.
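Why a relayed or copied login fails with a security key is easiest to see in code. The following is an added example (not code from the original post, from Yubico, or from the FIDO specifications) that models the three parties: the security key, the browser, and the relying party (the real site). It simplifies the cryptography by giving each credential an HMAC key instead of an ECDSA key pair, an assumption made so it runs on the standard library alone; what it models faithfully is the binding: the browser, not the web page, writes the page origin into the signed client data and derives the relying-party ID from it, the key only answers for the ID it was registered with, and the site rejects any assertion whose origin is not its own. All class and function names are this example's own.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class SecurityKey:
    """Simplified model of a FIDO security key (HMAC stands in for the per-credential
    key pair). The key only signs for the relying-party ID it registered with, and the
    signature covers hash(rp_id) || hash(client_data)."""

    def __init__(self) -> None:
        self._creds: Dict[str, Tuple[str, bytes]] = {}   # credential id -> (rp_id, key)

    def register(self, rp_id: str) -> Tuple[str, bytes]:
        cred_id, key = secrets.token_hex(8), secrets.token_bytes(32)
        self._creds[cred_id] = (rp_id, key)
        return cred_id, key   # the relying party stores both (stands in for the public key)

    def sign(self, cred_id: str, rp_id: str, client_data: bytes) -> Optional[bytes]:
        stored_rp, key = self._creds.get(cred_id, (None, b""))
        if stored_rp != rp_id:
            return None       # no credential for this site: the key stays silent
        return hmac.new(key, _sha256(rp_id.encode()) + _sha256(client_data),
                        hashlib.sha256).digest()


def browser_get_assertion(key: SecurityKey, cred_id: str, page_origin: str,
                          challenge: str) -> Tuple[bytes, Optional[bytes]]:
    """The browser fills in the origin itself; the page cannot lie about where it is."""
    rp_id = urlparse(page_origin).hostname
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    return client_data, key.sign(cred_id, rp_id, client_data)


def relying_party_verify(expected_origin: str, cred_key: bytes, challenge: str,
                         client_data: bytes, signature: Optional[bytes]) -> bool:
    """Accept only if: a signature exists, the challenge is ours, the origin is ours,
    and the signature was computed over our RP ID and this client data."""
    if signature is None:
        return False
    data = json.loads(client_data)
    if data.get("challenge") != challenge or data.get("origin") != expected_origin:
        return False
    rp_id = urlparse(expected_origin).hostname
    expected = hmac.new(cred_key, _sha256(rp_id.encode()) + _sha256(client_data),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def login_attempt(page_origin: str, real_origin: str = "https://exchange.example") -> bool:
    """Register a key with the real site, then log in from `page_origin` while a proxy
    forwards whatever the browser produces to the real site (constructed scenario)."""
    key = SecurityKey()
    cred_id, cred_key = key.register(urlparse(real_origin).hostname)
    challenge = secrets.token_urlsafe(16)            # issued by the real site
    client_data, sig = browser_get_assertion(key, cred_id, page_origin, challenge)
    return relying_party_verify(real_origin, cred_key, challenge, client_data, sig)


if __name__ == "__main__":
    print(login_attempt("https://exchange.example"))        # True
    print(login_attempt("https://exchange-example.evil"))   # False: origin mismatch
```

Contrast this with a TOTP code: the six digits carry no information about which site the user typed them into, so a relay site can forward them unchanged. The security key's answer is unusable anywhere except the origin it was produced for.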
Multi-Factor Authentication (MFA)
Multi-factor authentication (MFA) requires the user to provide more than two types of authentication.
For example, a six-digit code sent by SMS, plus a six-digit code sent by email, plus a six-digit code from an authenticator app.
This way, even if the password and one 2FA factor become compromised, a third factor will protect the account from attackers.
Strong and unique passwords for each one of your accounts plus two-factor authentication can be considered strong protection when paired with digital safety and security knowledge and good practices.
But if you think that your knowledge and experience, or your situation, puts you at risk of being targeted by hackers and scammers, you may need to consider applying multi-factor authentication to your digital accounts.
2FA Frequently Asked Questions
The questions from other people are windows to knowledge that maybe we need, but we never consider we missed.
What are biometrics?
Biometrics are physical characteristics that can be used to identify individuals. For example, fingerprint mapping, facial recognition, voice,…
What will happen if my mobile phone is stolen? Will someone be able to use the 2FA app and get access to my crypto?
If access to your phone is only possible by a safe pin or biometrics, your 2FA accounts should be secure.
If access to your phone is only possible by a safe pin or biometrics, and a different secure pin or biometrics protects your 2FA, your 2FA accounts are very safe.
The best practice would be to have access to your phone protected by a safe PIN and the 2FA protected by biometrics.
If your phone is NOT protected by a safe PIN or biometrics OR your 2FA is NOT protected by a safe PIN and biometrics, your 2FA accounts are NOT safe.
What are 2FA app recovery codes?
If the device where your 2FA app is installed gets damaged, stolen, or broken:
– If you have the 2FA recovery codes, you can reinstall the 2FA app to a new device and recover your 2FA accounts.
– If you don’t have 2FA recovery codes, you will temporarily or permanently lose access to the accounts where you have 2FA enabled. The good news is that, because you are most probably using centralized accounts, e.g., a crypto exchange, you can have 2FA disabled once the service has verified your identity.
In any case, once you create a new 2FA account, a recovery code will be provided that you will need to store in a safe place.
– Crypto safety good practice –
Keep your 2FA account recovery codes stored in a safe place.
Or use a second device as a 2FA accounts backup, for example, a spare mobile phone.
Can a crypto account protected by 2FA be hacked?
Yes, 2FA can be hacked.
– If you have a 2FA application on your phone and the phone gets stolen, the thief may gain access to your 2FA if a strong password or biometrics does not protect your phone or the application.
– Also, some malicious applications installed on your device can steal your 2FA data.
– Or, more commonly than people think, phishers who already have your crypto account username and password may trick you into providing the TOTP (Time-based One-Time Password) so they can break into your account. And yes, it happens, and people fall for it…
– And while SMS-based authentication may be the most common type of 2FA nowadays, it is also the most vulnerable. Once a hacker has your username and password, they can initiate a SIM swap attack to take over your SIM and receive the TOTP, which is the final step to getting access to your funds.
Phishers even use psychological techniques to convince people, even intelligent people, to provide the information they need or to perform specific actions that will grant them access to financial accounts.
What can you do to protect your crypto accounts? Increase your digital safety knowledge and follow digital safety good practices.