Many people are becoming aware of the enhanced security measures taken by banks, internet providers, email services and other institutions. Commonly known as “two-factor authentication” or 2FA, it gives the user a choice of receiving a one-time PIN or password by text message, or from an app loaded on the phone, known as an authenticator. Another, less common format is a security token that the user keeps with them; the token generates a new PIN on a schedule, usually every minute.
Having your email hacked or your bank account drained is daunting for anyone, but for those of us who travel, having it happen while you are in a foreign country or on an airplane with no internet access poses a further problem and can easily ruin a trip.
If I have 2FA enabled, I’m safe, right?
In short, no, or maybe. The answer is a bit complicated, because it depends on HOW you have enabled 2FA. If you receive your code by text message or SMS, you are vulnerable. Why? Read on…
Why is 2FA via text messaging or SMS not secure?
To fully understand why, we have to look a little deeper at how cellular networks work. Specifically, we have to understand how cellular networks are connected to one another and why they need to be. Because carriers pass information such as text messages, billing information, roaming information and other data between their networks, an interconnection called SS7 exists. This network has been vulnerable to hacks and outside access for a long time. Without getting very technical, once someone has access to the SS7 network, your movements, calls and texts are easily accessible. Text messages are not encrypted as they cross SS7, so an attacker who has that access can read them, and that includes any message carrying PIN numbers from your bank, internet provider, email service, etc. For more information and an example, watch the video below.
So what can I do to protect myself?
Fortunately, you can use an alternative form of 2FA instead of text / SMS services. The Two Factor Authorization website lists many different services that offer 2FA and the ways each of them supports it. It is important to switch to a hardware or software token, since, as we have already learned, phone calls and text messages are easily intercepted.
What is a hardware or software token?
Generally, hardware and software tokens are devices that generate a unique PIN every 60 seconds, or at least at fixed intervals. A hardware token is usually small, similar in size to a USB drive or a credit card, and is something you carry with you. A software token is an app you download to your phone; the app displays the unique PIN.
- Google Authenticator is a software token. It is available for Android and iOS and you can learn more on ZDNet.
- Authy is another software token. There is more information on ZDNet.
- Hardware tokens are made by different manufacturers. RSA is a major player in the hardware token arena. Identity Automation also sells hardware tokens.
What is the future of 2FA?
The best form of 2FA would be automatic and require no action from the user. Already, some authenticator apps let you press a single button to approve access to the site you want to reach. However, the next step would be authentication that happens automatically based on your surroundings. According to the Multi-Factor Authentication Wikipedia page:
“Advances in research of two-factor authentication for mobile devices consider different methods in which a second factor can be implemented while not posing a hindrance to the user. With the continued use and improvements in the accuracy of mobile hardware such as GPS, microphone, and gyro/accelerometer, the ability to use them as a second factor of authentication is becoming more trustworthy. For example, by recording the ambient noise of the user’s location from a mobile device and comparing it with the recording of the ambient noise from the computer in the same room on which the user is trying to authenticate, one is able to have an effective second factor of authentication. This also reduces the amount of time and effort needed to complete the process.”
Do yourself a favor and update your 2FA methods before your next trip. Safe travels.