Two-Factor Authentication—Not Broken Yet, But the Bad Guys Are Doing Their Worst


By: Barry Miller

If a cybersecurity gold standard exists, it is two-factor authentication (“2FA”).
Or it was.
As the name implies, 2FA is a two-level approach. Level one usually is a password. The second level is typically a random digital code (a “token”) created by or transmitted to a separate device. After entering their password, users then have to supply the token. Because the second factor changes with every use, the assumption was that the only way to break 2FA would be to hack both levels—password and token.
Shortly before Christmas, ZDNet reported that a group sponsored by the Chinese government managed to bypass 2FA in a “wave of attacks.” Government entities and providers in the aviation, healthcare, finance, insurance, and energy sectors were the main targets. Their method bypassed 2FA not by intercepting the token sent to the user, but by creating another valid token.
This followed a November report from gPost that a white-hat hacker showed how Gmail’s 2FA could be vulnerable, and another December story that hackers were using an Android app advertised as a battery utility to bypass 2FA and steal money from PayPal accounts.
All of this prompted Threatpost to ask several security experts whether 2FA is broken. The consensus was that, while 2FA is not perfect, using it still is better than not using it. “Any sort of 2FA is still leaps and bounds better than no 2FA at all,” Jason Kichen told Threatpost. Because so many entities still do not require 2FA, using it “means you’re a harder target than the user next to you.”
A second consensus among the Threatpost experts is that even the best 2FA system will not compensate for failing to set and follow policies, and failing to train users.
Freeman Mathis & Gary’s Data Privacy and Security Practice Group is here to help clients with policies and training. If you have any questions or would like more information, please contact Barry Miller at