For more than a decade, 2FA was relied upon as the best line of defense against account hijacking by password theft, brute force, phishing, or any other way of fraudulently getting hold of login information.
Although experts have long warned that 2FA could be breached, most people believed it would never happen. And for the most part it didn’t, largely because most accounts had not yet adopted 2FA.
These days most accounts have 2FA in place, which has given attackers an incentive to develop strategies and tooling for circumventing it.
Furthermore, the switch to SaaS applications and cloud-based work models that rely on single sign-on has made user identity a more attractive target, because compromising one identity now yields far more.
Most people use 2FA and MFA (multi-factor authentication) interchangeably. However, MFA refers to any system that uses more than one authentication factor, and therefore covers both 2FA and 3FA.
2FA is the minimal form of MFA: an existing username/password system plus one extra factor, such as an SMS-based token, a push approval in an authenticator app, or a one-time password (OTP).
Passwords offer a reasonable level of security as long as they are not revealed. Adding a second factor does not necessarily strengthen account protection; it only delays the time it takes for a breach to happen.
With specialized attacks such as SQL injection, brute force, and phishing, attackers can easily get hold of a password. Similarly, an attacker who obtains an OTP can authenticate with it. The difference is the validity window: a password stays valid for months, while an OTP is invalidated after seconds. By acting within the right time window, attackers can even get an app push approval validated.
For a long time, these factors offered good protection against attackers. However, with improvements in attack tooling, attackers are now easily able to bypass 2FA-protected accounts.
MFA fatigue and Adversary in the Middle (AiTM) are the two most common ways 2FA is bypassed.
MFA fatigue refers to constantly bombarding a user’s MFA app with push notifications. Users who take the flood of prompts for a glitch eventually give in and approve the sign-in.
AiTM involves placing a proxy between the communication channels (usually between client and server) to capture sensitive data.
All of this goes to show that the effectiveness of current 2FA is diminishing. That would put users back at square one, with only usernames and passwords protecting them from data breaches.
Solution: Enter 3FA
The only solution to the diminishing efficacy of 2FA is broader MFA, namely 3FA. However, when adopting a new authentication factor, it must be made sure that the factor is immune to forged authentications by attackers. Users can ensure this by introducing device-specific authentication or hardware tokens.
Hardware tokens compatible with the FIDO2 protocols enable authentication that is bound to a specific server and host, making its reuse impossible. Organizations can also implement FIDO2 directly on the user’s system, without the need for dedicated hardware. This makes it virtually impossible for an attacker to create a session from a foreign device.
It is now evident that 3FA is the only way for organizations to protect themselves from attackers, which marks the end of 2FA.
However, organizations are only starting to recognize and implement 3FA, so it is still at a nascent stage, and many organizations are under-prepared for it. Hopefully, as more organizations adopt 3FA, service providers will supply the resources required for it to work smoothly.