For years, two-factor authentication has been the most important advice in personal cybersecurity — one that consumer tech companies were surprisingly slow to recognize. The movement seemed to coalesce in 2012, after journalist Mat Honan saw hackers compromise his Twitter, Amazon, and iCloud accounts, an incident he later detailed in Wired. At the time, few companies offered easy forms of two-factor, leaving limited options for users worried about a Honan-style hack. The result was a massive public campaign that demanded companies to adopt the feature, presenting two-factor as a simple, effective way to block account takeovers.
Five years later, the advice is starting to wear thin. Nearly all major web services now provide some form of two-factor authentication, but they vary greatly in how well they protect accounts. Dedicated hackers have little problem bypassing through the weaker implementations, either by intercepting codes or exploiting account-recovery systems. We talk about two-factor like aspirin — a uniform, all-purpose fix that’s straightforward to apply — but the reality is far more complex. The general framework still offers meaningful protection, but it’s time to be honest about its limits. In 2017, just having two-factor is no longer enough.
For much of the last five years, the center of the campaign for two-factor has been twofactorauth.org, a site run by Carl Rosengren that’s dedicated to naming and shaming any product that doesn’t offer two-factor. At a glance, it can tell you which sites offer more than just a password login, and offers you an easy way to tweet at companies that don’t. Today, the site sends out hundreds of thousands of shaming tweets a day.
The campaign seems to have worked; nearly every company now offers some form of two-factor. Netflix is the biggest holdout — “I feel like I should buy a cake or something when that happens,” Rosengren says. Late adopters like Amazon and BitBucket have caved to demands, and every single VPN or cryptocurrency product listed by the site offers two-factor. The only email services without it are obscure players like Migadu and Mail.com. There are still a few problem sectors like airlines and banks, but most services have gotten the message: consumers want two-factor. If you don’t offer it, they’ll find a service that does.
But victory has been messier than anyone expected. There are dozens of different varieties of two-factor now, expanding far beyond the site’s ability to catalog them. Some send verification codes over SMS text, while others use email or more hardened verification apps like Duo and Google Auth. For $18, you can get a special USB drive to serve as your second factor, supported by most major services. It’s one of the most secure options available, as long as you don’t lose it. Beyond hardware, services can deposit long strings of code that provide an effectively invisible second factor — provided no one intercepts it in transit. Some of these methods are easier to hack than others, but even sophisticated users often can’t tell you which is better. For a while, TwoFactorAuth tried to keep up with which services were better or worse. Eventually, there were just too many.
“If it’s hard for us to evaluate the hundreds of two-factor services,” Rosengren says, “I can’t begin to imagine how hard it would be for a consumer.”
The promise of two-factor began to unravel early on. By 2014, criminals targeting Bitcoin services were finding ways around the extra security, either by intercepting software tokens or more elaborate account-recovery schemes. In some cases, attackers went after phone carrier accounts directly, setting up last-minute call-forwarding arrangements to intercept codes in transit. Drawn by the possibility of thousand-dollar payouts, criminals were willing to go further than the average hacker. The attacks continue to be a real issue for Bitcoin users: just last month, entrepreneur Cody Brown lost $8,000 through a Verizon customer support hack.
Outside of Bitcoin, it’s become clear that most two-factor systems don’t stand up against sophisticated users. Documents published this month by The Intercept show Russian groups targeting US election officials had a ready-made plan for accounts with two-factor, harvesting confirmation codes using the same methods they used to grab passwords. In another case reported by Cryptocat founder Nadim Kobeissi, a maliciously registered device let attackers break through a target’s two-factor protection even after the system had been reset.
In most cases, the problem isn’t two-factor itself, but everything around it. If you can break through anything next to that two-factor login — whether it’s the account-recovery process, trusted devices, or the underlying carrier account — then you’re home free.
Two-factor’s trickiest weak point? Wireless carriers. If you can compromise the AT&T, Verizon, or T-Mobile account that supports a person’s phone number, you can usually hijack any call or text that’s sent to them. For mobile apps like Signal, which are tied entirely to a given phone number, it can be enough to hijack the entire account. At the same time, carriers have been among the slowest to adopt two-factor, with most preferring easily bypassed PINs or even flimsier security questions. With two networks controlling the bulk of the market, there’s been little incentive to compete on security.
At the same time, it’s proven difficult to kill off particular types of two-factor even after they’re shown to be insecure. The National Institute of Standards and Technology quietly withdrew support for SMS-based two-factor in August, pointing to the risk of interception or spoofing, but tech companies have been slow to respond. If anything, services are relying more on SMS as Twitter and PayPal look to tie accounts more closely to phone numbers. It’s less secure, but easier to use. As long as it’s two-factor, few account holders know the difference.
“We’ve seen a check-box approach,” says Marc Boroditsky, who builds two-factor systems for third-party companies at Twilio, “saying ‘now we have two-factor authentication so we’re okay. Move on.’”
The rush to check that box has led to usability problems as well as security problems. Boroditsky points to Apple’s iCloud system, which came under fire after easily guessed account-recovery questions enabled the mass theft of nude photos in 2014. Meanwhile, under a recent Apple policy, losing your Recovery Key and forgetting your password was enough to permanently lock a user out of their AppleID account, something that caused real problems for some users.
In some ways, the two problems feed into each other, with publicized hacks inspiring tighter and harder-to-use policies that drive more users back to standard logins, thus inspiring more hacks. “Look at how complicated and messy it is for, say, Apple,” Boroditsky says. “If they don’t take a much more comprehensive approach, they end up becoming responsible for downstream consequences.” (Apple did not respond to a request for comment.)
Google is one of the few services that lets you actively disallow weaker tokens like SMS, although it’s only available for G Suite enterprise customers. Under that system, an admin can set the two-factor policy for their whole organization, banning insecure tokens or forcing all the users on a given domain to use a specific login method. But that only works when there’s an administrator to set policies and talk users through any resulting problems. It’s not clear how you make a policy like that work for the billion people using standard Gmail — and so far, Google hasn’t been eager to try it out.
“One of the truths we’ve found is that people won’t accept more security than they think they need,” says Mark Risher, who manages Google’s identity systems, including two-factor products. “As a large-scale consumer internet provider, we want to find that right balance.”
None of this means two-factor is pointless, but it isn’t the silver bullet that it seemed to be in 2012. Adding an authentication code hardens the login page, but smart attackers will just find another angle of approach, whether it’s a carrier account, a preregistered device, or just a customer service department that’s a little too eager to reset the password. Those weak points are the real measure of how secure an account is, but they’re impossible to spot from the outside. The result is that, if you’re looking for the chat app that’s hardest to hijack, it’s hard for even sophisticated users to know what to look for.
As the industry moves beyond two-factor, security is only getting harder to size up. The new focus is on threat detection, drawing on dozens of ambient signals like device fingerprinting and on-page behavior to determine whether a given login warrants extra scrutiny. A suspicious enough string of logins might trigger an account freeze or require a phone call to customer service before the subject can proceed. “The problem is that one-size-fits-all doesn’t work,” says Boroditsky. “So going to a detection-vs.-prevention model is more likely to succeed in the long run.” It’s a good way to catch criminals, particularly for companies like Facebook and Google with world-class machine learning divisions and oceans of data for training algorithms, but it’s nearly impossible to judge from the outside.
The result pushes users back to an old status quo, before the iPhone or even the internet: enterprise admins are outgunning consumer offerings again, and security is something to be entrusted to experts in a lab somewhere. It’s not bad news, necessarily: threat detection makes accounts safer, just like two-factor. But unlike two-factor, there’s no way for users to tell if the system is working or if there’s a stronger system to push for.
That shift leaves users in a difficult place. “Get two-factor” is still good advice, but it’s not enough. Worse, it’s not clear how to fill the gap. What do you tell someone who’s worried about seeing the contents of their inbox published on WikiLeaks? There’s no simple fix for such a threat, no one step that will keep you protected. The surprising thing is that, for a few years, it seemed like there was.