Two-factor authentication may keep you safe from malicious cybercriminals, but a new study suggests that it can't keep you safe from yourself. A new research paper demonstrates that, as ever, human folly is much harder to patch than computer software. Even if a user has two-factor authentication activated on his or her email account, bypassing it is often as simple as just asking the user to forward the texted temporary code.
Three security researchers — Hossein Siadati, Toan Nguyen and Nasir Memon — at the New York University Polytechnic School of Engineering published a research paper entitled Verification Code Forwarding Attack on the subject. The concept was head-smackingly simple: If technological sleights of hand don't work, try social-engineering attacks instead.
For those who have never used two-factor authentication, it's a pretty simple process. You link a phone number to your email, social media or other online account. Whenever you try to log in, you receive a code via text message, which you then add to your username and password. Devices that you log in from regularly can be "remembered" by the account so that you don't have to use two-factor every time.
By requiring both a password and an SMS code, an attacker should be unable to access your information, unless he or she has also stolen your phone. (This is possible, and can actually render two-factor authentication disastrous instead of protective.)
The system cracks, however, when victims give away their SMS codes. Memon and his students recruited 20 subjects for an experiment, and then tried to reset the passwords on the subjects' Gmail accounts. Each of the subjects had two-factor authentication activated, which should have rendered Memon's efforts futile. However, the three researchers then texted the subjects, informing them that they needed to forward their SMS codes in order to access their accounts. Five of the 20 fell for it.
Even though two-factor authentication has never required forwarding codes via text message, and even though the forwarding request came from a different number than the number that sent the SMS code, one-quarter of respondents still gave away the information.
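The flow described above, as an added Python model that is not from the paper or the article: the service name, phone number and messages are constructed, and the reset service is a hypothetical one with single-use, short-lived codes whose SMS text states that the code must never be forwarded. It shows that the technical control holds (an expired or reused code fails) and that the only thing deciding the outcome is whether the victim forwards the code.

```python
import hmac
import secrets
import time

SERVICE = "ExampleMail"  # constructed service name for this example


class OtpResetService:
    """SMS-code step of a password reset: random, single-use, short-lived codes
    tied to one reset request. The control is sound; forwarding defeats it anyway."""

    def __init__(self, ttl_seconds=300, now=time.time):
        self.ttl, self.now = ttl_seconds, now
        self.pending = {}  # reset_id -> (phone, code, expires_at)

    def start_reset(self, phone, send_sms):
        reset_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[reset_id] = (phone, code, self.now() + self.ttl)
        # The text states its purpose and that the code is never to be forwarded.
        send_sms(phone, f"{SERVICE}: {code} is your password reset code. "
                        f"Never share or forward it; {SERVICE} will never ask you to.")
        return reset_id

    def finish_reset(self, reset_id, code):
        entry = self.pending.pop(reset_id, None)  # single use: gone after one attempt
        if entry is None:
            return False
        _phone, expected, expires_at = entry
        if self.now() > expires_at:
            return False
        return hmac.compare_digest(expected, code)


def vcfa_scenario(forward_delay_s=30.0):
    """Attacker starts a reset for the victim, then texts from an unrelated number
    asking for the code; the victim forwards it after forward_delay_s seconds.
    Returns (service, reset_id, victim_inbox, attacker_succeeded)."""
    clock = [1_000_000.0]  # fake clock so expiry is deterministic
    svc = OtpResetService(ttl_seconds=300, now=lambda: clock[0])
    inbox = []  # the victim's phone, constructed; "+15550000001" is a made-up number
    reset_id = svc.start_reset("+15550000001", lambda _to, text: inbox.append(text))
    inbox.append("Forward the verification code you just received to this number.")
    clock[0] += forward_delay_s
    forwarded = inbox[0].split()[1]  # victim copies the six digits out of the real SMS
    return svc, reset_id, inbox, svc.finish_reset(reset_id, forwarded)
```

Running `vcfa_scenario(30)` succeeds for the attacker because the victim forwarded a valid code; `vcfa_scenario(600)` fails only because the five-minute lifetime expired, which is why a short code lifetime narrows the window but does not remove the risk.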
Granted, it's probably best to take the study with a grain of salt, since 20 people may not be representative of the overall population. But it's still disheartening to see a smart security measure foiled by such rudimentary tactics.
For the moment, using two-factor authentication is still much smarter than not using it. Just remember not to share your SMS codes with anyone — even people claiming to be representatives of the service you're trying to use.