Digital Fraud Wiki

Your source for the latest fraud intelligence, insights, research, and commentary.

Two-Factor Authentication (2FA)


What is Two-Factor Authentication (2FA)?

Two-factor authentication (2FA) is a tool that organizations use to secure online accounts; it adds a layer of security on top of a username and password. Many organizations implement 2FA to prevent account takeover (ATO) and credential stuffing. However, fraudsters are finding ways to bypass 2FA security measures, and many users choose not to enable 2FA because it has a negative impact on user experience (UX).

2FA is a type of multi-factor authentication (MFA), a security approach that validates a user's identity by requesting two or more forms of identification. Common forms of identification include something the user knows (passwords and PINs), something the user possesses (smartphones and payment cards), and something the user is (biometric information such as fingerprints and voice).

When 2FA is enabled on an online account, the user must complete a second step to validate their identity when they log in. That second step could be a one-time code sent by text message, a code generated by an authenticator app, or a physical security key that must be plugged into the device being used to log in.

What Should Companies Know About 2FA?

While 2FA is not a perfect system, it is significantly more secure than a password alone. However, many users dislike 2FA, and some do not bother enabling 2FA at all. A SecureAuth Corporation 2FA survey found that 74% of organizations that use 2FA receive complaints from users about it, and almost 10% of users say they “hate” 2FA. An additional concern is that if a user loses their phone, they will not be able to complete the 2FA process and will lose access to their accounts. Some websites and applications will not allow users to reset account passwords by email if they do not have access to their second factor of identification. If that second factor is the lost phone, it is then impossible to regain access to the account through password reset emails. Some websites and applications provide users a set of backup codes in case they lose their second factor of identification. However, if a user loses both their second factor and the backup codes, they will likely lose access to their account permanently.

Another issue with 2FA is that, as mobile technologies become more vulnerable, 2FA as a security measure is increasingly less effective. For example, hackers have found ways to intercept SMS OTP codes and redirect texts to another device. If a bad actor hacks into or steals a user’s phone, they can impersonate the user and take over their accounts. Fraudsters are progressively targeting mobile phones, the device most users set as their 2FA mechanism. According to a Javelin Strategy & Research study, mobile phone account takeovers rose from 380K in 2017 to 679K in 2018.

2FA should not be treated as a definitive solution for protecting user accounts. Both organizations and their customers must adhere to safer data practices to protect accounts from hackers. Organizations must also start moving towards data-driven, frictionless identity validation and fraud prevention solutions. 

A zero-factor authentication (ZFA) approach holds promise for the future. With ZFA, user identification and validation are achieved through machine and human intelligence. Given that current authentication methods expose too many loopholes, including third-party apps, tokens, and APIs that can be leveraged by attackers, ZFA may prove to be a viable approach for addressing the UX limitations of 2FA.

Protect Online Accounts with DataVisor

In an era in which massive data breaches are an everyday occurrence, and personal and financial details are bought and sold on the dark web for next to nothing, authentication strategies that depend on personal details cannot hope to be effective. The problems are compounded by scale—fraudsters now leverage bot armies to do their malicious bidding, and bot-powered account takeovers (ATOs) are costing industries millions every year. Once a fraudster gets through the authentication stage, the damage they can do is almost unlimited. The solution is to stop them before they ever get to the authentication stage. This is made possible through the integration of big data infrastructure, global intelligence, and advanced fraud algorithms, all of which combine to enable holistic data analysis and nuanced contextual detection capabilities. With a product like DataVisor’s dCube, organizations can see suspicious activity brewing before any attacks are launched, by correlating patterns and surfacing coordinated actions early in the attack timeline. In this way, potential attacks are defused, and accounts are protected. 

Additional References

Blog Post: The Worrisome Rise of Credential Stuffing

Source: Global survey reveals low adoption of multi-factor authentication for Office 365, VentureBeat

Source: 2019 Identity Fraud Study: Fraudsters Seek New Targets and Victims Bear the Brunt, Javelin Strategy & Research

Source: IT Decision Makers Reveal Two-Factor Authentication Dislike and Rise in Adaptive Authentication Adoption, Says SecureAuth Survey, Yahoo Finance

Source: The journey towards zero factor authentication, The Paypers
