Companies wanting to improve user security have frequently turned to second-factor authentication (2FA). Authentication is commonly viewed as confirming one of 5 factors; second-factor authentication simply means relying on a combination of two of these factors:

  1. A knowledge factor – something the user knows, such as a password, a PIN or some other type of shared secret.
  2. A possession factor – something the user has, such as an ID card, a security token, a smartphone or other mobile device.
  3. An inherence factor – something inherent in the user’s physical self (biometric factor).
  4. A location factor – usually the location from which an authentication attempt is being made.
  5. A time factor – restricts authentication to a specific time window.

2FA has been championed by companies like Amazon, to b̶l̶a̶m̶e̶ ̶u̶s̶e̶r̶s̶ in response to the publicized hacking of Ring cameras, and by Facebook, which requires users to provide their phone number to i̶n̶c̶r̶e̶a̶s̶e̶ ̶t̶h̶e̶ ̶v̶a̶l̶u̶e̶ ̶o̶f̶ ̶t̶h̶e̶ ̶p̶e̶r̶s̶o̶n̶a̶l̶ ̶i̶n̶f̶o̶r̶m̶a̶t̶i̶o̶n̶ ̶t̶h̶e̶y̶ ̶c̶o̶l̶l̶e̶c̶t̶ ensure that accounts represent actual people. Security researcher Guarav Narmani has just published a case study presenting a novel attack and documenting 5 other attacks that successfully bypassed common two-factor authentication schemes.

2FA certainly increases the effort required to compromise an account, but it simultaneously provides a false sense of security. Actual security cannot be obtained with a post-and-response system, because the attacker will inevitably figure out how to insert an exploit into the process. Reliable authentication requires an out-of-band confirmation loop that includes a token digitally signed by all parties in the transaction.
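As an added illustration of the signed confirmation loop described above (example code, not part of the original post): a Go sketch in which the server signs the transaction details, the user's device countersigns only after checking the server's signature, and the server acts only when both signatures verify over the same payload. The token layout, the function names and the choice of Ed25519 are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
)

// Token is the confirmation record carried out of band to the user's device.
// The server signs Payload; the device countersigns Payload || ServerSig.
type Token struct {
	Payload   []byte // canonical transaction description (see NewPayload)
	ServerSig []byte // server signature over Payload
	DeviceSig []byte // device signature over Payload || ServerSig
}

// NewPayload builds the transaction description both parties sign; the random
// nonce keeps a captured confirmation from being replayed for a later request.
func NewPayload(account, action, amount string) ([]byte, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return json.Marshal(map[string]string{"account": account, "action": action,
		"amount": amount, "nonce": hex.EncodeToString(nonce)})
}

// IssueToken is the server step: sign the payload before it leaves the server.
func IssueToken(serverKey ed25519.PrivateKey, payload []byte) Token {
	return Token{Payload: payload, ServerSig: ed25519.Sign(serverKey, payload)}
}

// ConfirmToken is the device step (possession factor). It refuses to countersign
// anything the real server did not sign, then signs payload and server signature together.
func ConfirmToken(deviceKey ed25519.PrivateKey, serverPub ed25519.PublicKey, t Token) (Token, error) {
	if !ed25519.Verify(serverPub, t.Payload, t.ServerSig) {
		return t, errors.New("server signature invalid; refusing to confirm")
	}
	t.DeviceSig = ed25519.Sign(deviceKey, append(append([]byte{}, t.Payload...), t.ServerSig...))
	return t, nil
}

// VerifyToken is the server's final check before acting: both signatures must
// verify against this exact payload, so an altered or relayed token fails.
func VerifyToken(serverPub, devicePub ed25519.PublicKey, t Token) bool {
	return ed25519.Verify(serverPub, t.Payload, t.ServerSig) &&
		ed25519.Verify(devicePub, append(append([]byte{}, t.Payload...), t.ServerSig...), t.DeviceSig)
}
```

A relayed token whose payload was altered after the user saw it, or one countersigned by a device other than the enrolled one, fails VerifyToken even though the server's own signature is still valid.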