
Two-factor authentication: when the best password isn’t enough

Verifying your log-in credentials via text message might seem safe, but SIM-hijacking hackers beg to differ. Here’s what you can do to protect yourself.


[Image caption: Verizon’s 2017 Data Breach Investigation Report found 81 per cent of hacking-related breaches leveraged either stolen and/or weak passwords (Shutterstock/GaudiLab)]

It isn’t until somebody breaks into your house that you’re suddenly aware of home security. And if you’ve never had your log-in credentials stolen, you might not be focused on password security.

But stolen passwords are the most common avenue of attack for hackers. Verizon’s 2017 Data Breach Investigation Report found 81 per cent of hacking-related breaches leveraged either stolen and/or weak passwords. And even the strongest password cannot protect an account on its own once it has been stolen, which is why many have embraced two-factor authentication (2FA) as a second line of defense.


One common way people verify their identities is through a text message, known as SMS verification. Many websites text you a temporary access code, which you then enter to access your account. But hackers have learned to hijack SMS verification. The attacker calls the victim’s cell phone carrier and reports the phone as lost or damaged. If the attacker can correctly answer a few security questions, the old SIM card is cancelled and the number is ported to a SIM the attacker controls.

“We are hearing more and more about this popping up,” said Dave Lewis, Global Advisory CISO at Duo Security. “It’s a technique called SIM swapping—it will actually send the text message back to the attacker’s phone, and by virtue of that, they could gain access to your accounts.”

Duo Mobile is among a number of popular authenticator apps, along with Google Authenticator and Authy. Authenticator apps use an algorithm to generate one-time passwords on the phone itself, rather than relying on a code delivered by SMS for two-factor authentication.


From your social media account to online banking, 2FA adds a second method of identity verification by requiring not just a password, but a second factor. The idea is to combine something you know (such as your password) with something you have (such as a code sent to your phone via SMS or generated by an app) or something you are (such as your fingerprint or your voice).

Supported websites allow apps like Duo Mobile to generate a one-time token that you enter on the website’s login page along with your credentials. Because your password is combined with one of these secondary factors, an attacker who has your password still can’t access your account.

“Humans being humans, we have a tendency to reuse passwords,” Lewis said. “Not everybody has 800 different passwords.”

He points out that attackers will take usernames and passwords from compromised websites and run them against other sites, looking to see what they can gain access to. 

“If I get your username and password from some video game site, for example, and then take that and run it against your Amazon account or your financial institution, there’s a real possibility for some serious financial damage.

“Using something like 2FA would help obviate the risk in that case. The password would only be part of the puzzle—without the second factor, the attacker can’t really gain access to what they were hoping for.”


Fraud was a hot topic in 2018; from phone scams to spear phishing, scammers are getting more sophisticated. And cyber attacks can be particularly costly—learn to protect yourself and which resources are available to you before you have to pay up. You can also read more about how to protect your smartphone.