Two-factor authentication was back in the news on Thursday, with Facebook announcing its support of physical security keys for 2FA on mobile devices via a company blog post.
The post from Facebook offered a good reminder that, while 2FA is generally thought to make it harder for people to break into your accounts, it’s not as hard as you might think. This is why the world’s biggest social network decided to announce this new step: “Since 2017, we’ve encouraged people that are at high risk of being targeted by malicious hackers: politicians, public figures, journalists and human rights defenders. We strongly recommend that everyone considers using physical security keys to increase the security of their accounts, no matter what device they use.”
But in case that’s not enough to convince you that a hacker truly committed to defeating your 2FA can do so, a scary report from Vice — along with an anonymous author writing on Medium — should make this absolutely clear.
Don’t get us wrong: You should absolutely turn on 2FA for any accounts you have where this option is not currently selected. When this security setting is enabled, any future login attempt on that account from a new device triggers a text message to your phone. You would need to type in the code included in that text message for the login to succeed, which you obviously wouldn’t do if you suspected someone was trying to get into your account.
However, it’s the fact that the messages come in the form of an SMS text that’s problematic. “I didn’t expect it to be that quick,” the Vice writer notes, about how a hacker was able to intercept those SMS messages and reroute them because the 2FA relied on text messages. “While I was on a Google Hangouts call with a colleague, the hacker sent me screenshots of my Bumble and Postmates accounts, which he had broken into. Then he showed he had received texts that were meant for me that he had intercepted. Later he took over my WhatsApp account, too, and texted a friend pretending to be me.”
It’s taken a while to get most people familiar with and using 2FA to secure their accounts, although too many still don’t. I feel like more people than ever are at least aware of how important this option is, but now we’ve got to recognize that 2FA that relies on a physical key is the only way to go here, in terms of truly securing your data. The reason is that, as the Vice report shows, it’s easier to intercept text messages than it is for a hacker to get their hands on your actual mobile device and bypass any security you have on it, like a passcode.
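To make the contrast in the two paragraphs above concrete, here is a small added model (not code from the article, Facebook or Vice) of the two login flows. An SMS code is a secret the server hands to the phone network, so whoever ends up receiving the text can type it in; a security key instead answers a fresh random challenge with a response only the enrolled device can compute, so an observed response is useless for a later login. The “security key” here is simplified to a per-device HMAC secret that never leaves the device, which is an assumption standing in for the public-key signature a real FIDO2/WebAuthn key produces; the user name and phone number are constructed sample values.

```python
"""Added educational model: SMS one-time code versus challenge-response with an
enrolled device. The device secret is a simplification standing in for a real
security key's private key; the server would normally store only a public key."""
import hashlib
import hmac
import secrets


class SmsLogin:
    """Server that texts a 6-digit code and accepts it from whoever presents it."""

    def __init__(self):
        self.pending = {}   # user -> code awaiting entry
        self.outbox = []    # (phone, code) messages handed to the carrier

    def start(self, user, phone):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = code
        self.outbox.append((phone, code))  # the carrier decides where this lands

    def finish(self, user, code):
        expected = self.pending.pop(user, None)
        return expected is not None and hmac.compare_digest(expected, code)


class SecurityKey:
    """Enrolled device: the secret never leaves it, it only answers challenges."""

    def __init__(self):
        self.secret = secrets.token_bytes(32)  # stand-in for a private key

    def respond(self, challenge):
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()


class KeyLogin:
    """Server that issues a fresh random challenge per attempt and checks the response."""

    def __init__(self):
        self.devices = {}   # user -> enrolled device secret (stand-in for a public key)
        self.pending = {}   # user -> outstanding challenge

    def enroll(self, user, key):
        self.devices[user] = key.secret

    def start(self, user):
        challenge = secrets.token_bytes(32)
        self.pending[user] = challenge
        return challenge  # sent to the client; nothing secret travels here

    def finish(self, user, response):
        challenge = self.pending.pop(user, None)
        if challenge is None or user not in self.devices:
            return False
        expected = hmac.new(self.devices[user], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def sms_interception_demo():
    """Returns True when an attacker who receives the rerouted text completes the login."""
    server = SmsLogin()
    server.start("alice", "+1-555-0100")      # constructed user and phone number
    _phone, code = server.outbox.pop()        # text rerouted: the attacker reads it
    return server.finish("alice", code)       # attacker never needed Alice's phone


def legitimate_key_login():
    """Returns True: the enrolled key answers the server's fresh challenge."""
    server, key = KeyLogin(), SecurityKey()
    server.enroll("alice", key)
    challenge = server.start("alice")
    return server.finish("alice", key.respond(challenge))


def key_replay_demo():
    """Returns False: a captured response does not satisfy a later, fresh challenge."""
    server, key = KeyLogin(), SecurityKey()
    server.enroll("alice", key)
    old_challenge = server.start("alice")
    captured = key.respond(old_challenge)     # attacker observes one valid response
    server.finish("alice", captured)          # Alice's own login consumes it
    server.start("alice")                     # attacker's attempt gets a new challenge
    return server.finish("alice", captured)   # replaying the old response fails


if __name__ == "__main__":
    print("SMS code usable by interceptor:", sms_interception_demo())
    print("Key answers fresh challenge:   ", legitimate_key_login())
    print("Captured key response replays: ", key_replay_demo())
```

The point the model makes is about where the secret travels: in the SMS flow the code itself is the proof and it rides the phone network, so rerouting the text is enough; in the key flow the server only ever sends a random challenge, and the proof is computed on a device the attacker does not hold.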