Can 2FA prevent breaches? Lessons learned from the SFO airport watering hole attack


In March 2020, two websites serving customers of San Francisco International Airport were hacked. The websites used first-factor authentication only and the cybercriminals had inserted code that allowed usernames and passwords to be stolen.

Passwords are flimsy. A quick phish or hack of an insecure database and your password is gone, stolen by a fraudster to use at will. And then there are the big enterprise breaches. If you have ever had a sextortion email, it will often be accompanied by a recognizable password you may once have used. If you go to the HaveIBeenPwned password checker, you can find out just how many of your passwords have been stolen.

To combat the less-than-secure nature of the humble password, the security industry invented the notion of two-factor authentication: add in a second credential on top of a password, and bingo, you have a second lock. Therefore, it is harder to open the door.

But is this true? Does two-factor authentication (2FA) prevent breaches?

Two-factor authentication: What is it good for?

The answer to the question, “does two-factor authentication prevent breaches,” is not a simple yes or no. It is an “It depends” kind of answer that often brings in implementation considerations.

One of the things that affect the success rate of 2FA in preventing breaches is the type of second factor used.

There are several commonly-used second-factor methods. These include:

  • SMS text codes
  • Time-Based One-Time Password (TOTP) (e.g., mobile authenticator app code)
  • Biometric (e.g., fingerprint on a mobile device)
  • FIDO security key (based on the FIDO standards)
  • Passphrase (using three varying characters)
  • Email code

Each has its own set of positives and negatives when it comes to preventing breaches. Some of the most popular second-factor credentials have become vulnerable because cybercriminals have focused on their (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Susan Morrow. Read the original post at: