When Two-Factor Authentication Goes Wrong

How frequently do you use Reddit to check the strangest and most brilliant news on the web?

Reddit has disclosed a data breach that reached systems holding user and employee data, exposing the weaknesses of two-factor authentication (2FA) based on text messages.

Reddit confirmed its systems had been breached despite the use of two-factor authentication, with a spokesperson saying: “We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept.

“Although this was a serious attack, the attacker did not gain write access to Reddit systems; they gained read-only access to some systems that contained backup data, source code and other logs.”

Reddit recommended moving to token-based 2FA, where the one-time code is generated on a device the user holds rather than texted to them, and encouraged its users and other websites to do the same to avoid further breaches of this sort.

While numerous security firms advocate 2FA to protect your systems, SMS delivery of codes needs a hard look before it is kept on as a method for securing log-ins.

But let’s get the facts straight first:

What is two-factor authentication?

Two-factor authentication is a two-step verification process that adds an extra layer of security: logging in requires not only a username and password (something you know) but also proof of something only that user has, such as a one-time code generated by an authenticator app or hardware token, or sent to their mobile phone. A second password, an email address or the answer to a personal question is not a true second factor, because it is still something you know and can be phished or guessed just like the password.

Two-factor authentication, in any form, is much better than a password alone. Of the second factors in common use, however, SMS is the weakest: the code travels over the mobile network, so it can be captured through SIM-swap fraud or carrier-level interception without the attacker ever touching the user’s handset.

Many large companies, including multi-billion pound corporations and banks, still use SMS as a form of 2FA because not every customer has a smartphone.

Unfortunately, there is no real “fix” for SMS authentication, as the weakness is not in the website’s code per se: the message was intercepted in transit, on its way to the phone. The remedy is to move the second factor off that channel altogether, as Reddit has done.