Our previous article goes over 2FA/MFA and how it drastically cuts down the threat of automated authentication attacks. Despite the benefits, the adoption of 2FA is limited. The process of enabling and using 2FA creates extra steps for the user, which can be enough of a hassle to deter its use. Also, the most common forms of 2FA contain vulnerabilities that can be exploited by bad actors. Transparent 2FA aims to be an alternative to traditional 2FA that has answers to the issues mentioned.
Reluctance to Adopt 2FA
It has not become the norm to make 2FA mandatory. Many services do not provide this option, and only a minority of the services that offer 2FA have made it mandatory. This is likely due to the fear that mandatory 2FA will deter some users from registering for the service. In some cases, such as 2FA by SMS, it may require the user to possess a mobile phone or other device which they may not have. Some users may even opt to disable 2FA because the extra steps every time they want to log in to a service become irritating. Security is compromised in order to increase accessibility.
Common forms of 2FA, such as by email or SMS, are known to be vulnerable. Email accounts with weak security practices are susceptible to automated authentication attacks and data breach exposures. The existence and abuse of SIM swapping allows messages going to your cellular device to be intercepted. These risks allow bad actors to potentially bypass 2FA. Even worse are services that allow you to reset your password through email or SMS, which means that only one factor needs to be bypassed rather than two or more.
Benefits of Transparent 2FA
Transparent 2FA (T2FA) has the potential to solve the issues of traditional 2FA. The difference between T2FA and 2FA is that in T2FA, there are no additional steps that the user has to take when logging in to their account. For example, SMS 2FA requires the user to input their username/password, and then input the code that is sent to their cellular device. With T2FA the user simply enters their username/password and gains access to their account, with all the benefits of 2FA. Hence the ‘transparent’ in T2FA; the second factor of authentication is invisible to the user.
The second factor in T2FA refers to a unique identifier. How this unique identifier is derived depends on the specific implementation of T2FA. For example, having a unique identifier based on the browser or device used would allow only that specific browser or device to access a T2FA enabled account. The user is not prompted with any additional steps when logging in, and the service silently checks if the T2FA requirements are met.
T2FA does not share 2FA’s vulnerability to email and SMS compromises. With email and SMS, the bad actor is able to compromise these factors without direct access to your device. With T2FA, the bad actor would need to have physical or remote access to the exact device that is permitted to authenticate into your account. Furthermore, proper implementations of T2FA will make it difficult to determine how the unique identifier is derived. The bad actor would need to know what device or software is required to access your account.
Hurdles for T2FA to Overcome
T2FA isn’t without its disadvantages. In some ways, the user experience of enabling and configuring T2FA for their account is more complicated than the initial configuration of regular 2FA. They would need to use the types of software or devices that are supported by a particular T2FA implementation, which may require additional software downloads.
There is also a need for a robust way to recover accounts should the user lose access to their device or software. Using traditional 2FA methods of account recovery (such as the ‘I forgot my password’ SMS/email) defeats the purpose of T2FA if it allows T2FA to be easily bypassed.
T2FA is also susceptible to plain text data breaches, as it is in many ways similar to having a second password on the account. If the bad actor is able to figure out how a particular service’s T2FA authentication process works, they could theoretically access the accounts exposed in these plain text data breaches. However, reputable companies should never store passwords in plain text in this day and age.
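The silent device check described under “Benefits of Transparent 2FA” and the plain-text-breach concern above can be illustrated together with a minimal server-side login flow. The following is an added example, not code from the article or from any particular T2FA product; it assumes one possible implementation in which an enrolled device holds a random, high-entropy token that the client presents automatically (for instance in a cookie), and the service stores only a hash of that token beside the password hash. The names (`register`, `enrol_device`, `login`, `USERS`) and the in-memory store are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional

# Constructed in-memory "database" for the example. A real service would
# persist this; the point is what gets stored (only hashes), not where.
USERS: Dict[str, dict] = {}

# A fixed dummy salt so that an unknown username costs the same time as a
# known one during login (see the missing-user branch in login()).
_DUMMY_SALT = b"\x00" * 16


def _hash_password(password: str, salt: bytes) -> bytes:
    # First factor: a slow, salted password hash (PBKDF2 here for stdlib-only).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def _hash_device_token(token: str) -> bytes:
    # The device token is 256 bits of randomness, so a plain SHA-256 is enough:
    # a leaked table of these hashes cannot be reversed into usable tokens.
    return hashlib.sha256(token.encode()).digest()


def register(username: str, password: str) -> None:
    """Create the account with the password hash only; no device yet."""
    salt = os.urandom(16)
    USERS[username] = {
        "salt": salt,
        "password_hash": _hash_password(password, salt),
        "device_token_hashes": [],  # second factor, stored hashed
    }


def enrol_device(username: str) -> str:
    """Issue a device-bound token for an already authenticated session.

    The plaintext token is returned exactly once so the client can keep it;
    the server retains only its hash.
    """
    token = secrets.token_urlsafe(32)
    USERS[username]["device_token_hashes"].append(_hash_device_token(token))
    return token


def login(username: str, password: str, device_token: Optional[str]) -> bool:
    """The user types only username and password; the device token is
    supplied by the enrolled client without any extra step."""
    user = USERS.get(username)
    if user is None:
        # Burn a hash anyway so probing for usernames is not faster.
        _hash_password(password, _DUMMY_SALT)
        return False

    # First factor: the password.
    if not hmac.compare_digest(
        _hash_password(password, user["salt"]), user["password_hash"]
    ):
        return False

    # Second, transparent factor: the device-bound token. No token, or a
    # token the account has never enrolled, means the login is refused even
    # with a correct password.
    if device_token is None:
        return False
    presented = _hash_device_token(device_token)
    matched = False
    for stored in user["device_token_hashes"]:
        # Compare every stored hash (no early exit) with a constant-time check.
        matched |= hmac.compare_digest(presented, stored)
    return matched


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    tok = enrol_device("alice")
    print("enrolled device:", login("alice", "correct horse battery staple", tok))
    print("no device token:", login("alice", "correct horse battery staple", None))
    print("stolen password only:", login("alice", "correct horse battery staple", "guess"))
```

Two things the flow shows that the prose only states: a correct password alone never logs in, which is what makes the second factor a factor rather than a convenience; and a dump of `USERS` contains the token hashes but not the tokens, so a plain-text-style breach of the table does not hand an attacker a working second factor. Recovery (a user who loses the enrolled device) is deliberately not modelled here; as the article notes, that path needs its own design so it does not become a bypass.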