Two-Factor Authentication (2FA) has long been recommended by cybersecurity experts as a line of defence against incidents such as identity theft.
However, recent research by TNK2 External Advisor and Principal Researcher Dr. Jay Jeong shows that attackers can bypass SMS-based 2FA by using message-mirroring apps available on the Google Play Store to capture the one-time codes sent to a user's phone.
According to the article, one of the attack's key requirements is a compromised Google account. This is exactly the kind of compromise a password manager limits. One of the key human-factor challenges that we at TNK2 are addressing through our cybersecurity training and awareness solutions, CyEd and Upling, is the low adoption of password managers. A password manager secures your online accounts by generating a unique, strong password for each one, so a breach of one service (such as your Microsoft account) cannot be replayed against another (such as your Google account), because no password is reused between them.
Another factor at play is the widespread prevalence of SMS-based 2FA, which has not been addressed at the organisational level. Although far more secure MFA options have been available for years, such as authenticator apps (Google Authenticator, Duo) and physical security keys (YubiKey from Yubico), many organisations and online services (such as mygov.org.au) still offer SMS as the default, and often the only, 2FA option for end users.