2FA: Not All Factors Are Created Equal

Feb 28, 2019 | 6 minutes read

Tags: Security, Rant

This post originally appeared on

The security of a 2FA-protected account is much greater than the security of an account protected by only one factor — in theory. In practice, there is more nuance to it than that. For 2FA, you are trusting the server to enforce the 2FA and not be compromised by hackers or compelled by law enforcement to allow them access to your data; meanwhile a service can be configured to use your password in a way that protects even against hackers or law enforcement. Understanding this nuance requires a deeper understanding of how 2FA works and how it does (or doesn’t!) protect your accounts.

Demystifying How Two-Factor Authentication Works

[skip to next section if you already understand how 2FA works]

You’ve probably heard it a thousand times by now: “Use 2FA [Two-Factor Authentication] to secure your online accounts and data!” Without 2FA, logging into your bank’s website or your email requires only a single factor, your password. Using 2FA to log-in requires two factors, something you know (i.e. your password), and something you have, like a mobile phone. A password can be copied or read over your shoulder, and your phone can be stolen, but it’s extremely unlikely that an evil third party would be able to do both at the same time.

When you go to log-in to a site you’ve enabled 2FA on, you’ll be asked for your username and password as normal. If the site accepts your credentials, you’ll usually be taken to a different screen that asks you for a short numerical 2FA code. There are two common ways to receive these codes: SMS, and TOTP (Time-Based One Time Password). When you set up SMS-based 2FA, you give the site your phone number, and when you log-in the site will send you the 2FA code over SMS, where you’ll have a short time to enter it before it’s no longer valid. If TOTP is used, setting up 2FA involves scanning a QR Code on your phone using an authenticator app such as Google Authenticator. The QR code contains the name and location of the site, and a secret key that will be used to generate 2FA codes. When you need a code, the app will generate one based on the secret key and the current time (rounded to the minute or half-minute, usually), and when you enter it into the site the server will use its copy of the secret to generate its own code; codes are deterministic, so if you and the server have the same secret and the same time, they’ll match and you’ll be let in.

As an aside, the TOTP method is much more secure than SMS — It’s relatively easy to intercept SMS, and NIST recommends against using it if other options are available.

Can You Trust Two-Factor Authentication Services?

Up until this point we’ve discussed passwords and 2FA in the context of authentication, that is, proving to a server that you are who you say you are. You are trusting the server to not let anyone else into your account, but if the server is compromised by hackers or compelled by law enforcement to let them in, all your data can still be stolen. To prevent this, security conscious services use end-to-end encryption (sometimes called zero-knowledge privacy or zero-knowledge encryption), where data is encrypted by you, the client, in a way that even the server cannot understand or decrypt. This most commonly comes up in the case of password managers, where it’s extremely important that hackers not be able to access your password database. The way end-to-end encryption works in the context of a password manager is that your master password (the one you log-in with) is used to compute a long secret key that is in turn used to encrypt the vault; someone who doesn’t know your password can’t compute this key, and therefore cannot decrypt the vault and see your passwords. At least, that’s how good password managers work —if a password manager doesn’t use end-to-end encryption, then anyone who compromises the server can just read your passwords, and 2FA issues are the least of your problems.

So how does 2FA work in this context? When you go to log-in, the password manager service’s servers will request a code from you, and won’t send you the encrypted vault to decrypt if you can’t provide a valid code. Note the subtle difference between the way passwords work and the way the second factor works: you’re still relying on the server to enforce the second factor, even though the service is end-to-end encrypted. Your password secures your vault using math — even if the server itself is compromised, an attacker can’t bypass the need to know your password to unlock your vault because the client (i.e., you) performed the encryption that protects it. On the other hand, the second factor (TOTP or SMS) must be enforced by the server; anyone who compromises the server can simply tell it to not enforce the second factor.

Even if the server isn’t compromised, there are other methods of bypassing the second factor available. Malware could steal the password database off your disk, or even potentially read all your secrets out of your computer’s memory, as shown in research we recently published. Someone could phish or social engineer their way around your 2FA settings, or there could be a bug in the application that lets attackers simply bypass it entirely. Even if none of that happens, the government could simply demand access to your database from the password manager’s servers, or a rogue employee of the password manager service could walk out with a copy of your database. There are a lot of ways 2FA can be bypassed, many of which are extremely application-specific.

The Point

When you have a zero-knowledge encrypted service like a password manager, you have to treat it as though the password is the only authentication factor. You cannot use a weak password and assume that 2FA will protect you from compromise, because you can’t always rely on 2FA being enforced. Having said that, you should still use 2FA everywhere you can, including your password manager. It’s not much extra work and it’s a lot more secure. You should also definitely use a password manager to create and remember strong, unique passwords — don’t let this article or any other research scare you off.