Two-factor authentication in short "2FA" is now one of the safest login practices of the moment.
With biometric technology. It involves requiring a second code in addition to your password, when connecting from a device other than the one usually used. The second code is a syntax provided by the site that hosts the account. This code is sent to us either by email, or by text or via a physical security key. This second security measure has, as soon as it was released, strengthened its users' additional protection for their access to their platforms.
This article will also interest you: Passwords vs. Biometric Security
However, according to a recent study, dual-factor authentication is not as foolproof as it sounds. In a report on the safety of users of digital services, Amnesty International announced that this protection measure could be circumvented by hackers.
Amnesty International tells us that the strategy that circumvents this system is that of phishing.
Indeed the pirate proceeds in this way:
– It creates a fake site with the account elements it wants to hack.
– When the victim logs in, they enter all their login credentials (username and password).
– The hacker uses it to connect to the real site.
– The site will claim the validation code that will be sent to the victim.
– The victim enters the code on the fake site allowing the hacker to retrieve it.
– With the code recover, he has access to his victim's account.
This goes to the point that phishing is so dangerous. So Amnesty International recommends trying to redesign this access format with another safer technique. For example the use of these digital currencies (tokens) via Google authentificator.
This strategy was discovered by computer security researcher Kevin Mitnick.
When you want to log into your account. We use our login credentials (username and password) and security code that increases security.
Here's how to do it:
Our researcher uses phishing to retrieve his victim's login credentials as well as cookies from the session. It uses these references to connect to the real account without going through dual-factor authentication.
But he points out that this security flaw is not a flaw in the dual-factor security system, but of the system itself, especially the user. Clearly it will be recognized that in this case, as in many others, the security flaw is the user himself instead of the system. Because for dual-factor authentication to work properly, you have to be sure. Therefore, users should pay attention to the site they are visiting. Let them make sure that the link visited is the right link.
Now access an unlimited number of passwords: