The Verge’s Russell Brandom has a story about how two-factor authentication, good as it is, isn’t the security panacea that we might have hoped:
Five years later, the advice is starting to wear thin. Nearly all major web services now provide some form of two-factor authentication, but they vary greatly in how well they protect accounts. Dedicated hackers have little problem bypassing through the weaker implementations, either by intercepting codes or exploiting account-recovery systems. We talk about two-factor like aspirin — a uniform, all-purpose fix that’s straightforward to apply — but the reality is far more complex. The general framework still offers meaningful protection, but it’s time to be honest about its limits. In 2017, just having two-factor is no longer enough.
Here’s the thing: cybersecurity is an ever-evolving arms race. As our security measures get better, hackers also up their game at circumventing them. Two-factor authentication really is the bare minimum any remotely vulnerable site should offer these days and, as the article points out, ones that rely on SMS codes should really be moving away from that. As Justin Williams’s story from last week demonstrates, that’s just not secure enough.