Two factor authentication prone to abuse: experts

By Imsha Iqbal 


Recycled mobile numbers pose a possible risk to two-factor authentication (2FA) in Sri Lanka, warn cybersecurity consultants.

Speaking to The Morning Business, Information Technology Society Sri Lanka (ITSSL) Chairman Rajeev Yasiru Mathew said that using alternatives to text messages for 2FA offers better security.

He said that sending a text message or SMS (short message service) does not provide adequate safety for the user, even though enabling 2FA is a safer decision when using the internet and is a widespread practice among most netizens.

The ITSSL Chairman stated: “Users can enable alternatives such as Google Authenticator or Microsoft Authenticator,” explaining that there are plenty of safe options available to internet users for security verification when connecting to the world wide web (www).

The cybersecurity threat in using text messages for 2FA is that a third party can intercept the SMS from internet service providers (ISPs), since these messages are not encrypted.

Furthermore, Chairman Mathew highlighted that the riskiest threat comes from texts as a result of the phone number recycling that occurs in Sri Lanka. He said: “Keep your mobile number updated on all the services you use, especially bank accounts, since nowadays banks also provide OTPs (one-time passwords) via text,” explaining that updating the mobile number registered with such services is necessary because bank account details may be put at risk if the previously used number registered with the bank has been assigned to a new user by the time the OTP is sent.

He also urged users to check whether these details are up to date at least once every six months, or yearly, as a safety measure to avoid falling victim to cyberattacks.

Phone number recycling refers to an ISP reassigning a particular mobile number to someone else after it has been disconnected or deactivated for a period of at least 90 days.

Unlike text messages, the authenticator services provided by the world's tech giants give the user an OTP that is valid only for a very limited period of time, sometimes as little as one minute, and it is also encrypted. Therefore, no potential cyber threat is posed by a third party, or even by the service provider itself, in this context.
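As an added illustration, not code from the article or from any of the apps it names, the block below shows how an authenticator app's short-lived code is computed and checked using TOTP (RFC 6238), the scheme behind Google Authenticator-style codes: the secret is shared once at enrolment and never sent per login, so there is no SMS for a recycled number to receive. The secret and timestamps are the RFC's own test vectors; the 30-second step and one-step tolerance window are assumptions.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 test secret: the ASCII bytes "12345678901234567890", base32-encoded
# the way authenticator apps receive it from an enrolment QR code.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30  # assumed time step; the RFC default


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """Compute the TOTP code for the given Unix time (HMAC-SHA1 per RFC 6238)."""
    key = base64.b32decode(secret_b32.upper())
    counter = unix_time // step                      # number of whole steps since epoch
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify(secret_b32: str, submitted: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Server-side check: accept the code only within +/- skew_steps of the current step.

    A code that is older than the window is rejected, which is the expiry
    behaviour the text describes. compare_digest keeps the comparison constant-time.
    """
    for delta in range(-skew_steps, skew_steps + 1):
        expected = totp(secret_b32, unix_time + delta * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    import time
    now = int(time.time())
    code = totp(RFC_SECRET_B32, now)
    print("current code:", code, "valid now:", verify(RFC_SECRET_B32, code, now))
    print("same code two minutes later:", verify(RFC_SECRET_B32, code, now + 120))
```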

2FA, also known as two-factor verification or dual-factor authentication, requires the user to present two different security factors to prove their identity before being granted access from a new device or to an online account, such as a social media account.

Thus, the user has to enter their password, which is typically the first factor, and then verify their identity through a security token such as a text or email code, or a biometric factor such as a fingerprint or face scan, which is typically the second factor.

Cybersecurity consultant Waidyalankara raised the aforementioned cybersecurity issue, citing research recently conducted by the Department of Computer Science and the Centre for Information Technology Policy at Princeton University, US.