2 Factor Authentication - Is It Enough?

in #security4 years ago (edited)

Even if you're new to the crypto-sphere, you're probably familiar with 2 Factor Authentication (2FA) offered on various platforms, including crypto-currency exchanges, used to help identify account owners. After your password, 2FA provides an additional layer of protection to verify if you are indeed who you say you are. On crypto-exchanges, 2FA is commonly required to initiated any transactions relating to your assets. This gives users a greater sense of security and confidence in managing their accounts.

But is this a false sense of security?

Before answering the question, let's first define 2FA .

2 Factor Authentication

Many of the world's most popular websites already use some form of 2FA security, however, it may go by another name. Twitter (login verification), Facebook (login approvals) and Google (2-step verification). Regardless of what it's called, 2FA is an accessible way to strengthen account security without having to get too technical.

According to the Electronic Frontier Foundation (EFF), 2FA comes in several forms:

A one-time verification code sent to you via SMS text message
A time-based one-time password (TOTP) generated by a dedicated app, like Google Authenticator and Authy
A download-able, print-able, hard-copy backup code
A hardware token, like a Yubikey


Google Authenticator is widely used throughout the internet providing users quick and easy 2FA services. Bittrex, Changelly and Coinbase are just a few examples of crypto-exchanges that provide users with the option to enable Google Authenticator 2FA.

While the EFF certainly advocates for the use of 2FA (in combination with a strong password), it also cautions that 2FA is not infallible and can be vulnerable to attack. For example, when receiving 2FA in SNS form it is possible that the texts, and the codes they contain, can be intercepted by telecom and by third parties.

Crypto Wallets

In a recent article titled Here's How Hackers can Hijack Your Online Bitcoin Wallet, the Hacker News reports that a long suspected 'critical issue' regarding Signal System 7 (SS7) may allow hackers to eavesdrop on phone conversations and intercept and view text messages which could be exploited on a large scale even with high level encryption on cellular networks.

Despite fixes being available for years, the global cellular networks have consistently been ignoring this serious issue, saying that the exploitation of the SS7 weaknesses requires significant technical and financial investment, so is a very low risk for people.

However, earlier this year we saw a real-world attacks, hackers utilised this designing flaw in SS7 to drain victims' bank accounts by intercepting two-factor authentication code (one-time passcode, or OTP) sent by banks to their customers and redirecting it to themselves.

The Hacker News

In addition to demonstrating the vulnerability of the telecom networks, white hat hackers also demonstrated how the SS7 exploit could be used to take control over online bitcoin wallets and drain them of their assets.


While demonstrating the attack, the Positive [white hat] researchers first obtained Gmail address and phone number of the target, and then initiated a password reset request for the account, which involved sending a one-time authorization token to be sent to the target's phone number.

Just like in previous SS7 hacks, the Positive [white hat] researchers were able to intercept the SMS messages containing the 2FA code by exploiting known designing flaws in SS7 and gain access to the Gmail inbox.

From there, the researchers went straight to the Coinbase account that was registered with the compromised Gmail account and initiated another password reset, this time, for the victim's Coinbase wallet. They then logged into the wallet and emptied it of crypto-cash.

Thankfully, these hacks were not executed by cyber-criminals but by white hat hackers who wanted to demonstrate the vulnerability of SS7 and 2FA, especially to raise awareness for crypto-currency investors and enthusiasts.

Aside form the SS7 issue, there are further weaknesses related to phones in general. Phone numbers are a weak point if a cyber-criminal obtains your number along with a few personal details.

All an attacker has to do is call your cell phone company’s customer service department and pretend to be you.
These are the kinds of details — for example, credit card number, last four digits of an SSN, and others — that regularly leak in big databases and are used for identity theft. The attacker can try to get your phone number moved to their phone.

How to Geek

A hacker can than disable 2FA or simply have the 2FA authenticator code sent to their phone via SMS or voice calls.
Similarly, 'account recovery' remains a difficult conundrum as websites/accounts desire to maintain customer satisfaction and do not wish to have customers locked out of their accounts. If said hacker knows enough about you and your habits it is possible for them to gain access to your accounts through 'account recovery', providing they have enough personal information. New passwords can be generated and sent by email, ultimately bypassing 2FA.


In light of the fact that 2FA could potentially be bypassed by exploiting the critical issues with SS7, there's not much that can be done to completely eliminate the threat at the individual level as the telecom industry needs to address these vulnerabilities in their networks. Unfortunately, it seems unlikely that that will happen as it would require a significant financial coordinated effort and financial burden to the network providers.

Last year, the researchers from Positive Technologies also gave demonstrations on the WhatsApp, Telegram, and Facebook hacks using the same designing flaws in SS7 to bypass two-factor authentication used by those services.

As a precaution suggested by The Hacker News:

Avoid using two-factor authentication via SMS texts for receiving OTP codes. Instead, rely on cryptographically-based security keys as a second authentication factor.

If there's a silver lining here for my fellow Steemians, it is that Steem Wallets are some of the most secure funds in the crypto landscape and STEEM and SBD do not depend on 2FA and instead require the use of permission keys.

Permission Keys.png

Tip: Do not keep your private keys on your computer, store them offline where they cannot be hacked.

Tip2: Use your Posting Key to log into Steemit. This allows you to Vote, Post and Comment but does not give access to wallet transactions.

Furthermore, it seems logical that as the adoption 2FA becomes more mainstream, so too will there be an increase in attacks against the system. Some suggest that the next level of protection may come from 'biometrics', but for myself, I would prefer to put my trust in crypto-currency hardware wallets such as Trezor and Ledger Nano.

Of course, if you're accessing an exchange there is always going to be some risk involved but hopefully being aware of some of the ways in which your accounts can be compromised will allow you to make better decisions going forward.


[email protected]
[email protected]




As one of "those" people who isn't really up to speed with all the latest in technology and so on, I get rather concerned when reading articles/posts such as these.

"hackers this, hackers that and so on"

Not all that long ago I was reading posts about how some hackers ripped off some people investing in a new crypto currency..... I was left speechless for days on that topic.

However, what I do like, is when people like yourself explain things in ways that "us common folk" like me can understand and more so the fact that you explain what we can and should do to protect ourselves from those out there who would gladly take what doesn't belong to them.

In short:


Very important post - thanks

thank you for this detailed blog man! It's blogs like these that I want to read! Looking forward to your future posts!

Incredibly important in all things security: you're only as secure as the weakest link in your security chain.

I could have an air-gapped network with 2FA on everything, but if I allow employees to plug in any device they'd like into a USB port, all I have to do is drop a few Rubber Duckies in the parking lot and it's over.

2FA is not any different. The second factor can be compromised just like the first.

I always thought there should be an extra factor for resetting password, like a delay period while website attempts to notify the user via all provided contact information.
the delayed withdraw process in steemit seems to do that.
Thanks for the useful data, I had no idea 2FA can be hacked that easy and used as a weak point at the seam time.

I think one of the issues is that the websites need to strike a balance between those of us who are just plain forgetful, providing fast and convenient services while also providing security. I think there are services that are multiple-authentication that go a bit further that are available as well.

Great point on the delayed withdrawal or the Steemit powerdown. At first a lot of people think this is inconvenient but soon realize that it makes your Steem Wallet much more secure in the event someone attempts to steal your funds.

True, True, 👍 in most cases, those get hacked that are not careful with their security. they must learn from crypro currency community hot to do it.

I recently read about hackers calling phone companies and getting phone numbers transfrered to hacker phones. Peoples wallets got cleaned out that way.

My only problem is ignorance of exactly what's happening in the Cryto- hacking space

Very good article, 2FA is a very strong security and should be required to all accounts. But there isnt a 100% secure system.
Thanks for sharing

Thanks for your comment. Yeah, I'm not knocking 2FA, I use it too, and it does provide more security than only having a password. A friend of mine always mentions 2FA as if it is fool proof. Just reminding people to be vigilant.

Well, as cryptocurrencies are going mainstream, and they are being used more than ever, it will be a very big race between the security and the hacking groups

Absolutely, so it's important to all of us to stay on top of security issues. Thanks

Yes, it is. And the only way to do that, in my opinion, is to keep reading and learning everyday. :)

Which means there is a huge opportunity for 'coders and programmers' to create more and more ways for us to secure our coins; the future is exciting!

Yes, indeed :)

Many hacking attempts and successes are not reported but my guess is that its so crazy. I joined Bittrex just a month ago but lost Bitcoins

I agree, as they gain more popularity, hacking will definitely increase. I try to add as much security to my accounts as possible but I don't know if that will be enough.

Thanks for sharing this information @v4vapid and in terms of logging in I'm going to be sure to use my posting key in the future! The conspirasist within me wonders whether the hackers are in effect exploiting a deliberate flaw in the system? Indeed an impending legal requirement in the UK is for all technology to have a backdoor. In all honesty I don't know and I could be wrong, but it's a thought.

Certainly mandatory backdoors places everyone at a higher risk of having our accounts exploited and/or privacy invaded. You could make a case for the purpose of backdoors serving other purposes than 'keeping us safe', I'm sure of it.

Yes, I can't stress this enough. Use your Posting Key as much as possible!

Good relief to know that Steemit wallet is so secure! :) I didn't know the difference between the two types of password verification vs. Posting Key. Yay for all of your awesome knowledge you keep providing me.

It's definitely a good habit to get into to use your Posting Key here on Steemit, that way if someone does obtain your key somehow, the worst they can do is make votes for you!
I guess they could also make some bad comments but they Do Not have access to your wallet.

ahhh... yes I was like... what are all of these passwords for! So just to clarify, I should be able to use the Posting key as my password to get into my account as well?

Yes @karensuestudios, you can log into your account using your Private Posting Key. I always use the postings key, you can also claim rewards from your wallet but if you attempt to make any transactions, you will be asked to provide your Active Private Key. This is a good way to increase security for your steemit account. I also don't store my keys on my computer.
There are some good posts about permission keys. I'll ass a link here once i find the one i had in mind.

Last day I came across an article explaining how to send an encrypted memo here on steemit. You just have to put a '#' at the very beginning of your memo. It seemed to work for everyone except me. I got an error. It turned out that it was because I was logged with my posting key only instead of my master/owner key.

I was very surprised because this meant that everybody was using their master/owner key to log in maybe without even knowing it.

I would recommend using apps like Google Authenticator for 2FA and avoid SMS messages. Gmail also allows you to use a special hardware key to login into your account which is the most secure way by far. You can read more in my Steemit blog post:

Take care of your online security before getting into crypto

In my opinion if a hacker has enough motivation 2 3 4 5 FA would'nt be enough...

Yes it is.. at least your account will be safe

We should have ti use 2fa is very strong

Great information, something everyone should read.

extremely valuable information @v4vapid, i am thinking that 2FA is quite strong security but after reading your post i understand it that 2FA can also be break by hackers, i think the private wallet or official wallet to hold coins is more safer than online wallet, thanks for sharing

almost seems like a never ending story tbh; soon as one thing comes out to secure us, we need more! .... I hope this all gets worked out in the next few years!

good info..thanks...resteemed it

Very useful news, thanks for sharing. @v4vapid

Thank you for sharing, very useful news for me, although I do not know crypto any further, but I have two different accounts about crypto that is bitcoin and poloniex.

Nice info, but i think it's better to avoid online wallet and use desktop/mobile wallet on clean device rather than bother with 2FA, secure connection & secure browser.

Hey @v4vapid, interesting post man! Thanks for sharing. So is the SS7 weakness relieved when you scan a QR-code from your screen to do the transfer of the secret? (Assuming of course your pc is still under your control)

Nothing is safe and everything can be hacked that's why the only thing we need is luck!

then there is this perspective! lol .... i know how you feel; it's as if the hackers are always figuring it out; no matter what the promises are; it's what Hackers do; they Hack.... we should always expect them.

This post is full of information. Thank you for this post.

Such a useful, USEFUL post! Crypto holders need to be as focused on securing their holdings as they are gaining earnings. Thanks!!! Following.

Congratulations @v4vapid, this post is the forth most rewarded post (based on pending payouts) in the last 12 hours written by a Hero account holder (accounts that hold between 10 and 100 Mega Vests). The total number of posts by Hero account holders during this period was 292 and the total pending payments to posts in this category was $4469.93. To see the full list of highest paid posts across all accounts categories, click here.

If you do not wish to receive these messages in future, please reply stop to this comment.

♥ I really liked your post, well written. I invite you to come on my page and mark "like" or leave a comment in the posts. Did you like it and you subscribe to me? Thank you! :))

Good master

Rule 1. Never assume an organization is safe even a bank. Always give as little personal information as possible. Barclays bank sent my pin and login to the wrong address.
Rule 2. Have a different strong password for each web site.
Rule 3. If you store passwords on your machine make sure you self encrypt. eg. if you have a password "Steem123Steem" write down as tSeem123Steem
create a method only you would know.
Rule 4. Don't use the same method that everyone else is using or the same lock that everyone else uses.

Governments, Police, Inteligence agencies,

and Corporations will always try and blame you for being hacked, because your a soft target. 99.99 percent of the time its their fault. The information leak has come them

I enjoyed reading the post of yours, @v4vapid!
It's really nice to learn more about 2FA. I have just upvoted it!

2 factor authencification ur account key on ur pocket

safety is necessary for an app ...
to ensure security

Well, now one exchange did a great job as they released SMS verification as an option on 2FA. For me SMS codes are convenient for us traders. No hassle downloading app also Authenticator apps depend on a shared secret that both the app and the server need to store. This “seed” is combined with the time to generate the 2FA code. Anyone can crack the app or the server and recover the secret. Whereas SMS codes are just random values sent by the server, so there is no one who could predict the next code in sequence. I find this news here https://twitter.com/GenovesePierina/status/1064506032293068801

Extremely valuable information! The security must be one of the most important aspect to consider when entering in the cryptocurrencies world! My page is focused on introducing the cryptocurrencies to brazilians, using a easy-to-understand and friendly language, if you mind to check it would help us to keep up producing content! https://steemit.com/@moedeiro and https://www.instagram.com/moedeiro/?hl=pt-br

I use two factor but the best to have your coins save is using the wallet of the official coin because in the exchanges you have the probability of loss your money easily

Now 2FA is also risky.if you use text as two-FA.Cause hacker can also declear the 2-FA if it is ued as text.
Go to this link for more info https://www.theverge.com/platform/amp/2017/9/18/16328172/sms-two-factor-authentication-hack-password-bitcoin @v4vapid

Hi Namaste, I from India I come to know you from @geetarao comments,so I had followed you .I am still new in this community, trying to know gradually, before 4 months I didn't even heard the name of steemit. I come to know that you are a great personality who always wanted to help the needy, so please if you don't mind please help me to build a great networking so that I can achieve good results. Thanks for the great post from which we newbis can be benefited greatly. Wish you a very good time, Happy steeming.

Thanks for the article. I wish Google Authenticator was a bit better designed though. It became very impractical, as I have like 10+ different 2FA codes, all the texts are huge and take a lot of space and scrolling.
Microsoft also has their own Authenticator, but for some stupid reason, they can't scan QR codes... Only a manual input - very clever... :D

nice post please vote my post

I've always believed in 2-step authentication, but neither is it safe, lol. I always login with the main password here in steemit, I'll try to change it.

Very useful news, thanks

a very good post

Nice article. I was recently conned in a very simple way. I was copying my address on Bittrex , a bot changed my address and made me send Bitcoins to an unknown address.

Thanks for the heads up :) I am very interested in investing some cash into bitcoin but I am an absolute novice. Im looking out for a trustworthy and reliable crypto wallet so your post has given me some good advice. keep up the good work. Peace and love to you and yours

thanks for your post and show us the security measures that we have to use to handle crypto wallets. thanks a lot

Thank for your post! In my opinion, some hackers are trying to increase the phishing attack by email because, sometimes, the users don't notice immediately the difference between similar sintax (for example bittrex.com or bittirex.com). In this case my advice is to store your secure links in the favourite browser bar, so you can be sure that the links remain secure. Another advice, look always at the correct URL sintax for the presence of the protocol HTTPS!

This post was very informative thank you for sharing
you have my upvote
Keep smiling, reading, writing and voting!!!

worrying for some one new to this area its a steep learning curve

My friend was hacked even with 2fa

I don't trust anything except my hardware wallets.. Trezor and Ledger Nano S!

And I thought that 2FA certainly reliable protection: (

2FA is still much better than not having 2FA, I'm simply pointing out that we should not assume that it is 100% secure.

Hello friend! I am a newcomer in steemit family... Just 1months before I came up to this family... Coming here I feel personaly helpful in many cases, specially I were very eager to know the different people of different parts of the world, how they think, how they live, how they spends their time etc.... Friend, I enjoyed very much of you the good people's company in my every moments...and able to collect many information of unknown things... I want to stay here for long time... But I think it is not so easy to exist here easily... This type of post can be helpful to know to steemit world fully... I expect through my writings I want help, support and guidance from you all... If you will read my comment then please let me to know how could I success here...Happy time ahead!

Follow=Follow + 5 upvotes
Please follow me and say hello in the comment, in response I will follow you back and give you 5 upvotes. win win.

Deal is a Deal.

Very interesting points and good tips. Security is going to become a huge concern as more and more people get involved with cyrpto currencies that may not be compute savvy.

very important notice tips for our security.
thanks for sharing it 0
follower me plz and visit my blog @hafidg

Good to know, thanks. Well nothing is 100% secure. I guess we have to get used to it.

Thanks for posting.

thanks for the information. what your news is useful for us all ..