November 7, 2020

Is email for 2FA secure?

Watch out for 2FA by email: It gives a false sense of security.


Growing MFA Adoption

One of the things that I love to see becoming mainstream over the last couple of years is the use of multi-factor authentication (MFA, or more commonly 2FA, for two-factor authentication).

The size and scope of the data breaches highlighted by the likes of Troy Hunt and his service Have I Been Pwned seem to finally be breaking through to public consciousness. While MFA does nothing to stop those breaches themselves, they have made the frailty of short, easy-to-remember passwords apparent to many, and more and more service providers are giving users the option to use MFA.

Common MFA Methods

There are a few main types of MFA that I encounter regularly:

  • Email
  • Text Message
  • One-Time Password (OTP)

Generally I think OTP is the most secure of the three: as long as the device generating the OTP is not accessible to the attacker, it is a difficult attack vector. Some service providers (like banks) may provide a physical device, and many services support time-based OTP (TOTP), often generated in a smartphone app like 1Password or Microsoft Authenticator.

Text message (SMS) is probably the easiest for the average user right now, as most people have a mobile number. However, codes sent by SMS can be intercepted or redirected (SIM-swap fraud is the common example), so this method is no longer considered secure.

The least secure, I believe, is email. Let me explain.

Why Email is not Secure for 2FA

The problem is simple, really.

Email addresses are quite public bits of information. We give them out to hundreds if not thousands of services, and every one of them knows how to get into our inbox if it wants to.

Because email is ubiquitous, it is the identifier around which many manage their passwords, too: if you want to reset your password, you enter your email and get a magic link. I dislike this security flow, too, but that's another blog.

What happens when the password to your email inbox is compromised? You use a long, complex password that nobody could guess in 100 years for your email, right?

If your inbox is compromised, every account that lets you reset its password by email is compromised too, and more than likely your other passwords and email accounts along with it.

So when you go to log in to Groceries-R-Us, you put in your email and password and... what's this? They've sent a verification code to your email, just to make sure it's you.

Mr. Robot grabs the verification code from your inbox and confirms it's you. Mr. Robot is thankful for the free groceries!

Email for 2FA is a Placebo, use something else

The situation above demonstrates clearly that the verification code you get in your email is a placebo: it is designed for you, the user, to feel better about the service that is "verifying" who you are. It says, "see, we take security seriously!".

Quite the opposite. A service that is concerned about security will allow (or even require) you to use multiple independent sources of verification. By independent I mean that compromising one source must not give the attacker access to, or any influence over, another.

What does this look like?

Earlier, I mentioned 1Password. One of its features is support for time-based one-time passwords (TOTP), a scheme in which two separate systems independently compute the same short code from a few inputs: a shared secret, an HMAC algorithm, a starting time for the calculation, and a time step (thirty seconds, typically). The code never travels through your inbox, so whoever holds your email gets nothing from it.

When I go to log into Facebook, I almost never have to put in my password. It stores data in my browser that identifies who I am, and the way most of us use the web, we're also logged into our email in that same browser. Facebook assumes that my email is open, that whoever is using this browser has access to it, and that therefore my password is meaningless.

What Facebook does often prompt me for is my OTP token, those six little numbers that change every thirty seconds or so. That number is not generated in my browser or stored in my browser; it changes too often to be useful as such. Facebook knows that if I am Aaron (as my browser tells it I am), I will have access to that generated number, no matter when it asks.

There is one drawback: I need to have the OTP generator with me any time I may want to access a service where I've turned it on. In reality, I nearly always have my phone with me, and the OTP codes are even available on my Apple Watch if I so choose.

In Conclusion

Watch out for two-factor verification by email. While it does not hurt technically, I think that it actually does harm the users of a service by providing a false sense of security, and thus may leave consumers in a worse place than where they started.

At the end of the day, we all must be diligent with email and passwords. Never, ever reuse a password. Use a password manager, and let it make impossible passwords that you don't need to remember. Make sure that your accounts are secured with multiple independent methods, and don't let everything "fall back" to email. Buy a YubiKey if you need to; it's a worthy investment.