Lighthouse Blog

Your Password Was Hacked. Should You Be Worried? Not if You Use U2F

A few weeks ago I wrote an article warning about how phishing scams can compromise your online account passwords. I also mentioned that one of the best ways to avoid falling victim to these types of attacks is to enable Two-Factor Authentication (2FA) on your accounts. While this is good advice, you should be aware that not all 2FA systems are created equal.

Take SMS-based 2FA. This is a type of Two-Factor Authentication in which the website or application you are logging into sends a code via SMS (text message) to your phone when you first try to log in. The idea is that you enter the code in the website or application as a secondary form of authentication. Since our phones are devices we carry with us almost constantly, it is a good way to verify that we are actually the ones attempting to log in. After all, your password could have been hacked, but what are the chances that a hacker will have both your password and your phone?

As it turns out, the chances are not as astronomical as you might think. Brian Krebs recently wrote an article on his blog where he details a scheme being run out of Florida in which a criminal ring was cloning cellphone SIM cards and intercepting SMS two-factor codes in order to gain access to users’ accounts. It was reported that this scheme netted the group more than $670,000 in ill-gotten gains. While the ring was broken up by police in Pasco County, FL on July 18th, it is by no means an isolated incident. Just a week earlier police arrested 20-year-old Joel Ortiz, a college student in California accused of being part of a similar ring that allegedly stole more than $5 million using this same technique.

In both cases, police found that the criminals were paying cellphone company store employees to illegally clone SIM cards for them. Once the thieves have some information on you, they can easily discover your phone number and then it’s just a matter of bribing the employees of a cellphone store who aren’t exactly getting rich selling phones.

In these cases, individuals had taken the extra security measure of enabling Two-Factor on their accounts, but still got hacked. So all is lost, right? Not exactly. There are 2FA systems that are much more secure than SMS and nearly impossible to circumvent. One such system is called Universal Second Factor (U2F). It is more commonly known as a “hardware key”. Although hardware keys as authentication devices have been around for years, the reason they aren’t more widely used is two-fold.
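An added example (not from the original post) modelling in Go why a U2F response resists the interception that defeats SMS codes: the key signs a fresh server challenge bound to the site's origin, so a captured response cannot be replayed and a signature obtained on a lookalike site is rejected. It follows the U2F raw authentication message layout with P-256 ECDSA; the origins used are hypothetical and client data is simplified to challenge|origin rather than U2F's JSON.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator models the hardware key and RelyingParty the website; Register pairs them.
type Authenticator struct {
	priv    *ecdsa.PrivateKey // generated on the device and never leaves it
	counter uint32            // only ever increases
}
type RelyingParty struct {
	appID   string           // the site's own origin (a hypothetical value in the test)
	pub     *ecdsa.PublicKey // the only key material the site ever holds
	counter uint32           // last counter accepted; a lower one suggests a cloned key
}
func Register(appID string) (*Authenticator, *RelyingParty) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{priv: priv}, &RelyingParty{appID: appID, pub: &priv.PublicKey}
}

// digest hashes the U2F raw message: SHA-256(appId) || 0x01 (user present) || big-endian counter || SHA-256(clientData).
func digest(appID string, counter uint32, clientData string) []byte {
	app, cd := sha256.Sum256([]byte(appID)), sha256.Sum256([]byte(clientData))
	msg := append(app[:], 0x01, byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
	d := sha256.Sum256(append(msg, cd[:]...))
	return d[:]
}

// Sign is the "touch". clientData is challenge|origin here (U2F uses JSON); the browser, not
// the web page, supplies the origin, so a phishing site only gets a signature over its own appId.
func (a *Authenticator) Sign(origin, clientData string) (uint32, []byte) {
	a.counter++
	sig, _ := ecdsa.SignASN1(rand.Reader, a.priv, digest(origin, a.counter, clientData))
	return a.counter, sig
}

// Verify demands the challenge it issued, a counter above the last one and a valid
// signature over its own appId, so a captured response cannot be replayed or redirected.
func (rp *RelyingParty) Verify(challenge, clientData string, counter uint32, sig []byte) bool {
	ok := clientData == challenge+"|"+rp.appID && counter > rp.counter &&
		ecdsa.VerifyASN1(rp.pub, digest(rp.appID, counter, clientData), sig)
	if ok {
		rp.counter = counter
	}
	return ok
}
```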

First, not all authentication systems currently support U2F. Google, for example, supports U2F when logging into any Google service. LinkedIn, however, currently only supports SMS-based 2FA. Secondly, many people value their convenience over their security. When logging on to a system requiring a hardware key, you must enter your password and then connect the hardware key to the computer (or mobile device) you are using to log in to the system. This means that you must carry your hardware key with you at all times. You may not think this an inconvenience (until the first time you forget your key at home and need to log in to your computer at the office).

As a result, by a factor of 10:1, the overwhelming majority of 2FA users prefer the easier SMS method over hardware keys. Part of this inconvenience can be mitigated by using smartphone-based authenticator apps like Google Authenticator or Authy. You can see a more in-depth list of these types of apps at PCWorld.

The main reason I am focusing on hardware keys, even though they are less common, is that you can’t argue with results. In July 2018 Business Insider reported that Google had used the YubiKey U2F device for over a year and that in that time there had not been a single takeover of any account within the company. This is an astounding statistic given Google’s profile as a hack target.

There are many different manufacturers of U2F devices. Manufacturers can choose to make devices with different interfaces: USB-A, USB-C, NFC, BLE, etc. The devices themselves can also support different features.

Some, like the basic “Security Key by Yubico”, only support U2F (note: Yubico has more feature-filled variants).

Others, like the Feitian ePass, support U2F as well as other authentication methods such as OATH, HOTP and CCID.


Brad Hill over at GitHub created a repo where he compiled reviews of the better-known U2F keys. It’s a good place to start if you want to know which device might work best for you.

So now that you have this information, what can you do with it? The answer depends on which online accounts you consider vital to your day-to-day life and how secure you want those accounts to be.

Not all services currently support Two-Factor authentication or the FIDO-U2F standard needed for using hardware keys; however, many of the more ubiquitous services are already on board.

Decide which key and feature set is best for you, and initially buy two keys. I say two because if you register just one key and lose it while it’s attached to your keychain, it may prove time-consuming to restore access to your accounts. If you registered a second key (kept in a safe place at home), you can easily regain access to your accounts.

Whatever solution you choose, 2FA should be a part of it, even if it’s just SMS. To re-purpose an old saying for the age we live in: two factors are better than one.
