One hundred percent security for an account is never guaranteed – so why bother to set up two-factor authentication at all? The answer is fairly obvious: two-factor authentication adds an additional step to the identification process, a second hurdle that an unauthorized person must clear. As a result, almost all common phishing attacks fail, because a stolen password alone is no longer enough to log in.
With phishing, criminals send fake e-mails containing links to prepared websites that are then used to harvest passwords, PINs or TANs. The e-mails appear to come from a legitimate mailing list, bank, or online shop, and generally ask the recipient to change one of their authentication factors – supposedly for security reasons. In reality, the goal is simply to capture the password, PIN, or TAN that the victim enters.
An example is the phishing attack on John Podesta, the campaign manager for Hillary Clinton. According to media reports, Podesta – and various other US politicians – received fake e-mails in March 2016. These allegedly came from Google and told their prominent recipients that a foreign IP address in Ukraine was trying to gain access to their e-mail account, so they should change their password immediately. Clicking on the link in the e-mail led to a fake website. The URL had been shortened and obscured, and the page layout copied Google's.
Spoofed pages like this are largely successful: of the 108 members of the Clinton campaign who received the e-mail, 20 clicked on the link, and the rate for the Democratic Party's National Committee was 4 out of 16. If the targeted Google accounts had been secured with two-factor authentication, the attackers could not have done anything with the passwords they obtained. The second factor needed for a successful break-in would have been missing: a unique security code sent exclusively to the mobile phone of the authorized person.
So why is this method not more widely used? Setting up two-factor authentication on Google is neither particularly complex nor time-consuming. You do not even need to enter the automatically generated security code every time you log in, since you can permanently mark a device as trusted. The following video from Google demonstrates how the setup works: