It is crucial to consider the potential risks associated with using email as a form of two-factor authentication. It may be worth exploring alternative options that offer increased security.
What is Two-Factor Authentication?
Two-factor authentication increases the security of your online accounts by requiring an additional authentication factor in addition to a password. If you don’t know what two-factor authentication is or don’t have it enabled, I recommend you set it up for your online accounts. Two-factor authentication is an easy way to increase security and reduce the risk of your account getting compromised. For more information, see the UK Government’s top tips on staying secure online.
There are many different types of two-factor authentication, such as one-time code, fido device, SMS, and email. However, some are more secure than others.
Two-factor authentication relies on two different methods of authentication.
For example:
- Something you know (e.g. a password)
- Something you have (e.g. an app on your phone or access to your email)
Two different factors means that if one is compromised (e.g. someone guesses your password), they cannot log into your account.
Why is Email not a Secure Method?
There are several reasons why email, as a method of two factor authentication, should not be a secure second factor.
Compromised Email Account
If a malicious user gains access to your email account, they can perform a forgotten password action to gain a new password and then receive the two-factor code in the same email account. This means your online account can be taken over by just someone accessing your email account.
Plain Text Emails
Emails are usually sent as unencrypted text, meaning they could be intercepted and read by a third party. This could be by a man-in-the-middle attack or a compromised network. Receiving reset codes and links which are sent by email, could be intercepted, and used to compromise the online account. Using a different two-factor authentication method would mean a malicious user could reset a password but not bypass the second factor without compromising that device.
Email Overload
Another danger of considering email as two-factor authentication is that it relies on the user's behaviour and judgment. Users may not check their email regularly or may miss important messages due to spam filters or cluttered inboxes. Users may also click on malicious links or enter codes on fake websites that mimic the legitimate ones. Users may reuse the same email address and password for multiple online services, increasing the risk of credential stuffing attacks.
The Solution
The solution is simple, don’t use email as a second factor. Nearly all online accounts can use a more secure and robust method, such as fido device or one-time code. Fido devices could be something like Windows Hello, or a physical key, which generates cryptographic keys. A one-time code can be generated using apps such as the Microsoft or Google Authenticator apps, where a new code is generated every 30 seconds and is usually set up by scanning a QR code.
Using these devices and a strong password will significantly reduce the risk of your online account being compromised.