Want to keep your money safe online? Some two-factor authentication options are better than others

Signing up for an extra layer of protection besides your password – such as a pass code, push notification or security question – has long been an obvious way to secure your online bank or investing account.


But with sophisticated cyberattacks ever more common, online-security experts warn that some types of two-factor authentication, or 2FA, are better than others.

Generally, choosing to receive a one-time code as an SMS on your phone or as an e-mail is regarded as less secure than relying on authenticator apps that generate time-sensitive numerical strings.

Financial institutions often make it mandatory for clients to enroll in some form of two-step verification. But SMS-based 2FA remains pervasive even among banking giants, while companies rarely nudge clients toward more secure authenticator apps, according to reporting by The Globe and Mail.

Ryan Noon, co-founder and chairperson of San Francisco-based cybersecurity company Material Security, emphasized that any form of two-step verification is better than relying on a single set of login credentials.


With people often reusing the same few passwords for different sites, there’s a good chance at least one of their secret words is already exposed to hackers, he said.

“Just assume that the bad guys have your password.”

Still, SMS- and e-mail-based 2FA are vulnerable to a variety of well-known attacks, said Trevor Hilligoss, senior vice-president at SpyCloud Labs, a security company based in Austin, Tex.

Getting verification codes via text notoriously opens the door to what’s known as SIM-swap attacks, when a fraudster impersonates a customer with their telecom company to take over their phone number and gain access to the customer’s accounts.

Cybercriminals can also intercept both text messages and e-mails.

Authenticator apps, on the other hand, generate codes directly on users’ devices, without sending data over networks. The fact that the codes regenerate quickly – usually every 30 seconds – also makes it harder for criminals to steal them.

Mr. Hilligoss cautioned that there are ways in which fraudsters can gain even the information produced by authenticator apps or bypass the two-step verification process entirely.

For even stronger protection, you can use information stored on a security key – a physical device, such as a USB drive – as your added layer of verification, he said.

Another cutting-edge option to secure your account is passkeys: a pair of mathematical values, one kept on your device and one stored on the website or app you are accessing. Google and Microsoft, for example, now support this login method.

But passkeys have yet to be widely adopted, and holding on to a physical device key is generally only recommended if you’re facing a particularly high security risk.

As a more common option fit for everyday use, app-based 2FA is a good compromise, Mr. Hilligoss said.

Yet, in a sample of 11 banks and digital brokers examined by The Globe, all but one relied on two-step verification based on SMS as a main option to check users’ identity. And only two institutions said they encourage clients to use authenticator apps.


Financial institutions are often leery of pushing more secure authentication options for fear of aggravating clients, said David Shipley, the chief executive officer of cybersecurity software company Beauceron Security Inc., based in Fredericton, N.B.

“They are terrified of inconveniencing their customers and losing a customer to the other bank that’s easier to work with. They would rather deal with the known costs that they understand, that often increasingly now are customers’ costs or losses, than introduce this kind of change,” Mr. Shipley said.

Some financial institutions are run on such old technology that it can be difficult to bring in new security features, he added.

Mr. Shipley said banking regulators could play a role in pushing the adoption of app-based multifactor authentication by financial institutions.

“If everyone is forced to adopt the same standard on the same timeline, then they don’t lose, and you take away that competitive pressure,” he said.

© Copyright 2025 The Globe and Mail Inc. All rights reserved.
