“Two factor Authentication” – a Silver Bullet for data security?

13th August 2020 Media Law

The most common way to secure our data online is with a password. We are continually advised not to use the same password for different accounts and the requirements for different characters within a password can sometimes feel like over-kill.

However, no matter how complex you make your password this is still single-factor authentication. This means that you only need one category of identification credentials to gain access to whatever the password is protecting.

There are three primary methods by which a computer can identify you:

  • Something you know: such as a password or a PIN number
  • Something you are: such as biometric data like fingerprint or face ID
  • Something you have: such as a bank card or a mobile phone.

Two factor authentication is simply the use of two methods of identification verification to secure your personal data. For example, using a bank card at an ATM is two factor authentication: it combines something you know, your PIN number with something you have, your bank card.

Two factor authentication helps to prevent unauthorised access to your online services and offers additional security to single factor authentication. It creates an additional hurdle for any criminal seeking to impersonate a user and gain access to protected data.

More and more online services and applications are forcing customers to use two factor authentication. Take for example online banking apps. In order to first open the application you will either be required to provide a password (something you know) or biometric data such as FaceID on your mobile phone (something you are). Once in the application and actioning a transaction, many banks now use a ‘one-time password’ (“OTP”). These are unique passwords that are only valid for a single login session and for a defined short period of time. This password will be sent to the mobile number registered with the account. You simply type in the OTP sent to you via SMS and this approves the transaction. The use of an OTP uses the factor of something you have, your mobile phone, and without the phone you are unable to approve a transaction. 

However, despite being a step up from just a password, two factor authentication is not perfect. The use of two factor authentication is made redundant if a hacker is able to gain control of your mobile number using social engineering. In the case of sim swap fraud a hacker rings up a customer service representative of a mobile phone provider. The hacker pretends to be you and asks that your mobile number is transferred from one sim card (the one in your phone) to another sim card (the one in the hacker’s phone). Once this has been done the hacker now has control of your mobile number. In the example of the mobile banking app above this can be fatal. The hacker can use the mobile number to authenticate themselves as you by saying that you have forgotten your password and asking that an OTP is sent to the mobile number registered with the account. Once in your account with this new password, they can authorise payments as they will be the ones to receive the OTP and not you.

Another issue to consider is the use of biometric identifiers. If a hack takes place and credentials are stolen, this obviously creates risk and usually requires a password change. However, if biometric information is involved, how do you change your finger-print or face? The obligation on organisations to keep customers’ biometric data safe is obviously crucial. 

If you have fallen foul of sim swap fraud or other data breaches involving your mobile phone, JMW can provide legal advice to help you seek justice please do get in touch.

We're Social

Amy Smethurst is a Paralegal located in Manchesterin our Media Law department

View other posts by Amy Smethurst

Let us contact you


COVID-19 Update - Our website and phone lines are operating as normal and our teams are on hand to deal with all enquiries. Meetings can be conducted via telephone and video conferencing.

View our Privacy Policy

Areas of Interest