Two-step Authentication Isn’t Bulletproof. Here’s Why.

You know that annoying page that asks you to set up two-factor authentication when you log in to your Gmail? Well, Google is on to something and you should probably do it.

So what is two-factor authentication? (And why does it have such a long name?) Well, it’s the latest and greatest way to keep hackers out of your online accounts. And unfortunately the words are just long.

The most common way to implement two-factor authentication is by linking your account to a cell phone number. You’ll receive a text with a one-time passcode. Depending on the site, this passcode will either be required each time you log into an account or it’ll be used to verify the account holder if you forget your password. This adds an additional level of security and can make it harder for hackers to access your information.

But that’s not the only form of two-factor authentication. Biometrics has also made its public debut in the form of a fingerprint log-in with the latest iPhones. Retinas, voice, and heart patterns are also considered biometric two-factor authenticators.

Many sites currently offer this additional layer of security, like Google, Apple, Twitter and Facebook. But with Instagram as the latest to announce the switch to this long-overdue security enhancement, many are beginning to discover its vulnerabilities as well.

Here are three reasons to stay vigilant about your accounts, even when you have two-factor authentication enabled:

SMS authentication can be compromised

This is especially true with banking apps. Malicious software installed on a PC prompts a malware download when passcodes are sent to a phone. This allows cybercriminals to view both your password and your SMS passcode, thereby granting them total access to your online bank account.

Account recovery acts as a loophole

Account recovery bypasses the two-factor authentication system, which provides hackers with a simple loophole. When you want to reset your password, you are usually sent a temporary password via email. We’ve all been there. When this happens, cybercriminals can gain access to your account by swiping this temporary password before you do.
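For readers who build login systems, here is the recovery loophole as a small model, next to a reset that still asks for the second factor. This is an added example, not code from any site named in this article; the `Account` class and its method names are hypothetical, and the one-time code is a standard RFC 6238 authenticator-app code.

```python
import hashlib
import hmac
import secrets
import struct

def totp(secret: bytes, now: float, step: int = 30) -> str:
    """RFC 6238 one-time code (HMAC-SHA1, 6 digits), as an authenticator app shows."""
    mac = hmac.new(secret, struct.pack(">Q", int(now // step)), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"

class Account:  # hypothetical model, not any real site's code
    def __init__(self, password: str, otp_secret: bytes):
        self.password = password      # plain text only to keep the sketch short
        self.otp_secret = otp_secret
        self._reset_tokens = set()

    def request_reset(self) -> str:
        """Create the temporary secret that would be emailed to the account holder."""
        token = secrets.token_urlsafe(16)
        self._reset_tokens.add(token)
        return token

    def _redeem(self, token: str) -> bool:
        """Reset tokens are single use: a redeemed or unknown token is rejected."""
        if token in self._reset_tokens:
            self._reset_tokens.discard(token)
            return True
        return False

    def reset_weak(self, token: str, new_password: str) -> bool:
        """The loophole: the emailed token alone replaces the password."""
        if not self._redeem(token):
            return False
        self.password = new_password  # second factor was never asked for
        return True

    def reset_hardened(self, token: str, new_password: str, otp: str, now: float) -> bool:
        """Recovery keeps the second factor: token AND current one-time code."""
        if not self._redeem(token):   # token is spent even if the code is wrong,
            return False              # so each emailed token allows one guess
        if not hmac.compare_digest(otp, totp(self.otp_secret, now)):
            return False
        self.password = new_password
        return True
```

With `reset_hardened`, someone who can read the mailbox but does not hold the phone or authenticator cannot complete the reset.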

Phishing emails still happen

A skillfully composed phishing email is all it takes to gain information from vulnerable users, and two-factor authentication is not immune to this simple threat. Malicious software installed on vulnerable devices can capture passwords and information that allow it to bypass the authentication steps. For example, when online users rely on security questions as the “next step” after entering a password, phishers can send an email asking a user to verify their security questions. In the process, the phishers can take these questions and use them for themselves.

There are plenty more reasons to always stay aware of your online presence, but these three are the most common ways around the trusted two-factor authentication security blanket most of us live under. So always monitor your bank accounts and digital footprint to make sure you aren’t caught unaware as the victim of a cybercriminal.