Blog / Account takeover

Why 2FA isn’t a silver bullet for account takeover

Multi-factor and two-factor authentication are a widely used security measure designed to prevent account takeover. But there are very real gaps and limitations in their effectiveness – which fraudsters can actually exploit.

24 June 2024

Why 2FA isn’t a silver bullet for account takeover

Fraudsters using stolen login credentials to gain unauthorized access to customer accounts is a huge threat to business. Once in, these bad actors can exploit your customers’ financial information for their own benefit or simply sell the account on.

Ravelin's latest fraud survey found that merchants rank two-factor authentication (2FA) at the top of fraud prevention tools. We do this merchant survey every year, and 2FA has in fact consistently been a popular answer.

Indeed, 2FA is often the go-to method in the fight against account takeovers (ATO). And many cybersecurity professionals and online merchants consider 2FA to be the “silver bullet” to prevent account takeovers.

Yes, 2FA provides a valuable extra layer of security but it’s far from bulletproof.

In this article, we'll discuss the shortcomings of relying on a single layer of security against account takeover. And explain why it’s so important that you think about account security beyond login.

Which tools do you find the most effective for fighting fraud?

Why are merchants relying on 2FA for account takeover?

Before we focus on the gaps, let’s take a moment to focus on the strengths of 2FA and understand why it is so popular with merchants.

The core principle of 2FA is additional information must be provided to complete a login – usually a passcode accessed via email, phone or authentication app.

Essentially, a customer will need to enter their password as usual and then a second authentication factor.
Even if a fraudster has breached these credentials for an account, they won't necessarily have access to the victim’s email account or device. So they would be blocked from accessing the account.

In this scenario, 2FA may be enough to deter opportunistic fraudsters.

Another reason is that 2FA is a relatively easy solution to implement into the login process and many solutions are freely available. Many customers are also now used to 2FA, having used it on various services from ecommerce to government websites. Depending on the demographics, they may even expect and feel more comfortable knowing they are protected by this apparent security layer.

But no single layer of security is a fool-proof safety net. Fraudsters are constantly adapting their techniques to take advantage of security oversights. Relying just on 2FA can create a false sense of security that costs you and your customers dearly.

To provide comprehensive and adaptive security, merchants need to implement a multi-layered approach. This includes techniques such as machine learning and rules that complement each other and address gaps and vulnerabilities. Let’s take a closer look at what these are for 2FA.

2fa fraud prevention

The limitations of 2FA

1. Social engineering allows fraudsters to circumvent 2FA

People will always pose a vulnerability to any security system. In the case of 2FA, fraudsters use social engineering to exploit this limitation. It remains the number one ranking type of attack.

Social engineering is the art of manipulating people to disclose confidential information. Tactics can include phishing emails or phone calls. Fraudsters are resourceful and employ many different techniques to gain trust and solicit information from your customers.

For example, a fraudster may send a convincing email that appears to be from a real company, asking the recipient to click on a link and enter their login credentials and the 2FA code. Everything might look legitimate, but the link is to a fake website which captures the details to be used elsewhere.

The rise in large language models' (LLM) use by fraudsters, who can use tools based on technology such as ChatGPT, has meant that creating phishing and spear-phishing emails is easier than ever – and consumers are even more likely to fall for them.

In this scenario, 2FA fails to prevent account takeover because the fraudster has already obtained the victim's login credentials and the login appears legitimate.

2. 2FA imposes significant friction on good customers

While 2FA adds an additional layer of security, the burden is placed on your customers to complete an additional step in the journey.

Some might argue this is a small price to pay to protect your valued customers. But the reality is this increase in friction may result in higher abandoned login rates – in churn.

The impact will vary based on the industry, market and customer demographics but as a case in point, "concerns about friction and customer churn" was the second most popular answer (out of eight) when we asked online merchants "What stops your company from being more effective in fighting fraud?" as part of our 2024 Fraud Survey.

What is consistent is that customers have come to expect streamlined experiences. They can become frustrated when completing a task that is overly complex or time consuming.

Additionally, some customers may not have access to the necessary devices to receive the 2FA code. This further increases friction and you could potentially lose business from legitimate customers.

In a sense, indiscriminate use of 2FA punishes both customers and businesses for fraudster behavior.

3. 2FA doesn’t use data to enhance customer experience

Merchants have more data and tools available than ever to understand their customers and deliver a personalized, streamlined experience.

This is particularly evident in ecommerce and online marketplaces. Merchants painstakingly craft a seamless path to purchase that delivers recommendations based on search and purchase history. They can also use these insights to refine the customer experience by identifying friction and drop-offs.

This nurturing approach does not extend to 2FA. It’s simply a security layer that authenticates customers directed towards it. By applying blanket 2FA, you risk undermining the carefully crafted customer journey you’ve labored to design for your customers – without guaranteeing their account security.

4. 2FA doesn’t look at account takeover beyond login

There is always a need to balance risk with conversion along the customer journey. But making 2FA at login the sole or main account takeover deterrent means there’s no back up plan for when – not if – fraudsters evade detection. This limitation doesn’t only apply to 2FA, but to any rules or machine learning models that only act at login.

Fortunately, login isn’t your only opportunity to detect an account takeover attack. Monitoring checkout is key to stopping fraudsters masquerading as your legitimate customers. And machine learning allows you to do just that.

Prevent fraudsters by recognizing their tactics

So how exactly does machine learning help fight account takeover?

In a nutshell, a machine learning model is a security layer that constantly adapts and evolves in response to the changing techniques used by fraudsters. Models are trained on specific fraud characteristics and attack patterns, which allows them to identify and prevent attacks in real-time.

Account takeover models at login and checkout use historical customer behavior to identify irregularities that may indicate an account takeover attack. And each model uses different data according to the customer journey stage.

For example, a login model will be concerned with information relating to login history. This includes features such as device, location and whether credentials are being manually entered or pasted in.

A model deployed at checkout will be focused on post-login behaviors that might signal fraud. These signals might be the number of transactions made from that device, change in delivery address, or a higher than expected monetary value.

Account takeover models at both login and checkout provide a second chance to thwart fraudsters before they inflict financial harm on your customers and business.

Do you currently use any of the following functionality or tools as part of your strategy to mitigate account takeover?

Your business needs a comprehensive toolkit

There are definitely scenarios where 2FA is appropriate in the fight against fraud. But an effective defense against account takeover requires an ecosystem of tools.

You need a fraud strategy that provides robust and effective protection but also enhances the customer journey. The benefits are clear for everyone – except for the fraudsters.

To learn more about the benefits of machine learning for account security, book a call with one of our team of friendly fraud experts today.

Related resources

About ravelin logo

 Sign up to our newsletter

Subscribe with us to get a monthly update of what's new in fraud and payments.

About ravelin logo
Subscribe

Related content