ANALYSIS OF THE EFFECTIVENESS OF TWO-FACTOR AUTHENTICATION AND THE HUMAN FACTOR IN CYBERSECURITY

DOI: https://doi.org/10.28925/2663-4023.2025.28.853

Keywords: two-factor authentication; human factor; digital security; phishing; social engineering; backup codes.

Abstract

In the digital environment, where information has become one of the most valuable resources, ensuring its confidentiality and integrity is a top priority for both government institutions and the private sector. Given the growing diversity of cyber threats and the rapid increase in incidents of unauthorized access to user accounts, traditional password-based authentication methods are no longer sufficient to provide an adequate level of protection. The widespread use of social engineering techniques, phishing attacks, malicious software, and automated password-cracking technologies has emphasized the urgent need for more secure and resilient authentication mechanisms. One such method is two-factor authentication (2FA), which relies on the combination of at least two independent factors for identity verification. Although 2FA is supported by most modern digital services and platforms, its effectiveness in practice is determined not only by its technical implementation but also by the behavior of the end user. This paper presents a comprehensive approach to analyzing the resilience of two-factor authentication systems, addressing both technological solutions and the human factor as a potential vulnerability. A series of practical experiments was conducted to simulate typical threat scenarios, including code delivery failures, device loss, and manipulation of time parameters. The results reveal that unauthorized access often becomes possible due to poor storage of backup codes, users' limited awareness of authentication principles, and the use of insecure delivery channels such as SMS. Particular attention is drawn to the issue of users refusing to configure additional recovery mechanisms, which may lead to permanent account loss. The study evaluates the effectiveness of tools such as Google Authenticator, Authy, hardware tokens, and cryptographic protocols like FIDO2. The findings justify the need to integrate multi-level authentication systems with clear user guidance, time synchronization checks, and automated suspicious activity monitoring. It is concluded that an optimal combination of technical safeguards and user digital literacy forms the foundation for building robust authentication mechanisms capable of countering contemporary cybersecurity threats.




Published

2025-06-26

How to Cite

Opirskyy, I., Sikorskyi, R., & Martyniuk, D. (2025). ANALYSIS OF THE EFFECTIVENESS OF TWO-FACTOR AUTHENTICATION AND THE HUMAN FACTOR IN CYBERSECURITY. Electronic Professional Scientific Journal «Cybersecurity: Education, Science, Technique», 4(28), 413–434. https://doi.org/10.28925/2663-4023.2025.28.853
