If you have a smartphone or online financial accounts, you've heard of two-factor authentication. In fact, even if you haven't heard of it, you've probably used it in some form. Two-factor authentication, or 2FA, has become an essential step in accessing many of our private accounts online, because it adds an extra layer of security. However, it can be confusing. How does 2FA work, and is it really safe? Do I really need it? This beginner's guide to two-factor authentication should help answer your questions!
I have spent countless hours researching and implementing security solutions for my businesses. I also have a background in the sciences and computers, and a concern for privacy. Hopefully, the insights shared on this site will help you make informed decisions about securing your stuff!
What is Two-Factor Authentication?
Two-factor authentication (2FA) is a security procedure in which users must present two pieces of evidence, from two different categories, to prove who they are.
Two-factor authentication provides greater security by requiring that second form of verification. Single-factor authentication relies on just one check, usually a password, passphrase or PIN.
In practice, the user supplies a password as one component and a second, independent element, usually either a security token (or a code produced by one) or a biometric factor such as a fingerprint or face scan.
When you turn on two-factor authentication, an extra layer of security is added to the authentication procedure. This makes it more difficult for attackers to gain access to a user's devices or online accounts, because even if the victim's password is stolen, the password alone is not enough to pass the authentication check.
What are authentication “factors”?
There are several authentication methods that can be used together to provide 2FA. Most single-factor authentication methods use knowledge factors, the most common of which is the humble password. In two-factor authentication, a second factor from a different category is added, usually a possession factor or an inherence factor.
The following are the six most widely used factors in 2FA and MFA: Something you know, something you have, something you are, somewhere you are, something you do and something submitted within a time frame.
#1 Knowledge Factors (Something you know)
A Knowledge Factor is a piece of information that the user knows, such as a password, a personal identification number (PIN), or another form of shared secret.
Knowledge factors limit access to a system by requiring the user to supply some piece of information. A password or personal identification number (PIN) is the most frequent knowledge-based requirement used to restrict access to a system. Most apps and network logins require a username or e-mail address and a matching password or PIN. The username on its own is not an authentication factor; it is simply how the user claims an identity to the system. The password or PIN is what confirms that the person supplying that username or e-mail address actually owns it.
#2 Possession Factors (Something you have)
A possession factor is something the user physically has. It could be an identification card, a security token, a cellphone, or an app on a smartphone or other mobile device.
Possession factors are usually administered through a device, like a mobile phone, that is known to belong to the user.
A hardware device, such as the RSA SecurID, may generate one-time passwords. Alternatively, they might be generated by the server and sent to the user's mobile phone via text message. In either case, the user who is authorized to access the system must control the device that generates or receives the one-time passwords.
#3 Inherence Factors (Something you are)
Biometric features are considered inherence factors. These are characteristics inherent (and unique) to the user’s physical attributes. These might include personal traits linked to bodily characteristics, such as fingerprints. Fingerprints are often used as a second factor of authentication where a fingerprint reader scans the user’s fingerprint to either allow or deny access.
Other commonly used inherence factors can include facial and voice recognition, retina or iris scans.
Biometric data is unique to an individual and hard to hand to someone else, which makes inherence factors strong in practice. They are not secrets, though: a fingerprint or face can be captured, and it cannot be changed once it has been copied. A well-designed system therefore checks the biometric on the user's own device (for example, to unlock a key stored on the phone) rather than sending the biometric itself to the server.
One drawback is the limits of available hardware. Users who choose biometrics must have compatible device hardware that supports that specific factor, which narrows the set of devices that can log in. That is good for security, but it can reduce user convenience.
#4 Location Factors (Somewhere you are)
The location from which an authentication attempt is originating can also be used as an authentication factor.
Limiting authentication attempts to specific devices in a particular location, or tracking the geographic source of an authentication attempt, are two strategies that can be used to enforce this. The IP address, or some other geolocation data obtained from the user’s mobile phone or another device, can provide this location factor.
If a company has 150 employees and all are based in the Miami area, it would be possible to restrict access to the company network to connections originating from the Miami area. An attempt to access the company's resources from IP addresses outside the area could indicate an attack. Of course, IP geolocation is coarse, and a VPN or proxy lets an attacker appear to be anywhere, so location should be treated as a risk signal rather than a hard factor on its own. Note that MAC addresses cannot serve as the device check here: a MAC address is only visible on the local network segment (it never reaches a server across the Internet) and is trivially changed, so a device's identity needs to come from something the server can actually verify, such as a certificate installed on a managed device.
#5 Behavior Factors (Something you do)
A behavior-based authentication factor is based on something the user does. The user first enrols by performing a particular action, and that recorded action is later compared against what they do when logging in.
For example, drawing a pattern on a screen could be a behavior-based authentication factor: a mobile phone that requires the user to draw a specific pattern onto a grid of dots to gain access. (Strictly, a memorised pattern is closer to a knowledge factor; behavioral factors proper measure how an action is performed, such as typing rhythm.)
#6 Time Factors (Something you submit within a time frame)
A time factor is often added. It isn’t so much a factor in and of itself, but it is used to enhance the effectiveness of other factors. Basically, user authentication is limited to a certain time window during which logging on is permitted, and access to the system is restricted outside of that period.
#7 Multi-Factor Authentication (A Combo of more than two of #’s 1 – 5)
Most two-factor authentication methods use the first three categories (knowledge, possession, inherence). Where greater security is necessary, the system may require more than two factors, for example knowledge, inherence and location. Multi-factor authentication, or MFA, is the general term for any login that requires two or more factors from different categories, so 2FA is the most common form of MFA, and "three-factor" authentication is MFA with one more factor added.
How does two-factor authentication work?
Two-factor authentication is enabled in various ways by different applications. Below are the typical steps used with practically all 2FA services.
- The application or the website prompts the user to log in.
- The user enters their username and password. The server looks up the username and checks the password against the stored (salted and hashed) copy; the user is not logged in yet.
- The server starts the second step. Depending on the method, it generates a one-time code and sends it to the user's phone, sends a push notification to the registered device, or sends a challenge to a security key. For app- or token-based codes nothing is sent: the app or token computes the code itself from a secret shared with the server at enrolment.
- The site then prompts the user to complete the second login step. Although this step varies, the user must demonstrate something unique to them, such as a biometric, a security token, an ID card, a smartphone or other mobile device. These are the possession or inherence factors.
- The user enters the one-time code (or approves the prompt, or touches the key) and the server verifies it.
- The user is granted access to the application or website only after both factors have been verified.
What 2FA Is and Isn’t
Two-factor authentication is a form of multi-factor authentication. 2FA is the strict requirement that two different categories of factor are used for authentication. Using two factors from the same category (e.g. the knowledge category) is not technically 2FA. For instance, if an account requires that you submit a password and the answer to a security question, that is two pieces of information but both are knowledge factors, so the authentication is not 2FA. It is still single-factor authentication (SFA).
But what’s the problem with passwords?
OK, so for some people this may seem like a lot of extra steps. Perhaps unnecessary steps. Why aren’t my passwords good anymore?
Usernames and passwords are not very secure on their own. One major disadvantage of password-based authentication is that it requires the user to create a strong password and also store or remember it securely. Not everyone does this. Some of us are careless with storing our passwords, some of us are lazy about creating strong ones, and many of us reuse the same password on several sites, so one breached site exposes the rest. We are often our own worst enemies when it comes to password security.
Other threats put passwords at risk. Attackers use many methods to obtain them: phishing, guessing common passwords, and trying leaked password lists against other sites. Once a site's database of password hashes leaks, the attacker can also guess offline at machine speed, so given enough time and resources a weak password will fall.
So why do we still use passwords? Well, they are still a good first layer. They are low cost to implement. And, we are all familiar with how they work.
Types of two-factor authentication products
OK, so we have covered what 2FA is and looked at the added security that it offers. So, how does this actually work in the real world? What 2FA products and services are there?
There are many devices and services that offer 2FA. The options include smartphone apps, RFID cards and USB drives.
But in general, there are typically two types of two-factor authentication products you will come across:
- Software on the server side that verifies the one-time codes (or other responses) submitted by users and grants or denies access; and
- Tokens that are given to users to use when logging in.
Authentication tokens can be physical gadgets like key fobs or smart cards, or they may be software-based mobile or desktop apps that generate short codes for verification. These codes are known as one-time passwords (OTPs). The token or app generates each OTP from a secret that was shared with the server when the token was enrolled, and the server, holding the same secret, checks that the submitted code is genuine. An OTP is a short sequence that may only be used once during an authentication procedure and is linked to one particular device, user or account.
The server side must therefore include a mechanism to accept each submitted code, check it, and allow or deny access accordingly.
Two-factor authentication for mobile devices
Smartphones provide a number of 2FA options because of the technology included in the devices, such as cameras. So, a business may choose to use fingerprint scans, facial recognition or even iris scanning. Because a mobile phone has a microphone, there’s the option for voice recognition. And many have GPS so that can be used to verify location factors. Finally, SMS text messages can be used as a second factor of authentication. These have been tremendously popular but are losing their appeal because of security risks.
A user may use a trusted phone number to receive verification codes by text message or an automated phone call. To enrol mobile 2FA, a user must verify at least one trusted phone number.
All the major software OS providers offer apps that support 2FA. These are often called Authenticator apps. These apps enable the phone to serve as a physical device to satisfy the possession factor.
Authenticator apps replace the need to receive a verification code by text, voice call or email. To access a website or online service that supports Google Authenticator, the user first types in their username and password; this is the knowledge factor. The site then requests a second factor: a code from the authenticator app. The app generates a new 6-digit number every 30 seconds from a secret that was stored in the app (usually by scanning a QR code) when 2FA was enabled, and the server, which holds the same secret, computes the same number. The user enters the current 6-digit code into the site; if it matches, the second factor (possession, combined with a time factor) is satisfied and access is granted.
How 2FA hardware tokens work
So we have software-based authentication products. But there is also hardware-based authentication; in fact these are probably the oldest form of 2FA. Usually these hardware tokens take the form of small, key fob-like devices that produce a new numeric code every 30 seconds.
A Hardware Token
For example, a bank may require hardware authentication for business accounts and issue a hardware token to their business clients. You may log in to your company’s bank account online, but transferring money out or paying bills online could require a one time password (OTP) issued by their hardware token. The bank’s site will prompt you for the OTP. Press the button on the hardware token and a numeric code is generated (the OTP), which is good for 30 seconds. Enter this code into the OTP field where you were prompted to authorize the transaction.
There are other hardware token solutions that are not tied to one vendor's service like the bank example above. One popular solution is the Yubikey, made by Yubico. Yubico provides several hardware options that take security a step beyond a mobile phone solution. Their basic device is a USB key that supports OTPs, public-key cryptography for authentication, and several protocols including the FIDO Alliance's Universal 2nd Factor (U2F) standard and its successor, FIDO2/WebAuthn.
Example- Using a Yubikey
The process of using a Yubikey is easy. Once you have set it up, to use it for 2FA services it will look like this:
- Go to an online service that supports Yubico OTP (services such as Gmail use the FIDO security-key flow instead, where the browser talks to the key directly and no code is typed)
- Insert your Yubikey into the USB slot
- Enter your password as normal
- Click in the field where the OTP is requested
- Touch the button on the Yubikey
- The Yubikey generates the OTP and types it into the field for you, just as a keyboard would.
There is more going on in the background, but the process is solid. With the FIDO protocols in particular, the key signs a challenge that is bound to the website's real address, so a look-alike phishing site cannot reuse the response the way it can reuse a typed code. Using a Yubikey or something similar really seals some security cracks.
Push notifications for 2FA
Push notifications are another method used for 2FA. A push notification alerts the user to a login attempt by messaging an app on the user's registered device directly. The user can view information about the authentication attempt (such as its location and time) right in the notification. Typically, with a single touch, the user approves or denies access; if the user approves, the server is told and logs the user into the web app.
When the device registered with the push notification service receives the notification and the user responds, that is taken as verification that the user is in possession of the device (usually a mobile phone). The weakness is that approving is easy: an attacker who already has the password can trigger prompts repeatedly until a tired user taps "approve". Services that show a number on the login screen and require the user to type it into the app ("number matching") close that gap, so prefer that option where it is offered.
Is two-factor authentication secure?
Two-factor authentication can greatly enhance security. But 2FA is only as secure as the weakest link in the chain, and you should keep that in mind when setting it up. It will make you more alert and may save you from being hacked.
Account recovery is a common weak point. It usually entails resetting the user's current password by emailing a reset link or temporary password. If the recovery flow then logs the user in without asking for the second factor, anyone who controls the e-mail account bypasses 2FA entirely. This is how the CEO of Cloudflare had his business Gmail account hacked.
SMS-based 2FA is another weakness and should be avoided where a better option exists. It is an easy and low-cost way to implement 2FA, but it is vulnerable to attack. You may have heard of SIM swapping (also called SIM jacking), where an attacker persuades the carrier to port the victim's phone number to a SIM the attacker controls, and so receives the authentication texts. SMS codes can also be intercepted through attacks on the phone network or by malware on the phone that reads and redirects text messages. Use an authenticator app or a hardware key instead.
Where is Authentication Headed?
The tech industry moves quickly. And the security industry in particular has to keep up. Cybercriminals are always developing their strategies and identifying weaknesses. Security providers have to adjust, plug holes, and if possible stay ahead.
So, where is authentication headed? What does the future of authentication look like?
Well, it is probable that we see more multi-factor authentication with three or more factors. It will probably take the form of requiring a physical token, a password and biometric data. Other signals such as geolocation, device data and the time of day will be used increasingly in authentication decisions.
With advances in AI, behavioral factors are also likely to increase. These could include keystroke timing, typing speed and mouse or pointer movements, and rather than a one-off check at login there may be continuous authentication using behavior monitored in real time.
Passwords will likely become less common, with many organisations moving toward passwordless authentication based on biometrics and device-bound keys. Adding in the potential of blockchain, with its decentralization and verification protocols, could provide further security opportunities.
What Steps Should I Take Now?
As you sign up for and use web services, for example, you will be encouraged to adopt 2FA. This can be a good thing! And it usually involves downloading an authenticator app.
Become familiar with authenticator apps. There are several decent options. The oldest and most widely used is Google Authenticator. It’s good, but it hasn’t kept pace with others. The best authenticator app is probably Authy. But Microsoft has a decent offering too.
It’s also advisable to begin using a Password Manager. It’s likely that how Password Managers are used will change over time, but start to use one and follow their development as they enhance security measures along the way. Some good ones are LastPass, Dashlane and Keeper. These can help you store, secure and use your passwords effectively and efficiently. A password manager will help to ensure you aren’t using the same password for multiple accounts, and that the password is sufficiently strong. Some offer other services too, such as dark web monitoring and monitoring for data breaches that can impact your online account.
The Final Score: Do I Need 2FA?
In a digital world where our identity has become a valuable commodity, and our privacy is under threat, it’s important to take security online very seriously.
The old method of usernames and passwords is susceptible to different types of cyber attacks. That’s where two-factor authentication comes in. It was developed to provide an additional layer of security to access your accounts. The “factor” just means a category of verification, and there are several forms these factors, or categories, can take:
- Knowledge. Something you know like a password.
- Possession. Something you own, like a phone.
- Inherence. Something you are, like your fingerprint and other biometrics.
- Behavior. Something you do, like drawing a pattern.
- Location. Somewhere you are, like an IP address or GPS coordinates.
When two of these factors from different categories are put together to gain access to a system or account, that is two-factor authentication. Multi-factor authentication is the general term for two or more; when more than two are used it is sometimes called three-factor authentication.
There are several ways that 2FA can work. Hardware keys can be used on top of passwords; these are called hardware tokens. The more familiar SMS text message is another form of 2FA: you provide your password to the site, a text message with a code is sent to your phone, and you enter that code on the site to gain access to your account. However, text message authentication is vulnerable and has been overtaken by authenticator apps and hardware keys.
Next Steps
If you want to add additional security to your online accounts, then consider enrolling 2FA on those accounts and using a mobile phone authenticator app called Authy or Google Authenticator. Consider adding another layer of security by using a Password Manager to store, secure and manage your passwords. Good ones include Keeper, Dashlane and LastPass.
With so many data breaches, malware attacks and cybercriminality out there, adding another layer to secure your identity, privacy and precious data is a no brainer.
Be smart and stay safe.