Two-factor authentication uses a combination of something you know and something you have to bolster your online security.
Passwords are a real problem these days. We’re required to create so many of them that most of us re-use our memorable favourites, and lengthy and complex pass strings, however desirable, are very much in the minority.
Two-factor authentication (2FA) uses a combination of something you know (your password or PIN) and something you have (a hardware token) to add another security layer into the authentication process. Unfortunately, ‘true’ 2FA costs rather a lot of money to both implement the system itself and to distribute those hardware devices to every user. This is especially true when you are talking about free online services such as Facebook, Twitter, Gmail or Dropbox, which have millions of users.
A better name for this security feature is two-step authentication (2SA). Today, two-factor authentication and two-step authentication are used almost interchangeably when talking about securing online accounts, and the name differs depending on what service you’re talking about. At its most simple, they effectively mean the same thing and both refer to adding an extra layer of security to your online world.
With two-factor authentication enabled, you log in to your account by entering your username and password as normal. The site will then prompt you to enter a code that is either emailed to you or sent to your phone by text message. This one-time code, or one-time password (OTP), is only valid for a limited time, usually no more than five minutes, and can only be accessed by someone with access to the email address or phone.
Anything that adds a second layer of identity verification is to be welcomed with open armsAnything that adds a second layer of identity verification is to be welcomed with open arms
Although such 2FA-by-SMS systems have their weaknesses, they undoubtedly add additional strength to the login process.
Generally speaking, the reason people give for not making use of optional two-factor authentication systems is the same reason others dilute its effectiveness once activated: the annoyance factor. We’re in a want-it-now society, and nowhere is that lack of patience more apparent than online, where web developers will happily recount tales of research into the short attention span of users.
This is reflected in those who would rather sacrifice security than wait mere seconds to receive a one-time password on their smartphone to type into an authentication box. Indeed, with most two-factor authentication implementations allowing some degree of user configurability, it’s also reflected in people who would rather opt to ‘ask me for a code every 30 days’ than ‘ask me for a code every time I login’.
Here’s the thing, though: think how much time it would take you to recover your Facebook account should it get hacked and someone change the password; think how inconvenient it would be if your email account was used to change the passwords on other services that send a ‘change request confirmation’ to it. Now think how annoying it is, relatively speaking, to enter that one-time SMS password.
The problem with 2FA
Google rightly insists that two-step authentication adds an extra layer of security to Gmail, but it’s wrong when it claims hackers would need to ‘get hold of your phone’ as well as your password in order to access your account.
SMS one-time passwords (OTP) are vulnerable to man-in-the-middle (MITM) attacks because they are what is known as an ‘insecure out of band method’, and the sender of that OTP can’t know for sure that the real user has possession of the handset to which it is being sent.
While 2SA does provide welcome added security, it isn’t foolproof; you should still implement security smartsWhile 2SA does provide welcome added security, it isn’t foolproof; you should still implement security smarts
In the case of 2SA, the “something” you have could actually be something someone else has (a thief) or something someone else has access to (a MITM attacker). The MITM attack needs you to have first been lured to a fake website that has cloned the real deal, into which you enter your login credentials. The clone site will often ask you to enter them again, claiming they were entered incorrectly. This isn’t seen as suspicious as we all make typos, but actually, the clone site is just playing for time while it contacts the real site with your credentials. The real site will then send the OTP to your smartphone, you’ll enter the generated code into the clone site and the hacker will enter it into the real site.
Still with us? Good, because your account will now have been compromised. More time will be played for by displaying some error message or other, during which the hacker will either make a transfer from the account, change the password or do whatever they need to make a profit from the attack.
So while 2SA does provide welcome added security, it isn’t foolproof. This means that you should still implement security smarts by not re-using the same passwords on multiple sites, not clicking first and thinking later, and making use of security tools to alert you about potential URL misdirections.
[relatedYouTubeVideos relation=”postTitle” max=”1″ class=”horizontal center bg-black”]