If you have at least one very high-value online account that is protected ONLY by a password, then allow me to introduce you to two-factor authentication. Because it might just be what would save that account from being hacked or hijacked in the near future. (It’s a matter of when).
Two-factor authentication (also known as 2FA) is a method to confirm users’ claimed identities, by having them provide a combination of two different authentication factors, which are: something you know and something you have.
Now before I expound more on the above-mentioned authentication factors, it’s important you know that you may have already been using two-factor authentication in real life without even knowing.
A good example is when you withdraw money from an ATM. You need a combination of your bank card (something you have) and your correct PIN (something you know) for cash to come out, right?
So, when we urge folks to consider adding two-factor authentication to their important online accounts (thinking online banking and email accounts) this is what we hope to help you achieve:
To help you be more secure by adding an additional layer of security which makes it multiple times harder for malicious hackers to be able to gain access to your online accounts.
Because now, an attacker will have to know more than just your password to compromise your account, they also have to know your second factor authentication code.
The use of multiple authentication factors to verify users’ identity stemmed from the fact that relying on passwords alone was no longer enough. Security in depth is where we are at now.
One of the ways that has proven successful so far in combating this inherent weakness of the password system is the use of multiple authentication factors.
There are other authentication factors that can be used to verify someone’s identity, but here are the most popular, listed in the approximate order in which they were adopted in computer security:
1. Knowledge Factors (Something you know): Knowledge factors are the most commonly used form of authentication. Here the user is required to prove knowledge of a secret in order to authenticate.
This “secret” could be a personal identification number (PIN) such as the one commonly used for ATM access, a password, the answer to a “secret question” like “What is the name of your best friend?”, or a specific keystroke pattern like the one you use to unlock your smartphone.
2. Possession Factors (Something you have): Possession factors have also been around for many centuries. Here the user is required to have in their possession something in the form of a key to a lock.
This “key” could be a credit card, a smartphone, a small hardware token, or a USB device.
3. Inherent Factors (Something you are): Inherent factors are tied to the user’s body. These are usually biometrics, which include fingerprint scans, voice prints, retina scans, or face recognition.
Now, for it to be two-factor authentication, the two factors cannot come from the same category. They must come from two different categories to constitute 2FA.
Common types of two factor authentication
The methods or means of delivery of the second factor authentication codes differ and they are not all on the same level of security.
Some are more secure than others and hence more complex to set up. But make no mistake about it, they all offer better protection than traditional password-only protection.
1. SMS & voice based 2FA: SMS or text message based 2FA relies on the users’ phone number. To access a website or web-based service, the user types in their username and password – knowledge factor. Then for the second factor, the system sends the user a One-Time Password (OTP) via a text message to their phone – possession factor.
Voice-based 2FA is similar: instead of a text message, the service makes an automated call to the user to verbally deliver the 2FA code.
A saddening caveat: Although SMS based 2FA is the most commonly adopted form of 2FA by many websites and web-based services including banks, it is considered the least secure way to authenticate users.
Why is that?
Mobile phone numbers are targets for hackers. They are susceptible to SIM swap attacks, where an attacker takes over your number and receives your codes instead of you.
Secondly, SMS messages can be intercepted, whether remotely or locally.
Even at that, 2FA over SMS is still advisable and is far better than no 2FA at all, please use it.
2. Software-based 2FA: This is a popular form of 2FA where an authentication app or software generates a Time-based One-Time Password (also known as TOTP or soft-token) for authentication access.
The delivery of this code does not depend at all on your phone number and is the preferred alternative to SMS or voice-based 2FA. The code cannot be intercepted in transit, because the app or software both generates and displays it on the same device.
To start using soft-tokens you will first have to install and set up a free 2FA app, after which you can start adding your favorite websites or web-based services that support this type of two-factor authentication. Any major website or online service worth its salt should offer app-based 2FA, so you won’t have to look too far.
What’s more, your 2FA tokens can be generated even when you are in a location where there is no service or network reception because the software works offline.
3. Hardware-based 2FA: This is the hardware version of soft-tokens. The user carries a small device, like a key fob, that displays a new code every 30 seconds, and enters that code to authenticate.
This 2FA hardware type is commonly seen around the necks of banking officials in a Bank. At some point, you may have seen them glancing at that small device to obtain a code, which they then enter on their computer to complete a transaction.
Furthermore, there are other hardware 2FA devices that transfer the login confirmation to your computer or smartphone automatically. These are Universal 2nd Factor (U2F) authenticators.
U2F hardware tokens are the darlings of security pros, primarily because they are highly secure yet simple to use.
Some U2F devices can both be used on a computer via USB ports and on smartphones & tablets via NFC. Bluetooth is required for mobile devices that do not support NFC, such as the iPhone, which still requires Bluetooth-based authenticators.
The best-known and most common example of a U2F device is the YubiKey, made by Yubico. And the best Yubico security key for most people is the YubiKey 5 NFC (about $45, check the current price on Amazon).
4. Push-notification based 2FA: Push notification is a “codeless” form of 2FA where the user only has to push a button to either deny or approve a login request.
There is no entering of a 6- or 8-digit string of numbers to authenticate, just a single tap of a button. Duo Security is one company that really shines in this area, as push notification is their core 2FA method.
But there are caveats to push notifications to be aware of. It depends heavily on an internet-connected smartphone that can also run the authentication app. So in an area with unreliable internet connectivity, this could be a problem.
This type of 2FA is often best suited to enterprise environments, where the time taken to input 6- or 8-digit 2FA codes would be a bottleneck for employees. In any case, it is a more user-friendly form of security.
I think by now I no longer have to convince you that you need to start using two-factor authentication (or 2FA) for your online accounts.
If you value your online security and privacy, adopting 2FA is a huge step in the right direction.
Do you need further clarifications or security advice? Hit me up in the comments below or send me an email at [email protected], I’ll gladly help you out.
Don’t forget to share this post with friends and family to also help them stay secure.