Today I will be introducing a popular security measure called Two-Factor Authentication, or 2FA for short. Last time I spoke about phishing attacks and how they can be used against people to steal credentials. 2FA is a new method for securing your accounts and systems even further. Let me give you a simple example: Instagram offers 2FA security. How it works is easy: when you log in using your username and password, you are prompted to enter a one-time 6 or 8 digit code that was sent to your phone by Instagram. This way, your account is secure from hackers even if they have your username and password! They will require access to your phone in order to get the 2FA code. In the past years, 2FA has become very popular across various platforms. Today I will describe how it works and why it is only going to get more popular, along with different ways you can use 2FA for your own benefit.
What is 2FA:
Definition: “Two-factor authentication (also known as 2FA) is a type (subset) of multi-factor authentication. It is a method of confirming users’ claimed identities by using a combination of two different factors: 1) something they know, 2) something they have, or 3) something they are.”
To put it in simple words, 2FA uses different sources of verification to grant access without compromising the user or device. Of course, everything has its pros and cons. 2FA’s advantages are:
- No additional tokens are necessary because it uses mobile devices that are (usually) carried all the time.
- As they are constantly changed, dynamically generated passcodes are safer to use than fixed (static) log-in information.
- Depending on the solution, passcodes that have been used are automatically replaced in order to ensure that a valid code is always available; acute transmission/reception problems do not therefore prevent logins.
While disadvantages are:
- Users must carry a mobile phone, charged, and kept in range of a cellular network, whenever authentication might be necessary. If the phone is unable to display messages, such as if it becomes damaged or shuts down for an update or due to temperature extremes (e.g. winter exposure), access is often impossible without backup plans.
- Mobile carriers may charge the user for messaging fees.
- Text messages to mobile phones using SMS are insecure and can be intercepted. Thus third parties can steal and use the token.
- Text messages may not be delivered instantly, adding additional delays to the authentication process.
- Account recovery typically bypasses mobile-phone two-factor authentication.
- Modern smartphones are used both for browsing email and for receiving SMS. Email is usually left logged in. So if the phone is lost or stolen, all accounts for which the email is the key can be hacked, as the phone can receive the second factor. So smartphones combine the two factors into one factor.
- Mobile phones can be stolen, potentially allowing the thief to gain access into the user’s accounts.
- SIM cloning gives hackers access to mobile phone connections. Social-engineering attacks against mobile-operator companies have resulted in the handing over of duplicate SIM cards to criminals.
Other Forms of Protection:
Recently Google has unveiled a new form of security, called “Titan Security Key”. It is a USB key that copies the functionality of the standard software version of 2FA but is protected from attacks such as phishing and SIM cloning. These keys offer the highest possible security defenses available on the market today. They are very simple to use and only require Google Play market for code verification and retrieval.
In general, protecting your account as much as possible is a great idea. Give those hackers a hard time, let them know you are one step ahead of them. So don’t forget to log in to your online accounts and set up two-factor authentication. Also, if you work as an IT admin or operate a business that depends heavily on being connected to the world wide web, consider investing your money into the Google Titan Security Key.