Two-factor authentication: methods and myths
When I mentioned to a few friends that I was writing an article about 2-Step Verification, the typical response was eye-rolling and “Oh, that’s annoying...” Yes, that annoying extra step. We’ve all thought about it when we needed to get a code before we could sign in or verify our identity online. Can I just log in without a flurry of requests?
However, after much research into two-factor authentication (often called 2FA), I don’t think I’ll be rolling my eyes at this anymore. Let’s take a closer look at two-factor authentication, its various options, and dispel some of the myths associated with this “annoying” extra step.
The most common 2FA method: SMS codes
Usually, apps and secure services prompt you to add 2FA, at least via SMS messages, when logging into your account – either always or only from a new device. In this system, your mobile phone is the second authentication factor.
The SMS message consists of a short one-time code that you enter in the service. Thus, Mr. Joe Hacker will need access to your password and your phone in order to log into your account. One fairly obvious issue is cell phone coverage. What if you are stuck in the middle of nowhere with no signal or are traveling overseas without access to your regular carrier? You will not be able to receive a message with a code and will not be able to log in.
But in most cases, this method is convenient (most of the time we all have a phone at hand). And there are even some services that have an automated system for reading the code aloud, so you can use it with your landline if you can’t receive text messages.
Google Authenticator, Authy and other app-generated codes
Potentially the best alternative to SMS, because it doesn’t depend on your wireless carrier. Google Authenticator is the most popular app in its category, but if you don’t want to rely on Google for this kind of service, there are comprehensive alternatives like Authy, which offers encrypted backups of the codes you accumulate over time, as well as multi-platform and offline support. Microsoft and LastPass also have their own authenticators.
These apps will keep generating temporary codes indefinitely, with or without an internet connection. The only downside is that setting up the app is a little tricky.
After setting up a service with the authenticator, you will be prompted to enter an authentication code in addition to your username and password. You will rely on the Google Authenticator app on your smartphone to get a new code. Codes expire within a minute, so sometimes you’ll have to work quickly to enter your current code before it expires, and otherwise use the next code.
Physical Authentication Keys
If dealing with codes, apps, and text messages seems like a headache, there’s another option that is gaining popularity: physical authentication keys. This is a small USB device that you attach to your keychain. When logging into your account on a new computer, insert the USB key and press its button. Done and done.
These keys follow a standard called U2F. Google accounts, Dropbox, GitHub and many more are compatible with U2F tokens. Physical authentication keys can also use NFC and Bluetooth to communicate with devices that lack USB ports.
App and email based authentication
Many apps and services skip the above options altogether and verify sign-ins through their own mobile apps. For example, turn on “Verify Sign In” on Twitter, and the first time you sign in to Twitter on a new device, you’ll need to confirm that sign-in from the app you’re already signed in to on your phone. Twitter wants to make sure it is you who has your phone, and not Mr. Joe Hacker, before you log in.
Google accounts offer something similar: when logging into a new computer, it asks you to open Gmail on your phone. Apple also uses iOS for sign-in verification on new devices. When you sign in on a new device, you’ll receive a one-time code sent to the Apple device you’re already using.
Email-based systems, as the name suggests, use your email account as the second authentication factor. When you sign in to an app or service that uses this option, a one-time code is sent to your registered email address for additional verification.
Myths/Frequently Asked Questions
For which common services is it recommended to enable 2FA?
- Google/Gmail, Hotmail/Outlook, Yahoo Mail **
- Lastpass, 1Password, Keepass or whatever password manager you use **
- Dropbox, iCloud, OneDrive, Google Drive (and other cloud services where you store valuable data)
- Banking services, PayPal and other financial services that you use that support them.
- Steam (in case your game library is worth more than your average bank account balance)
** They are especially important because they usually serve as the gateway to everything else you do online.
After a security breach, should I enable two-factor authentication as soon as possible?
The problem is that you can’t just flip a switch and enable 2FA. Enabling 2FA means that tokens must be issued or cryptographic keys must be enrolled on other devices. In the event of a service hack, we recommend that you first change your passwords and then enable 2FA. Best practices still apply, such as using complex passwords and avoiding password reuse across services/websites.
Should I enable two-factor authentication or not?
Yes. Especially for mission-critical services that contain your personal data and financial information.
Two-factor authentication is immune to threats
No. 2FA depends on both technology and users, both of which have weaknesses, so 2FA has weaknesses too. Two-factor authentication that uses SMS text as the second factor depends on the security of the wireless carrier. There have also been cases where malware on the phone intercepted SMS messages and forwarded them to the attacker. Another way 2FA can go wrong is when the user carelessly approves an authentication request (maybe a pop-up message on their Mac) that was triggered by an attacker trying to log in.
How can 2FA fail in case of a successful phishing attempt?
Two-factor authentication can fail in a phishing attack if an attacker tricks a user into entering their 2FA code on a fake page. The attacker then holds both the user’s credentials and the 2FA code, bypassing the 2FA protection. To prevent this, it is important for users to be aware of phishing attempts and to verify that login and 2FA pages are genuine before entering information.
Two-factor solutions are (mostly) the same
It might have been true at some point, but 2FA has seen a lot of innovation. There are 2FA solutions using SMS messages or emails. Other solutions use a mobile application that contains a cryptographic secret, or key material stored in the user’s browser. Reliance on third-party services should be weighed carefully, since such services have been hacked in some cases and the authentication failed as a result.
Two-factor authentication is an annoying addition with little benefit
Well, with that attitude, we’ll never get anywhere. In fact, some businesses or services see 2FA as a compliance requirement rather than something that can help reduce fraud. Some companies use the minimum required 2FA, which does almost nothing, just to tick the 2FA box. As a user, using 2FA can be annoying, but if a company uses a flexible authentication method (not just a minimal one), it can reduce the chance of fraud. And who doesn’t want that?