Introduction
2-Factor Authentication, or 2FA for short, is a security practice that adds an additional layer of authentication to a website or application in order to make it significantly harder for an attacker to compromise an account.
Traditional usernames and passwords provide only a single means for a user to authenticate; 2FA adds another layer, typically a phone number to which a code is sent.
This code is then used to sign in after providing the username and password. If an attacker manages to compromise the password, their effort is rendered useless without the 2FA code, making it a secure choice for online accounts.
This technology is also commonly referred to as Multi-Factor Authentication (MFA) and can involve multiple steps for extra security. It is typically deployed by banks and other providers which handle sensitive data and require the utmost security.
Types of 2FA
Security questions
Security questions have been around for many years and are considered the weakest form of 2-step verification, due to the potential for attackers to guess this information or gather it from other sources such as pictures and social profiles.
Security questions are also typically generic in nature and as such far less random than the other approaches shown below.
These questions are commonly used by websites in tandem with the other options when users forget their password and request a new one.
Phone based authentication (SMS)
This is the most common form of 2FA and requires the user to add a phone number to their account. Upon sign-in, a code (typically 4-6 digits) is sent via SMS and must be entered to log in.
SMS authentication is simple, cheap and easily deployed, making it a very common method of extra authentication.
One-time password (OTP)
OTP is very similar to phone verification, however it is more secure as it allows letters as well as numbers to be used, including lowercase and uppercase.
As opposed to SMS, OTP codes can be generated in a specially designed mobile app, which produces the codes on the fly as required for sign-in.
Physical device 2FA
(An example of a physical authentication device: YubiKey)
The last option on this list is a physical device which generates the keys on the device itself, independently of the user's computer or mobile device.
This approach is by far the most secure, as the keys are least prone to interception if the device is physically secured, and they aren't prone to attacks like phishing.
Physical keys can however be inconvenient, as they aren't always compatible with different devices and are limited by the port being used, preventing them from easily being used on devices like smartphones and tablets.
Higher-end products also support NFC (Near Field Communication), which enables them to be used wirelessly within short proximity, making them easier to use with smartphones and tablets, as NFC is a well supported standard at the time of writing.
Security shortcomings
Whilst 2FA helps mitigate a vast number of attacks, it isn't 100% perfect and can be defeated if the target device is compromised and the codes are extracted by the attacker first.
Modern threats like malware that infects a device, and ATM skimming, can also render the technology ineffective, as sensitive information is captured immediately.
O2 Telefónica, a German mobile service provider, confirmed in May 2017 that cyber criminals had exploited SS7 vulnerabilities to circumvent SMS-based two-step authentication and make unauthorized withdrawals from users’ bank accounts. In order to steal the account holders’ bank account credentials and phone numbers, the criminals first infected their computers.
The attackers then purchased access to a bogus telecom provider and set up a redirect for the victim’s phone number to a handset under their control. Finally, the attackers logged into the victims’ online bank accounts and requested that the funds be transferred to accounts owned by the criminals.
SMS pass-codes were routed to phone numbers controlled by the attackers, and the money was transferred out by the cyber criminals.
Advantages & Disadvantages of the technology
Advantages:
- Secure and protects against the majority of attacks
- Relatively easy to setup and maintain
- Helps protect against unauthorized activity even if a password is leaked in a security breach
- The keys can be backed up in the event you lose access to your phone or it is stolen
- The keys can be synced across different devices depending on the platform being used
Disadvantages:
- Not a silver bullet, requires good passwords and other security practices to be effective
- Can be inconvenient when in a rush
- Requires a device or app to generate the codes
- Can be problematic if the device generating the keys is lost and not backed up
- Slows down the process of logging into accounts
- Not available on all platforms & websites
- If your phone runs out of power you cannot login to your account
Citation(s):
“Multi-factor authentication” Wikipedia, 12 May 2009, en.wikipedia.org/wiki/Multi-factor_authentication. Accessed 29 June 2021.
Yubico, CC BY-SA 4.0 https://creativecommons.org/licenses/by-sa/4.0, via Wikimedia Commons
Image by Jan Alexander from Pixabay
Image by Firmbee from Pixabay