Let's talk about Two-Factor Authentication

Passwords are good, but…

We’ve written a lot about security… a lot! It’s vital that you do everything you can to improve your online account security. We live our lives on phones, tablets and computers, so it’s no surprise that our digital accounts have become prime targets for criminals. Malicious attacks against businesses, governments, and individuals are becoming more and more common. Data breaches, hacks and other forms of cybercrime are showing no signs of slowing down.

However, it is easy for individuals and businesses to add an extra level of protection to their online user accounts by using two-factor authentication, also commonly referred to as 2FA.

A Rise in Cybercrime Requires Stronger Security With 2FA

Over the last few years we’ve seen a huge increase in the number of websites losing the personal data of their users. As these attacks get more sophisticated, companies soon find that their old security controls are simply no match for modern threats and online attacks. Often, it’s simple human error that leaves your data exposed. Once a company has been breached, its reputation is badly damaged. Remember back in 2013 when 3 billion user accounts were affected in the Yahoo breach?

For individuals, the fallout of a targeted hack or identity theft can be devastating. Stolen credentials are used to open fraudulent credit cards and fund online shopping sprees, which can damage a victim’s credit rating. Incredibly, identity thieves have stolen over £83 billion in the past six years.

Online sites and mobile apps try to offer tighter security, but whenever possible, you should get in the habit of protecting yourself with something that’s stronger than just a password.

2FA or not 2FA?

From our point of view the answer is obviously 2FA. It’s an extra layer of security used to make sure that people trying to gain access to an online account are who they say they are. First, you enter your username and password as normal. Then, instead of immediately gaining access, you are required to provide another piece of security information. This second factor could come from one of the following categories:

  • Something you know: This could be a PIN, a password, or answers to “secret questions”.
  • Something you have: Typically, a user would have something in their possession, like a credit card, a smartphone, or a small hardware token.
  • Something you are: This category is a little more advanced, and covers biometrics such as a fingerprint, face or iris scan.

The word “two” matters: the second factor has to come from a different category than the first. A password plus a PIN is two things you know, and an attacker who has phished one has very likely phished the other. With genuine 2FA, compromising just one factor won’t unlock the account. So even if your password is stolen or your phone is lost, it is highly unlikely that the same person also holds your second factor. Looking at it from another angle, if a consumer uses 2FA correctly, websites and apps can be more confident of the user’s identity before unlocking the account.

Common Types of 2FA

Several types of two-factor authentication are in use today; some are stronger or more complex than others, but all offer better protection than just a username and password.

Software Tokens

The most popular form of two-factor authentication (and a preferred alternative to text messages) uses a software-generated, time-based one-time passcode (TOTP, standardised in RFC 6238).

First, a user must download and install a free 2FA app on their smartphone or desktop. They then enrol each site that supports this type of authentication, usually by scanning a QR code that carries a shared secret. At sign-in, the user first enters a username and password, and then, when prompted, they enter the code shown in the app. Like hardware tokens, the soft-token code is typically valid for 30 seconds. And because the code is generated and displayed on the same device, soft-tokens remove the chance of interception in transit, which is a big concern with text message or voice delivery. They do not remove phishing entirely: a code typed into a convincing fake login page can be relayed to the real site by an attacker within that 30-second window, so the address bar still deserves a look.

Best of all, because the code is computed from the secret shared at enrolment and the current time, app-based 2FA needs no network connection at all. User authentication is possible just about everywhere, even in areas with poor network signal.

Hardware Tokens

Probably the oldest form of 2FA, hardware tokens are small, like a key fob, and display a new numeric code every 30 seconds. When a user tries to access an account, they glance at the device and type the displayed code into the site or app. Other versions plug into a computer’s USB port and answer the site’s login challenge automatically, with nothing to type; the FIDO security keys in this category tie their response to the website’s address, which is what makes them resistant to phishing.

They’ve got several downsides, however. For businesses, distributing and replacing these units is costly. And users find their small size makes them easy to lose or misplace. Most importantly, a display token is not immune to attack: it is only as safe as the seed it was programmed with, and a code read off the screen and typed into a phishing page can be relayed like any other one-time code.

SMS Text-Message

SMS-based 2FA interacts directly with a user’s phone. After receiving a username and password, the site sends the user a unique one-time passcode (OTP) via text message. Like the hardware token process, a user must then enter the OTP back into the application before getting access. Similarly, voice-based 2FA automatically dials a user and verbally delivers the 2FA code. While not common, it’s still used in countries where smartphones are expensive, or where cell service is poor.

For a low-risk online activity, authentication by text or voice may be all you need. But for websites that store your personal information, like utility companies, banks, or email accounts, this level of 2FA may not be secure enough. SMS is considered the least secure form of 2FA: codes can be redirected by SIM-swap fraud, captured through weaknesses in the telephone network, or simply phished, and the NIST digital identity guidelines (SP 800-63B) now classify SMS and voice delivery as a restricted authenticator. Because of this, many companies are upgrading their security by moving beyond SMS-based 2FA.
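The SMS and voice flow above puts all of the real checking on the website’s side: the code travels over an untrusted channel, so the server has to make it short-lived, single-use and hard to guess. The following is an added example, not code from the original article or from any SMS provider, of that server-side logic. The message wording, the five-minute expiry and the five-attempt limit are assumptions; the `send` callable stands in for whichever SMS or voice gateway the site uses, and the phone number in the usage section is a constructed sample.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 300   # assumption: a code is good for five minutes
MAX_ATTEMPTS = 5        # assumption: a code is dead after five wrong guesses


@dataclass
class PendingOtp:
    code: str
    issued_at: float
    attempts: int = 0


class OtpService:
    """Issues and checks one-time codes delivered out of band (SMS or voice call).
    `send(destination, message)` is the delivery hook; `now()` is injectable
    so expiry can be tested without sleeping."""

    def __init__(self, send, now=time.time):
        self._send = send
        self._now = now
        self._pending: dict[str, PendingOtp] = {}

    def issue(self, destination: str, digits: int = 6) -> None:
        # secrets.randbelow is CSPRNG-backed; never use the random module for codes.
        code = str(secrets.randbelow(10 ** digits)).zfill(digits)
        # Re-issuing replaces any earlier code, so only one is ever live per user.
        self._pending[destination] = PendingOtp(code=code, issued_at=self._now())
        self._send(destination, f"Your verification code is {code}")

    def verify(self, destination: str, submitted: str) -> bool:
        entry = self._pending.get(destination)
        if entry is None:
            return False                      # nothing outstanding (or already used)
        if self._now() - entry.issued_at > OTP_TTL_SECONDS:
            del self._pending[destination]    # expired: force a fresh code
            return False
        if entry.attempts >= MAX_ATTEMPTS:
            return False                      # locked: 10^6 guesses is not an option
        entry.attempts += 1
        if hmac.compare_digest(entry.code, submitted):
            del self._pending[destination]    # single use: delete on success
            return True
        return False


def demo() -> None:
    """Constructed walk-through with a fake gateway that just prints."""
    svc = OtpService(send=lambda to, msg: print(f"[sms -> {to}] {msg}"))
    svc.issue("+447700900123")                # constructed sample number
    print("wrong code accepted?", svc.verify("+447700900123", "000000"))


if __name__ == "__main__":
    demo()
```

Two things this deliberately does not solve: the code is only as confidential as the phone line it travels over, which is the weakness discussed above, and a real deployment also needs a limit on how often `issue` can be called per number, both to stop an attacker using your site to spam someone’s phone and to cap the SMS bill.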

Push Notification

Rather than relying on the receipt and entry of a 2FA code, websites and apps can now send the user a push notification that an authentication attempt is taking place. The device owner views the details (which site, from where, at what time) and can approve or deny access with a single tap. There are no codes to type, and the password step still happens first, so this is a second factor rather than passwordless login.

By having a direct, authenticated connection between the site, the 2FA service, and the device, push notification removes the one-time code that a phishing page or man-in-the-middle could capture. It does not remove the user’s judgement from the loop: an attacker who already holds the password can trigger a genuine prompt, and a user who approves a prompt they did not initiate, or who is worn down by repeated prompts, lets them in. Good implementations therefore show where the request came from and ask the user to match a number displayed on the login page, so that a blind tap cannot approve someone else’s sign-in. Push also only works with an internet-connected device that can install apps. In areas where smartphone penetration is low, or where the internet is unreliable, SMS-based 2FA may remain the fall-back. But where it is an option, push notification provides a more user-friendly and more secure form of 2FA.

According to a recent report, stolen, reused, and weak passwords remain a leading cause of security breaches. Unfortunately, passwords are still the main (or only) way many companies protect their users. The good news is that cybercrime is in the news so much that 2FA awareness is quickly growing and users are demanding that the companies they do business with have improved security.