By JAMES DANIELS JR.
The new buzzword making the rounds is “two-factor authentication,” commonly known as 2FA. However, the technology is not new, and you may have been using it for some time without even realizing it.
For example, when you pay at the pump at certain gas stations, you are also required to enter a ZIP code; that is the basis of 2FA. Two-factor authentication protects not only against outside Internet-based threats such as brute-force, dictionary or rainbow-table password attacks, but against inside threats as well: passwords on easily accessible sticky notes, old hard drives that were not adequately destroyed, and social engineering exploits.
What is two-factor authentication?
With two-factor authentication, a user must present two authentication factors to prove he is who he says he is before being granted access to the desired information. This differs from typical single-factor authentication (SFA), which relies on a password alone. 2FA adds a layer of security that makes it harder for attackers to gain access to online accounts, because an attacker needs to know more than a person’s password.
There has been an organic movement by both users and organizations to move to two-factor authentication; in fact, the U.S. government has developed a campaign utilizing the hashtag #TurnOn2FA.
What are the authentication factors?
Two-factor authentication relies on three categories known as factors to verify a person’s identity and grant access. The factors include:
- Knowledge factor (something you know) – such as a PIN or password.
- Possession factor (something you have) – this could be an ID card, security token, USB key, or a smartphone.
- Inherence factor (something you are) – meaning biometrics, a physical characteristic such as a fingerprint, face or voice. There are also behavioral biometrics, which include keystroke and speech patterns.
Two-factor authentication utilizes factors from two of the above categories to confirm a user’s authenticity; once authenticity has been verified, users are allowed to access their data.
How does two-factor authentication work?
Two-factor authentication initially works in the same manner as SFA: the user logs in with a username and password. The 2FA process then requires another code/password, which can be generated by a USB key, token device, or smartphone application. An example of USB key authentication is the YubiKey, which supports popular online services such as Gmail, Facebook, and Dropbox. The YubiKey plugs into a USB port on the user’s device; the user navigates to the online service, enters the password as normal, then touches the YubiKey, which generates a one-time password (OTP) for use with the online service. The user-entered password is the knowledge factor and the YubiKey is the possession factor, so the 2FA is complete.
What about two-factor authentication from mobile devices?
Utilizing smartphones opens the door for a broad range of possibilities for 2FA. The limitations are based on the online service and the abilities of the smartphone. Currently, smartphones have fingerprint recognition, built-in cameras that can be used for facial recognition and microphones that can be used for voice recognition; all can be utilized for 2FA.
Some online services send numeric codes to users by text message as a verification code; this is different from two-factor authentication. It is considered two-factor verification, which is slightly different from 2FA because the information is sent via text message or email, which can be intercepted by an attacker, compromising the security framework.
Apple iOS, Google Android, Windows 10 and BlackBerry OS 10 have authenticator apps that support secure 2FA. These apps replace the need to receive verification codes via text message or email. The process to access a website or web-based service using an authenticator app begins with the conventional step of entering a username and password, which is the knowledge factor. Next, the user is prompted to enter a six-digit number. Instead of receiving this code via text or email, the authenticator app provides the number. The authenticator app generates a new code every 30 seconds, so every login uses a different code; this demonstrates that the user is in possession of the device, satisfying the possession factor. The authenticator apps also provide a more secure means of distributing the verification code needed to complete 2FA successfully.
Is two-factor authentication secure?
It is worth mentioning that two-factor authentication is not 100 percent impervious to hackers. However, it does add another level of protection over single-factor, password-only authentication. Two-factor authentication is only as secure as the components involved. Therefore, if a USB key or a token device is hacked or compromised, the possession factor of 2FA is broken, and it would be possible for attackers to obtain the codes. At the end of the day, though, 2FA makes attacks more challenging because merely having an individual’s password is not enough for access, and it is unlikely that an attacker will also gain access to the second authentication factor.
The most popular sites such as Dropbox, Gmail, Office 365, iCloud, PayPal, LinkedIn and many other cloud-based services already support 2FA. If you would like to see if a product you are using is capable of 2FA, an extensive list can be found at mobile identity provider Telesign’s website https://www.turnon2fa.com/tutorials/. This site will also provide tutorials to enable 2FA on those sites.
James Daniels Jr. is faculty advisor and IT instructor at Lindenwood University-Belleville.