The moment you sign up to most websites dealing with sensitive data, you are given the option of enabling ‘Two-Factor Authentication’ (2FA).
Depending on how much time you have, you either schedule it for later (and never really get around to it) or go through the steps of connecting your account to a secondary authentication mode.
This is an important step regardless of what your role is – administrator, editor, or viewer – as high-level security is necessary for all end users.
In 2019, Google published research – conducted in collaboration with the University of California, San Diego, and New York University – on targeted attacks against accounts with and without 2FA enabled. Its findings were as follows:
(Image Source: Google Security)
While 2FA feels annoying, time-consuming, and redundant, these figures clearly indicate that adding even the lowest level of additional security (a phone number, an SMS code, or an on-device prompt) blocks 100% of automated account-takeover attempts.
Although other methods of bulk and targeted attacks can still be carried out, the most common, automated technique employed by hackers can usually be prevented by enabling Two-Factor Authentication.
What is a 2FA Code or Two-Factor Authentication?
Two-Factor Authentication, or 2FA, is exactly what the name says. It’s a method of authenticating a user based on two factors – the primary password associated with their account, and a secondary piece of information that a third party wouldn’t normally have access to.
This additional layer of security could be one of three things:
- A physical device such as a security key or a smartphone.
- Biometric information such as fingerprints or retina patterns.
- Passwords, swipe-patterns, personal identification numbers (PIN), or preset answers to personal questions.
Without enabling 2FA, users are vulnerable to both automated and manual account takeovers. Since the hacker’s only job is to guess the user’s password, or to point a freely available tool at the task, gaining access to such accounts becomes quite easy, even if the password isn’t especially weak.
When a user enables 2FA, anyone attempting to log in to their account must have access to both layers of security. Even if a hacker or a bot cracks the password, they don’t gain access to the account unless they also control the second factor – the user’s hardware device or their biometric data.
Need for 2FA
Although there are constant efforts to increase public awareness regarding cybersecurity, the constant increase in cyberattacks makes it evident that not everyone pays heed to the advice.
In partnership with The Harris Poll, Google surveyed a representative sample of US adults to understand their awareness and attitudes regarding basic security measures.
(Image Source: Google Safety and Security)
Besides using easy and predictable passwords, they admitted to participating in irresponsible behavior regarding account security.
(Image Source: Google Services)
Not only were they observed to have reused and shared these highly confidential strings, but a shocking percentage of Americans admitted to opting for comfort, rather than security.
(Image Source: Google Safety and Security)
At a time when basic knowledge of OSINT and the ability to use freely available password cracking tools are enough to perform account takeovers, users must implement every security measure they can.
This is where 2FA comes in. By ensuring that only individuals who can provide both levels of authentication get in, it drastically reduces the chances of third parties gaining access to your accounts.
Types of 2FA
Two-Factor Authentication doesn’t necessarily have to be OTP or password-based. There’s a wide range of options available, with varying levels of security.
Depending on the confidentiality of the account(s) and the comfort-security tradeoff, users can choose a suitable type of 2FA to get more protection than a simple password would offer:
Hardware Based
Physical tokens such as security keys – USB or NFC devices – use the FIDO U2F open standard to eliminate the risk of phishing. In this security layer, the user needs to connect their key to the host machine in order to authenticate themselves.
The key communicates with the host to let it know that a third party isn’t trying to access the password-protected account.
Key fobs are another hardware-based method of practicing 2FA, in which the key randomly generates a numeric code after a set interval of time and displays it.
This code is valid for a short period, within which it has to be entered into the configured application, and it can’t be predicted since the numbers are arbitrary.
Security keys are one of the most secure authentication methods in existence, as the only way to bypass this layer is by physically obtaining the key.
Software Based
Software-based 2FA, commonly delivered as one-time passwords (OTP) from an authenticator app, works in a similar manner to hardware keys.
While signing in to an account configured to use the 2FA app, the user is prompted to enter an OTP. This limited-time OTP code has to be obtained from the 2FA app and then provided to the host application.
Since both the 2FA app and the host are present on the user’s devices, the chances of hacker interference are low.
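The code generation behind key fobs and authenticator apps is the HOTP/TOTP scheme (RFC 4226 and RFC 6238). The example below is added here and is not code from the original article or from any particular authenticator product. It derives a 6-digit code from a shared Base32 secret and the current 30-second time step, and shows the server-side check a site should perform: constant-time comparison, a one-step tolerance for clock skew, and refusal to accept the same time step twice, so a code that was captured cannot be replayed within its validity window. The `TotpVerifier` class, its parameter names and the 20-byte secret size are illustrative assumptions; the arithmetic follows the RFCs and reproduces their published test vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def generate_secret(num_bytes=20):
    """Create a fresh random shared secret, Base32-encoded as authenticator apps expect it."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii")


def secret_from_bytes(raw):
    """Base32-encode an existing raw secret (used to check against the RFC test vectors)."""
    return base64.b32encode(raw).decode("ascii")


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of the last byte selects a 4-byte window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, now=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second intervals since the Unix epoch."""
    t = int(time.time() if now is None else now)
    return hotp(secret_b32, t // step, digits)


class TotpVerifier:
    """Server-side check of a submitted code (hypothetical class, not from any library).

    Accepts codes from the previous, current and next time step (one step of clock skew
    either way), compares in constant time, and never accepts the same time step twice.
    """

    def __init__(self, secret_b32, step=30, digits=6, window=1):
        self.secret = secret_b32
        self.step = step
        self.digits = digits
        self.window = window
        self.last_accepted_step = -1     # highest time step already consumed by a successful login

    def verify(self, submitted, now=None):
        t = int(time.time() if now is None else now)
        current = t // self.step
        for candidate in range(current - self.window, current + self.window + 1):
            if candidate < 0 or candidate <= self.last_accepted_step:
                continue                 # negative step, or a step already used: treat as a replay
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    secret = generate_secret()
    print("provisioned secret:", secret)
    code = totp(secret)
    verifier = TotpVerifier(secret)
    print("code", code, "accepted:", verifier.verify(code))
    print("same code again accepted:", verifier.verify(code))   # False: replay rejected
```

The secret is what the QR code shown at enrolment carries; once the app and the site share it, both can compute the same code independently, which is why the OTP never has to travel over a phone network. Tracking `last_accepted_step` is the detail most home-grown verifiers omit: without it, a code is valid for the whole 90-second window to anyone who saw it.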
Biometric Based
These days, nearly every smartphone is equipped with facial recognition and fingerprint-based unlocking.
This same technology extends to the 2FA domain, where biometric information such as retina patterns can be used to identify a user, besides their facial features and unique fingerprint.
As all these physical features are part of the user’s body, gaining access to them or the stored data about these features is an extremely hard task.
Phone Number Based
SMS or phone call verification is a phone number based 2FA mechanism. In order to gain access to their account, the user must enter an OTP into the website after they’ve entered the correct username and password.
This OTP is sent either as a text message or dictated over a voice call.
As in the case of software and hardware 2FA codes, this OTP is valid only for a certain amount of time, and is thus more secure than a plain password.
However, phone numbers can be easily targeted by hackers, so this method isn’t the most secure one.
Device Based
This password-less mode of authentication requires a single tap by the user to authenticate themselves. You might have noticed this on your Android device if you have 2FA set up.
While signing into your account, the application sends a notification to your trusted device, asking you to verify a third-party isn’t impersonating you.
Without entering any PIN or password, you can easily confirm your identity through your registered device to save time and conveniently authenticate yourself.
How to Get a 2FA Code?
Two-Factor Authentication codes can be generated using third-party applications created especially for this purpose.
In order to enable 2FA for accounts where it isn’t already active, you need to install a 2FA application and link it to those accounts.
Once this step has been carried out, every time you attempt to sign in to your accounts you will be prompted to enter a code generated by the 2FA app. Only when the code is correct will you be granted access to your account.
(Image Source: Tech Commuters)
Features to Look Out For in 2FA Apps
While having a good 2FA app can make life easier and much more secure, a bad one can be equally dangerous and/or inconvenient to use.
There is an endless number of apps offering 2FA, so how do you know which one to choose? Easy – just make sure the following features are present in any potential choice:
Cross-Platform Compatibility
The whole point of using 2FA apps is to get a secure method of authentication with cross-platform compatibility.
Therefore, any good 2FA app should be compatible with both Android and iOS. As a recovery measure, Windows and Mac compatibility would make the app even more suitable.
Software Integrity
Software Integrity is the measure of the safety and maintainability of code. When a user chooses to use products from a well-known, trusted company, integrity comes almost automatically.
In the case of 2FA apps, it is important to have the guarantee that your service provider would offer timely support when required.
Ease of Use
The main reason people decide not to opt for two-factor authentication (besides lack of awareness) is the lack of comfort associated with it.
While account manipulation (adding, modifying details, or deleting) is a necessary feature in 2FA apps, it should be integrated in such a manner that the UX is fast and smooth.
Account Recovery
Account recovery with 2FA enabled can get tricky. Enabling account recovery options defeats the entire point of having different (randomized) methods of authenticating yourself, as backup options must be constant and permanently stored.
Users must therefore be cautious about the 2FA application they choose since strong encryption mechanisms are necessary for enabling recovery options. These options could be backup codes or customer support based solutions.
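One way a service can offer backup codes without the stored secret becoming a weak spot, added here as an example that is not from the original article or from any specific 2FA app: the codes are random, shown to the user exactly once, kept on the server only as salted slow hashes, and each one is consumed the first time it is redeemed. The `BackupCodeStore` class, the transcription-friendly alphabet, the code length and the PBKDF2 round count are illustrative assumptions.

```python
import hashlib
import hmac
import secrets

# Alphabet without 0/O and 1/I/L so printed codes are hard to mis-transcribe (constructed choice).
BACKUP_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
PBKDF2_ROUNDS = 100_000


def generate_backup_codes(count=10, length=10):
    """Return `count` random single-use codes, formatted xxxxx-xxxxx for display to the user."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(BACKUP_ALPHABET) for _ in range(length))
        codes.append(raw[:length // 2] + "-" + raw[length // 2:])
    return codes


def normalize(code):
    """Tolerate the hyphen, spaces and upper case a user may type when reading a printed code."""
    return code.replace("-", "").replace(" ", "").strip().lower()


def hash_code(code, salt):
    """Slow salted hash, so a leaked database does not reveal the still-valid codes."""
    return hashlib.pbkdf2_hmac("sha256", normalize(code).encode("ascii"), salt, PBKDF2_ROUNDS)


class BackupCodeStore:
    """What the server keeps per user: a salt and the hashes of unused codes, never the codes themselves.

    Hypothetical class for illustration; a real service would persist `salt` and `unused`.
    """

    def __init__(self, codes):
        self.salt = secrets.token_bytes(16)
        self.unused = [hash_code(c, self.salt) for c in codes]

    def remaining(self):
        return len(self.unused)

    def redeem(self, submitted):
        """Accept a code once: on a match its hash is removed, so the same code cannot be reused."""
        try:
            digest = hash_code(submitted, self.salt)
        except UnicodeEncodeError:
            return False                     # non-ASCII input can never be one of our codes
        for stored in self.unused:
            if hmac.compare_digest(stored, digest):
                self.unused.remove(stored)
                return True
        return False


if __name__ == "__main__":
    codes = generate_backup_codes()
    print("show these to the user once, then discard:", codes)
    store = BackupCodeStore(codes)
    print("first use accepted:", store.redeem(codes[0]))
    print("second use accepted:", store.redeem(codes[0]))   # False: already consumed
    print("codes left:", store.remaining())
```

Because only hashes are kept, a database leak exposes nothing usable without a slow brute force over a 31-character, 10-symbol space, and because each code is deleted on use, a code that was photographed or phished is worthless once the legitimate user has redeemed it. A service would additionally rate-limit the redeem endpoint and alert the user when their remaining count drops low.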
Security of the App Itself
Using an application that provides security but doesn’t have any of its own isn’t advisable. 2FA apps that are secured by a password, PIN, pattern, or biometric verification are always a better option.
Is 2FA Secure?
While 2FA provides more security than a simple password, hackers can still overcome it. Automating account takeovers with 2FA protection is a comparatively harder task than carrying it out manually, but it may still work.
Different methods of 2FA pose different types of security concerns:
- Accounts whose secondary layer of security is another string-based password are at a higher risk of getting hacked, since password cracking tools can be configured to attack both layers simultaneously.
- Phone number based authentication methods such as SMS and voice calls are also risky since they can be intercepted. If the hacker succeeds in doing so, they can get complete access to your “secure” accounts.
- Device-based authentication is extremely secure, but only when the user has the device on their person. In the event of them losing their registered device, regaining access to their linked accounts can become a very difficult task, unless recovery options were enabled beforehand.
- While biometric information itself can’t be stolen, databases storing this data could be hacked into. If a malicious entity gains access to such a database, data leaks of an extremely high magnitude could take place. Besides this risk, there’s also a physical factor. If the user’s biometric data were to change due to an accident (loss of fingers, eyes, or facial disfigurement), then regaining access to their accounts would become challenging.
Two-Factor vs Multi-Factor Authentication
Passwords alone are highly insecure, and enabling 2FA doesn’t ensure complete security – so what should users do? Naturally, the best way of increasing security is to add more layers. Multi-Factor Authentication (MFA) does exactly that.
As the name suggests, MFA makes use of multiple authentication methods simultaneously, to ensure maximum protection.
Just like 2FA, the various options present in MFA are hardware-based, software-based, biometric-based, phone number based, and device-based. Unlike 2FA, there are no restrictions on the number of methods being employed at once.
All 2FA is MFA, but not all MFA is 2FA. Multi-factor authentication means more than one layer of security, whether that’s two, three, four, or five.
Two-factor authentication, on the other hand, is limited to exactly two methods of authentication – one primary password and one secondary mode. Because of additional layers of security, MFA is guaranteed to offer more protection than 2FA.
However, an increase in security usually means a decrease in user experience. Since MFA would require the user to authenticate themselves on various devices and platforms, it isn’t a very attractive solution.
Due to this reason, users tend to stick to single password or 2FA modes of authentication.
Conclusion
Two-Factor Authentication is a method of providing additional security to password-protected accounts. It can be implemented in different hardware, software, or biometric modes – all of which have varying levels of security – by using a suitable authenticator application.
In 2FA, the secondary layer of protection is responsible for generating unique, arbitrary, and time-limited codes (accessible only by the user) as an authentication method.
These codes can be obtained using secure authenticator applications without much hassle. Although enabling 2FA protects accounts from most automated attempts at hacking, dedicated and skilled hackers can still bypass the security measures.
To overcome this limitation, Multi-Factor Authentication is now being used. An extension of 2FA, MFA allows a single account to have as many layers of security as required.
Most users tend to avoid MFA as having to authenticate themselves on different platforms is a tedious task.
While a comfort-security tradeoff definitely exists, it’s always smarter to choose the latter over the former. Even if your account is low risk and getting hacked wouldn’t have high-level consequences, security breaches aren’t a joke.
In today’s hyper-connected world, especially, falling prey to an account takeover must be avoided at all costs.
So while 2FA can be used by the general population, MFA is still the better option.