Tips from our technical team –
Two-factor authentication, or 2FA as it’s commonly abbreviated, adds an extra step to your basic log-in procedure for one of your online accounts. Without 2FA, you enter in your username and password, and then you’re done. The password is your single factor of authentication. The second factor makes your account more secure. Multi factor authentication (MFA) is any number of factors more than one.
2FA or MFA requires the user to have two or more types of credentials before being able to access an account. Using two of the same type of authentication is not two factor.
The three types are:
- Something you know, such as a personal identification number (PIN), password or a security question (what is the name of your first pet?)
- Something you have, such as an ATM card, phone, or key fob (a small security device with built-in authentication)
- Something you are, such as a fingerprint, retinal pattern, or voice print. These factors are called Biometrics.
Why is two factor authentication important?
Passwords have been the mainstream form of authentication since the earliest days of computing, however, if we consider that 90% of passwords can be cracked in less than six hours and two-thirds of people still use the same password everywhere, they may not be as secure as they need to be.
The vulnerability of passwords is the main reason for requiring and using 2FA. Implementing multifactor authentication will prevent hackers from gaining access to your accounts even if your password is guessed or stolen. The extra layer of protection that MFA offers ensures your account is more secure and drastically reduces the chances of fraud, data loss or identity theft.
What are the different ways to implement multi factor authentication?
The methods described below all involve ‘something you have’ methods of authentication. There is usually an enrolment process where the user logs onto a website or app with a username and password and follows a process to enable two factor authentication. Then for subsequent log ins, the process will ask for the second layer of authentication.
Time-based One-Time Password (TOTP)
TOTP involves the generation of a one-time passcode from a shared secret key. This can be generated by a physical device that the user is given such as key fob, a USB dongle or smart card which dynamically generates a token for the user. The code is valid for only a short time, sometimes as low as 30 seconds and is single use.
Alternatively, a user can download and install an application that runs on their computer or mobile device that dynamically generates tokens for the user. Software tokens work similarly to hardware tokens in that they are randomly generated and last a brief period of time before changing.
Short Message Service (SMS)
Perhaps the most common method of implementing 2FA. This method sends the user a unique token via SMS text message, normally a 5-10 digit code. The user then needs to provide this unique token before they are granted access.
Typically, push notifications work with applications. A push notification is sent to the app on your mobile device. This notification is a login request and includes information such as the application name, the Operating System and internet browser you are using and well as the location and the date of the request. The user accepts the request & automatically the user becomes logged in.
2FA codes can also be received via email and phone call. Regardless of the nature of the second layer, it serves as a vital barrier to your account.
Biometrics or ‘something you are’ authentication is considered the most secure and hardest to compromise form of 2FA. It’s also more convenient, as users are the token, so the login process is quick and easy and they are not required to have their mobile device on them at all times.
However, biometric authentication presents a number of issues related to storage of biometric data and privacy concerns. If your fingerprint or other biometric data is compromised, how do you change or reset it?
Biometric authentication will be explored in the next blog.
Can 2FA be breached?
While two-factor authentication does improve security, no security system is 100% safe.
The longer a ‘new’ security measure has been in place, the better the hackers get at breaking it. Using 2FA offers another layer of security and will definitely make an attack harder. This will discourage a large percentage of cyber criminals and give you a lot more security than just using a password. We should all strive to use 2FA wherever and whenever possible.
How to enable two-step verification
Most of your common accounts such as Google, Microsoft, Yahoo, Facebook, Linkedin, Twitter and Instagram have 2FA available for your log in. Simply enable it. Go to the security page in settings. Click 2 step verification and then the get started button to sign in to your account and turn on two-step verification.
Cyber Aware on the National Cyber Security Centre website has some great advice on how to switch 2FA on for your main accounts.
If you are currently receiving 2FA codes via SMS, it is recommended that you set up at least one backup option in case you can’t access your phone. You can print out a handful of backup codes that you’ll then store in a safe place. You can also use Google Authenticator app as a backup option or USB security key.
Next week, we explore the pros and cons of biometric authentication.