Two-Factor Authentication (2FA) Demystified

You try to log into your favourite social media platform and enter your username and password, only to be greeted with that dreaded message: "An email has been sent to your inbox." Now you have to open your email client, wait for the verification code to arrive, and finally get back to what you were doing. That raises the question: why the extra hassle? Shouldn't a password be sufficient?

What is 2FA?

To explain this, let's first look at what 2FA is. As the name implies, Two-Factor Authentication is a second layer of authentication used to verify a user's identity; MFA (Multi-Factor Authentication) is the more general term for two or more factors. Authentication methods generally fall into one of three categories, called factors:

  • Something you know: This can be something like your password, a PIN, or even security questions (we'll touch on those later)
  • Something you are: This is more abstract and often involves biometric identifiers like facial recognition, fingerprints, or iris scans
  • Something you have: This typically involves possession of an item like your phone or a hardware token

With 2FA, a service requires two different factors to establish that the person logging in is really you. Asking for something you know plus something you have or are makes an attacker's job significantly harder: even if they obtain or guess your password, the password alone no longer gets them in. The flip side is that a website asking for your password and a security question is still single-factor authentication (SFA), because both belong to the same category. This is also why security questions rarely improve security: they are the same factor as your password, and they are often easier to guess, since they ask for specific information that may be public or easy to look up.

Different Types of 2FA

Hardware Tokens

Among the earliest forms of 2FA are hardware tokens. These come in two main varieties: connected tokens and disconnected tokens.

Connected tokens, such as smart cards, USB tokens and Bluetooth tokens, require a physical or radio connection to the device you are logging in from; once connected, they can pass the token to the service automatically. Disconnected tokens have no link to the device at all: they display a code, and you type it into the service yourself.


Both types often carry an additional check on the token itself, such as a fingerprint reader or a PIN, so that a stolen token alone is not enough. The downside is that small tokens are easy to lose, and every lost token needs a recovery process.

Software Tokens

The modern and probably most popular counterpart to hardware tokens is the software token, an app that generates time-based one-time passwords (TOTP). You install the app on your phone or computer, then scan a QR code or type in the long secret string the service provides; that secret is now shared between the app and the service. The app computes a short code from the secret and the current time and refreshes it at a fixed interval, commonly every 30 seconds. Because the code depends only on the shared secret and the clock, the app works without a network connection, and the service can compute the same code on its side to check your entry.

Text-Based

Text-based codes, alongside software tokens, are perhaps the most widely used form of 2FA. The service has your phone number or email address on record and sends you a PIN or short passcode via SMS or email, typically valid for a few minutes. This method is popular because it needs no extra app and no physical token, and a service can roll it out without any action from the user. The trade-off is that the code travels over a channel the service does not control: SMS depends on the phone number, which can be taken over through SIM swapping, and email depends on how well the mailbox itself is protected.
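With a sent code, the part worth getting right is on the server, since the code itself is just a random number. The following is an added example in Python, not code from the original article, of the bookkeeping a service needs around SMS or email codes: generation with a CSPRNG, storage as a salted HMAC so a database leak does not expose live codes, a short lifetime, single use, and a small attempt budget so a six-digit code cannot simply be brute-forced. The class name `OtpStore`, the five-minute lifetime and the attempt limit are assumptions; actually sending the message is left to the caller.

```python
import hashlib
import hmac
import secrets


class OtpStore:
    """Issue and verify one-time codes delivered out of band (SMS / email).

    Rules enforced here:
      - codes come from a CSPRNG (secrets), never random.randint()
      - only a salted HMAC of the code is stored
      - every code expires, is single use, and has a limited number of tries
    """

    def __init__(self, ttl_seconds: int = 300, max_attempts: int = 5, digits: int = 6):
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.digits = digits
        # user -> {"hash": bytes, "salt": bytes, "expires": float, "attempts": int}
        self._pending = {}

    def issue(self, user: str, now: float) -> str:
        """Create a fresh code for the user; returns it so the caller can send it (never log it)."""
        code = "".join(secrets.choice("0123456789") for _ in range(self.digits))
        salt = secrets.token_bytes(16)
        self._pending[user] = {
            "hash": hmac.new(salt, code.encode(), hashlib.sha256).digest(),
            "salt": salt,
            "expires": now + self.ttl,
            "attempts": 0,
        }
        return code

    def verify(self, user: str, code: str, now: float) -> bool:
        entry = self._pending.get(user)
        if entry is None:
            return False                     # nothing issued, or already consumed
        if now > entry["expires"]:
            del self._pending[user]          # expired: force a new code
            return False
        entry["attempts"] += 1
        if entry["attempts"] > self.max_attempts:
            del self._pending[user]          # budget exhausted: force a new code
            return False
        candidate = hmac.new(entry["salt"], code.encode(), hashlib.sha256).digest()
        if hmac.compare_digest(candidate, entry["hash"]):
            del self._pending[user]          # single use
            return True
        return False


if __name__ == "__main__":
    store = OtpStore()
    issued = store.issue("alice", now=0.0)   # constructed demo; the time is a fixed 0.0
    print("would send:", issued)
    print("first try:", store.verify("alice", issued, now=10.0))
    print("second try (replay):", store.verify("alice", issued, now=11.0))
```

Re-issuing a code replaces the pending entry, so a user who asks for a new SMS invalidates the old one; without that, and without the attempt limit, an attacker has the full lifetime of the code to try guesses against a space of only one million values.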

Push Notification

Another notable method is the push notification. As with software tokens, you install an app on your phone or computer. Instead of generating a code for you to type, the app shows a notification asking whether you are trying to log in, and you approve or decline. This method needs an active internet connection but is more user-friendly, since there is nothing to copy. It also depends on you: an attacker who already has your password can trigger prompts, so a prompt for a login you did not start should be declined, not approved.

Other Types

Beyond those mentioned, there are plenty of other ways to implement a second factor, ranging from voice calls to biometric options such as fingerprint or iris scanners. Many providers continuously experiment with or develop new 2FA methods.

Why am I forced to use 2FA?

Whether you are required to use 2FA depends on the type of service. Users often re-use passwords, pick weak ones, or vary them only slightly between services. That is a significant risk, especially for banks and other organisations that handle sensitive data: when one of the websites you use is breached, attackers obtain your email address and password and try that same combination on other platforms (credential stuffing). Anywhere you re-used the password, they get in. 2FA protects the company and, in the end, you against exactly this.

If you haven't already, check whether your email address has appeared in a known breach at haveibeenpwned.com.

So 2FA is secure?

So, is 2FA a silver bullet for security? Unfortunately, as is often the case in the security space, the answer isn't a simple yes or no. While 2FA unquestionably improves security, it's not immune to vulnerabilities and doesn't cover all attack vectors.

Take smart cards, for instance. They resist phishing because the private key never leaves the card and the server verifies a cryptographic response to its own challenge, so there is no code for a fake site to capture and replay. Hardware tokens are not invulnerable, though: in 2011, RSA Security disclosed a breach in which information related to its SecurID one-time-password tokens was stolen, weakening the protection the tokens in circulation provided. SMS or email codes and OTP apps fare worse still against phishing. If a phishing site tricks you into entering your password and the current code, the attacker can relay both to the real portal within the code's validity window and log in as you: the code proves that you have the second factor, but not to whom you are proving it.


Title Image by Yura Fresh from Unsplash