
The Beginners’ Guide to Two-Factor Authentication

In the early days of the Internet, almost everyone reused passwords across multiple sites and didn’t think twice before sharing their credentials with others. Such a ‘slap-happy’ attitude was understandable in that era. After all, ‘cyber’ crime was sporadic, and concerns around identity theft, information warfare, and cyberstalking that are so widespread today were almost unheard of at the time. But as savvy criminals began to find newer ways to exploit the Internet’s vulnerabilities for their own gain, legitimate organizations realized that passwords were no longer sufficient to protect their systems, websites, and customers. Enter: two-factor authentication!

What is 2FA (two-factor authentication)?

Also known as two-step verification or dual-factor authentication, two-factor authentication (2FA) adds a second, independent check to the login process. In single-factor authentication (SFA) the user presents only one proof of identity, typically a password. With 2FA, an attacker who steals or guesses that password still cannot get into the account without the second factor, which makes a successful takeover of a user's account or device considerably harder.

Relying on a password alone is rife with challenges, many of which are rooted in human behaviour. According to TeleSign, 54% of consumers use five or fewer passwords across their entire online life; 22% use just three or fewer. In late 2017, a report emerged of a 41GB archive of 1.4 billion stolen credentials (user name, email and password combinations) offered for sale on the dark web. Most of the passwords in the file were embarrassingly simple. These figures illustrate the two biggest weaknesses of SFA: people reuse the same password across accounts, so one breached site hands attackers a working login for many others (so-called credential stuffing), and most people cannot create and remember strong, unique passwords. Sharing passwords, storing them insecurely (hello sticky notes!) and disposing of old hard drives without wiping them are further 'inside' threats. Passwords also face external threats: attackers use social engineering to trick users into revealing them, or brute-force and dictionary attacks to guess them, and then walk straight into the account.

2FA reduces these risks by requiring more than one factor. Three factors are generally recognized for online authentication: the knowledge factor, something you know (e.g., a password or PIN); the possession factor, something you have (e.g., a mobile phone or USB token); and the inherence factor, something you are (e.g., a fingerprint or retinal scan). Two-factor authentication means the device, website or account requires proof from two different factors; two proofs of the same kind, such as a password plus a security question, are still single-factor. Because the inherence factor needs dedicated sensors and raises its own privacy concerns, the first two are used far more often. In practice the most common combination is a password plus a one-time password (OTP): a short, single-use numeric code sent to the user's mobile phone or email address.

The evolution of two-factor authentication

2FA is older than it looks: enterprises have issued hardware tokens that display a changing one-time code since the 1980s, and banks and corporate remote-access systems used them long before consumers did. (A PIN lock on a smartphone, by contrast, is a single knowledge factor, not 2FA.) It reached mainstream online services in the 2000s, and today it is offered by almost every major provider, including email services (e.g., Yahoo and Gmail), cloud storage (e.g., Dropbox), banks and payment portals (e.g., PayPal), eCommerce sites (e.g., Amazon) and social media (e.g., Facebook and Instagram).

Consumer adoption really took off after the Heartbleed bug of 2014. Heartbleed was a flaw in OpenSSL, the open-source library that most web servers use for TLS encryption; it let an attacker read chunks of a server's memory, which could contain passwords, session cookies and even the server's private keys, and it did so without leaving a trace in the server's logs. In August 2014, about 76% of Global 2000 firms were reported to be still vulnerable to Heartbleed; a year later that number had dropped by only two percentage points, a testament to how widespread and slow to fix it was. On the plus side, Heartbleed made the public aware that a password can be stolen through no fault of the user, which drove adoption of 2FA, and public-awareness campaigns such as #TurnOn2FA followed.

How does two-factor authentication work? Why should you enable 2FA?

Most forms of 2FA ask the user to sign in with their user name and password (step 1). In step 2 they enter a code that is sent by email, text message or automated voice call to an address or device they registered in advance. The first step proves the user knows something (the password); the second proves they have something (the phone or mailbox). Note that an emailed code is only as strong as the mailbox it lands in: if that mailbox is itself protected by a reused password, the 'second factor' is not truly independent.

Many services let the user mark a device or browser as trusted, so the second step is only repeated after a certain period (say a year) or when the user signs in from a new device. Others send a code each time a new device connects. Either way, the aim is to confirm that whoever holds the user name and password also holds the registered device.

Admittedly, 2FA adds some friction to the online experience, but it is a small price compared with the cost of an account takeover. 2FA protects personal data (including files and photos) and sharply reduces the chance that an attacker with a stolen password can access that information and use it against you financially, personally, professionally or socially. How you enable 2FA depends on the service; it is usually found under the account's security or sign-in settings.

Types of Two-Factor Authentication Systems

Different types of two-factor authentication systems are used today. They vary by strength and complexity, but in general, they offer better protection than traditional passwords alone.

i. Hardware tokens

Among the oldest 2FA systems still in use, a hardware token (often a key fob or card with a small display) is a stand-alone device that shows a new numeric code, typically every 30 or 60 seconds, derived from a secret stored inside the token and the current time or a counter. To sign in, the user enters their user name and password (factor 1) and then the code currently displayed (factor 2). Because the secret never leaves the token, the code cannot be read off the user's computer by malware; it can, however, still be phished, since the user types it into whatever page is asking for it.

ii. Cell phone: text messages and/or voice calls

After entering their user name and password, the user receives a unique OTP by text message and must enter it into the application within a limited time (say 15 minutes) before it expires. SMS-based 2FA is the most widely deployed form, but it is one of the least secure: text messages can be intercepted through weaknesses in the SS7 signalling network, redirected by convincing a carrier to move the victim's number to a new SIM (SIM swapping), or read by malware on the phone, and a real-time phishing site can simply ask the victim for the code and relay it before it expires.
Voice-based 2FA delivers the same kind of OTP by automatically dialling the user and reading the code aloud; it shares most of the weaknesses of SMS.
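The server side of a delivered-OTP flow (SMS, voice or email) is where the "limited time" and "single use" properties above actually live. The following is an added example, not code from the article or from Verifapp: a small service that generates the code with a cryptographically secure random source, stores only a hash of it, expires it after a validity window, rejects it after a fixed number of wrong guesses and invalidates it once used. The `OtpService` API, the 15-minute window and the five-attempt limit are assumptions for illustration; delivery to the SMS or voice gateway is left to the caller.

```python
# Added example (not the article's or Verifapp's code): server-side issue and
# verify logic for a delivered OTP. The code is generated with a CSPRNG, stored
# only as a hash, expires after OTP_TTL_SECONDS, survives MAX_ATTEMPTS wrong
# guesses and can be used exactly once. Delivery is out of scope: the caller
# hands the returned code to an SMS/voice gateway.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

OTP_TTL_SECONDS = 15 * 60   # validity window; the article's "say 15 minutes" (assumed)
MAX_ATTEMPTS = 5            # assumed limit: a 6-digit code has only 10**6 values


@dataclass
class PendingOtp:
    code_hash: bytes        # SHA-256 of the code; the plaintext is never stored
    expires_at: float       # unix time after which the code is dead
    attempts: int = 0       # wrong guesses so far


class OtpService:
    """Issues and verifies one-time passcodes per user id (hypothetical API)."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock                    # injectable so expiry is testable
        self._pending: Dict[str, PendingOtp] = {}

    def issue(self, user_id: str, digits: int = 6) -> str:
        # secrets.randbelow is a CSPRNG; random.randint would be predictable.
        code = f"{secrets.randbelow(10 ** digits):0{digits}d}"
        self._pending[user_id] = PendingOtp(
            code_hash=hashlib.sha256(code.encode()).digest(),
            expires_at=self._clock() + OTP_TTL_SECONDS,
        )
        return code  # hand to the gateway; never write it to logs

    def verify(self, user_id: str, candidate: str) -> bool:
        entry = self._pending.get(user_id)
        if entry is None:
            return False                       # nothing outstanding for this user
        if self._clock() > entry.expires_at:
            del self._pending[user_id]         # expired: force a fresh code
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[user_id]         # too many guesses: invalidate
            return False
        candidate_hash = hashlib.sha256(candidate.strip().encode()).digest()
        # compare_digest does not leak how many bytes matched via timing
        if hmac.compare_digest(candidate_hash, entry.code_hash):
            del self._pending[user_id]         # single use: a replayed code fails
            return True
        return False


if __name__ == "__main__":
    svc = OtpService()
    code = svc.issue("alice")                  # would be sent by SMS/voice here
    print("first try:", svc.verify("alice", code))    # True
    print("replay:   ", svc.verify("alice", code))    # False, already consumed
```

Hashing a six-digit code does little against an attacker who steals the table (the whole code space can be hashed in milliseconds), so the attempt limit and the short lifetime are the controls that matter; the hash only keeps plaintext codes out of database dumps and logs.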

iii. Software tokens

This method uses an authenticator app (usually free) that generates a time-based one-time password (TOTP) and shows it on the same device. At enrolment the service shares a secret key with the app, usually by scanning a QR code; afterwards both sides derive the current code from that secret and the clock, so nothing has to be sent over the mobile network and there is no message to intercept. This makes it a more reliable alternative to SMS. Like a hardware token, the code changes every 30 seconds, and a server will normally accept it for only a minute or so. Two caveats: the secret lives on the phone, so a lost or backed-up device needs care, and the code can still be phished, because the user types it into whatever page asks for it.

Popular software token apps include:

  • Google Authenticator: Free on Android, iOS, and BlackBerry
  • Twilio Authy: Free on iOS, Android, BlackBerry, macOS, Windows, and Chrome browser
  • Duo Mobile: For iOS, Android, BlackBerry, and Windows
  • LastPass 2FA Authenticator: For iOS, Android
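Hardware tokens and the authenticator apps listed above both implement the same open algorithms: HOTP (RFC 4226), which turns a shared secret and a counter into a short code, and TOTP (RFC 6238), which uses the current 30-second time slot as that counter. The following is an added example, not code from the article or from any of the listed apps: the generator that runs on the token or phone, the verifier that runs on the server (accepting one slot either side for clock drift and refusing a code that was already used), and the `otpauth://` URI that enrolment QR codes carry. Function names are this example's own; the results are checked against the published RFC test vectors for the secret `12345678901234567890`.

```python
# Added example (not the article's or any listed app's code): RFC 4226 HOTP and
# RFC 6238 TOTP as implemented by hardware tokens and authenticator apps, plus
# the server-side verifier with a clock-skew window and replay protection.
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                               # low nibble selects 4 bytes
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step). This is what the
    token display or app shows; the secret never leaves the device."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at // step), digits, algo)


def verify_totp(secret: bytes, candidate: str, at: float, step: int = 30,
                digits: int = 6, window: int = 1,
                last_used_counter: Optional[int] = None) -> Optional[int]:
    """Server-side check. Returns the matching counter, or None.

    `window` also accepts the previous/next slot so clock drift and slow typing
    do not lock users out. `last_used_counter` (persisted per user) rejects a
    code that was already accepted, so a code glimpsed over the user's shoulder
    cannot be replayed within the same slot.
    """
    counter = int(at // step)
    for delta in range(-window, window + 1):
        c = counter + delta
        if last_used_counter is not None and c <= last_used_counter:
            continue                                      # already consumed
        if hmac.compare_digest(hotp(secret, c, digits), candidate.strip()):
            return c
    return None


def provisioning_uri(secret: bytes, account: str, issuer: str,
                     digits: int = 6, step: int = 30) -> str:
    """The otpauth:// URI that an enrolment QR code encodes (Key URI format)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1"
            f"&digits={digits}&period={step}")


if __name__ == "__main__":
    # Enrolment: a fresh random secret, shown once to the user as a QR code.
    new_secret = secrets.token_bytes(20)
    print(provisioning_uri(new_secret, "alice@example.com", "ExampleCorp"))
    print("current code:", totp(new_secret))
```

The verifier deliberately returns the counter it matched rather than a bare boolean: the caller stores it as `last_used_counter` so the same six digits cannot be accepted twice, which is the check most home-grown TOTP verifiers forget.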

iv. Push notifications

In this 2FA system, a website or app sends a push notification to an authenticator app on the user's registered phone, and the user approves or denies the sign-in with a single tap. Because there is no code to read and retype, it is the most user-friendly option; some services go further and let the push approval replace the password entirely ('passwordless authentication'). The convenience cuts both ways: an attacker who already has the password can fire off prompt after prompt until a tired user taps 'approve', so good implementations show where the request came from and ask the user to confirm a number displayed on the login screen before approving.

Weaknesses of Two-Factor Authentication

Despite its superiority over passwords alone, 2FA is not without its problems. Hardware tokens can be lost, shared, or left in the same bag as the laptop they protect, and their security depends on users treating them as strictly personal. SMS-based 2FA is vulnerable to a range of attacks, from theft of the phone to SIM swapping and interception inside the mobile network. These weaknesses led the National Institute of Standards and Technology (NIST) to classify SMS and voice delivery as a 'restricted' authenticator in Special Publication 800-63B: organizations may still use it, but they must assess the risk and offer users a stronger alternative.

More generally, determined attackers have found ways around 2FA: real-time phishing sites that collect the password and the OTP together and relay them to the genuine site before the code expires, Man-in-the-Browser (MitB) malware that alters transactions after the user has authenticated, malware on the phone that reads incoming codes, and plain social engineering that talks a user or a support desk into handing over a code or resetting the account. This is why organizations are moving to multi-factor authentication (MFA) with stronger factors. One form is three-factor authentication (3FA), typically a password, a physical token and biometric data such as a fingerprint or voiceprint. Another is the phishing-resistant hardware security key based on the FIDO2/WebAuthn standards, which signs a challenge bound to the genuine site's web origin, so a look-alike phishing site receives nothing it can replay. Signals such as geolocation, device type and time of day are also used to flag or block suspicious sign-ins; they are useful context, but they are not authentication factors in their own right.

A final word

Although not completely problem-free, two-factor authentication is a far better method of user authentication than passwords alone. That is why it has been around for a while and is unlikely to go anywhere anytime soon. Nonetheless, users still need to remain vigilant about the growing threat landscape and keep up with newer security measures for all their devices and online accounts.

Verifapp is leading the way in implementing meaningful and secure application-to-person communications. Over the course of a decade, we have sent over 10 billion pin codes and one time passwords, helping to enrich the customer communications ecosystem and creating a bright future for memorable customer experiences. To find out how our integrated platform can help you make and retain your customers for life with rich application-to-person communications, contact a Verifapp representative today.