Importance of Two Factor Authentication (2FA)

Importance of Two Factor Authentication (2FA)

Importance of Two Factor Authentication:

Absolute security is a myth but users must take reasonable steps to ensure online safety and security. E.g., 2FA which adds an additional layer of security. In fact, enabling two-factor-authentication is one of the simplest yet very important security measure. 

Two-factor authentication is a feature that asks for more than just password (something you know) to access your accounts. As you enter your password, you receive a code on the linked device (something you have). And only after you enter the code you are able to log-into the account. It’s lot more secure than solitary password and can keep hackers at bay. 

Introduction:
In the 21st century, data is the new oil. Therefore, the importance of password now is more than ever. Hackers are hungry for passwords, as the data can be sold or misused for financial gains. Therefore, two-factor-authentication comes into play, which adds an extra layer of security. 

Two-factor-authentication is more prevalent than what it appears. An example is withdrawal of money from an ATM kiosk. Here, you require both your physical card (something you have) and your ATM PIN (something you know) to access your bank account. 

What is 2FA – Lucid Explanation:
Two-factor-authentication, also known as multi factor or multiple step verification, is an additional process to double check your identity. It adds an extra layer of security to every online platform you access. 

An Example: When you sign into your Gmail account, you are asked to enter your username and password – the initial verification stage.  

Subsequently, you are asked to enter your verification code – a second security layer to confirm your identity. 

The authentications all over the world are based on 3 parameters:

  • What we know: PIN, passcode, answer to security question etc. 
  • What we have: It always relates to a physical device like USB token, mobile phone, SIM, USB stick, ID card, ATM card, Rubikey etc. 
  • What we are: This includes biological factors such as face or voice recognition, fingerprint, DNA, retina scan etc. Since, some of them are quite expensive, they are less used for authentication purposes. 

When individuals employ two of these three parameters it is called two-factor-authentication. It reduces the instances of data loss, fraud and identity theft drastically. Regardless of the nature of second factor, it protects your account efficiently. 

Thus, two-factor-authentication is a process meant to protect our accounts from unauthorized access. It adds an extra step – an extra layer of security – when you log into your online accounts. To comprehend 2FA more lucidly, consider this example:

There are several websites on the internet where you can login simply by entering your username and password. It’s an example of one-factor-authentication, where you require only one factor i.e., password to access your accounts. 

On the other hand, 2FA requires an additional step – the second factor – to access online accounts. Most often, you enter your login credentials into the website. If the credentials are correct, the website typically sends you a text message to your website linked phone number. You can login only after entering the code that appears on your device. If you don’t have the code, you can’t be authenticated, and therefore can’t access the account even if you know the correct password.  

No doubt, this two-factor-authentication requires an additional step, but that’s what it’s meant for. The ultimate goal is to protect the online accounts, and the little hassle involved is all the worth it. 

Why do you need 2FA?
Passwords have been the most popular form of authentication since the inception of the virtual world. But this security measure is far from being infallible. Consider these stats:

  • 90% of passwords can be cracked in less than few hours with brute force attacks
  • 2/3rd people use same passwords everywhere

The vulnerability of passwords is the most important reason for need of two-factor-authentication. 

Two-factor-authentication might appear like unnecessary hassle. After all, you need to take an extra step to log into your favorite website. But, without two-factor-authentication you are left vulnerable to cyber criminals. A single mistake like shoulder surfing of password, entering credentials into a fake phishing website etc can compromise your account forever.

After hacking your account, cyber criminals can inflict unacceptable damage. Consider the possibilities detailed below:

Financial Gain: Once the hacker has all the sensitive private details about you, a hacker can use the same, to fleece you by impersonating an authority like banker. Basically, the innate personal details can be used to garner your trust and then de-fraud you. 

Request for Favors including Money: After hacking your accounts, attacker can seek donations or loans from your family and friends, in your name. These requests are laden with sense of urgency, for example, needing money for an urgent operation. It forces the person on the other end, to comply with the request without much deliberation or confirmation of facts. 

Lewd/ Vulgar Chats: Once hacker has access to your account, he may send lewd/ vulgar message to female friends, family members or even strangers. Even worse, he may seek sexual favors or pass on sexually colored remarks. In all probability, you shall appear the culprit to victim and police.

Phishing Attempts: We know that based on privacy settings, social media sites provide differential visibility of personal information contained in profiles. For example, a friend can see more information vis-à-vis complete stranger of an account. After hacking, hackers collect as much information as possible, about connected profiles and then use the same to design well crafted phishing attempts. It enhances the success ratio of phishing attacks drastically. 

Extortion, blackmail: A hacked social media account, can also be used to demand extortion or to blackmail someone for financial or other gains. 

Thus, a hacked social media account is of enormous utility to hacker. It can used to reach out to new potential target from a trustworthy account, which enhances the success ratio. 

As discussed above, a hacked account can be a lifelong regret. Therefore, this extra step should not deter you from protecting your accounts with two-factor-authentication. This is because this extra layer can protect your account from being hacked. For example, a hacker may have your username and password combination, but may fall short of the code sent to your device through text messages. Similarly, he may not know the answer to security question or may not have the physical USB token needed to breach your account.  

Factor types for 2FA:
Sites employing 2FA can choose amongst several factors to authenticate its users. Here, is a complete list of such factors: 

Knowledge Factor: Many sites employ knowledge factor as authentication mechanism. You are required to enter the verification code sent through text messaging on the linked phone number. In other cases, users are required to answer certain security questions before logging in.  

Possession factor: In these cases, you might need an actual piece of hardware to log into your personal account. For example, to withdraw money from an ATM you mandatorily require ATM card. Similarly, institutions might provide USB token or Yubikey to employees who need to insert it into their computers before they can log into. Some hardware tokens display a digital code that users must enter before accessing their account. 

Software validation factor: You can also download apps that generate 2FA on the local device e.g., Google authenticator. Once you install and configure them, every site that supports 2FA will need the validation code generated by the app for access. 

These apps use Time-based One Time Password (TOTP) algorithm. They generate a unique, time-sensitive six digits code that you must use to sign-in to your account. The code typically works for only 30 seconds.

Here are some apps that you can use of two-factor-authentication. 

  • Google Authenticator: Available for Android, iOS and Blackberry
  • Authy: Available for Android, iOS, but also available as desktop app and browser extension.
  • Microsoft Authenticator: Available for Windows Phone 7

The most popular app among them is Google Authenticator or Authy. The codes are based on time, and determined by an algorithm. Since the authenticator app knows the algorithm, it is able to determine whether you have entered the correct code even in offline mode.  

Biometric authentication: It relies on “what you are” such as your palm-print, fingerprint, voice pattern etc as authentication mechanism. The most commonly and widely used amongst them is fingerprint, where you need to press your finger against a sensor. Once the device recognizes you, access to the account is granted. 

Location factor: Some sites consider location as factor to verify your identity. If you try to log into the website from an unusual location, the site sends you a text message or requires you to answer a security question or input a code before granting access to your account. 

Again, if you try to log into your account from a place and another person tries to log in from a different country, the system may automatically block such attempt. 

Voice factor: Some websites send you a voice message giving you a code that you must enter to gain access to your account created on the website. 

Push notifications factor: When you enter your log-in credentials into the website, a push notification is sent to your smartphone. A message then appears on your phone requesting you to approve your log-in attempt with a tap. Once you tap the site, it allows you to log-in.

How secure is 2FA? Can it be Cracked?
The efficacy of 2FA depends primarily on two factors:

  • Chosen form of authentication 
  • Security of channel used to deliver/ generate 2FA 

2FA can also be compromised and the methods include - 

Compromised device: Your mobile phone can be compromised with malwares or spywares, to intercept your text messages. Similarly, loss of phone, Rubikey, USB token, ATM card etc limit the utility of 2FA security. 

Guessing the code: Two-factor-authentication is based on a code which is usually of six digit. Mathematically, the possibility of someone guessing it is 1/ 1000000. Thus, if you run out of luck, someone may guess your code perfectly.  

Social engineering: Hackers tend to manipulate people with social engineering techniques to make the users share their verification code. In these scenarios, the users are themselves responsible for compromise of the accounts. 

While two-factor-authentication can also be bypassed, yet the risk is considerably reduced. 2FA certainly helps to protect our online accounts better. 

Is two-factor authentication all I need?
While two-factor-authentication certainly adds up to your online account security, but it doesn’t mean that you should disregard security of your password. Besides, your mobile phone should be secured properly with pincode, passcode or biometric methods. It will ensure that even if your phone goes missing or is stolen, the person won’t be able to access your codes.  

Additional password security measures: If you are looking for additional steps to protect your online accounts while using two-factor-authentication, then consider these:

  • Do not reuse passwords across multiple accounts.
  • You password should at least be 13 characters long and be a mix of uppercase and lowercase letters, number and special characters. 
  • Don’t use personal information like DoB, address, name in your passwords. 
  • Don’t post too much personal information on the internet. It may enable hackers to answer your security questions. 
  • Don’t share your password with anyone nor write it anywhere
  • Change your passwords regularly and if possible not later than 90 days
  • Avoid common substitutions in your passwords e.g., a and @, 1 and ! etc
  • Regularly check for data breaches
  • Don’t open insecure websites on public Wi-Fi
  • Use latest patches and upgrades  

You can use the website twofactorauth.org to find out the websites that employ 2FA. 

Accounts where 2FA is must:
Google / Gmail: This is generally the most important account you have. Besides it is linked with multiple other accounts including financial ones. Therefore, you should enable 2FA in this account proactively. After you shall enable 2FA, you will receive a six digit codes on your linked number via text message. Subsequently, Google will prompt you to enter the code every time you want to log-in from a new device. 

Also make sure to link a backup email address and a phone number. You can also use Google authenticator app, which works even in offline mode. You may also like to generate back up codes. These 8 digit codes will enable you to login, even if you exhaust all other possible options.  

Facebook: All major social networks allow 2FA protection including Facebook. In fact, it had launched login approvals as early as 2011. This security feature requires you to enter a six digit code every time you try log-in from a new device. You receive the verification code on your registered mobile number via text message. 

You can find comprehensive list of all the services that offer 2FA at twofactorauth.org

Challenges - Why Not All Users / Websites Employ 2FA?
Two-factor-authentication in its crude form first appeared in 1990s, but is yet to be universally implemented. In fact, studies worldwide have shown that approximately 30% people have never used 2FA. 

The reasons stated for same includes inconvenience and privacy concerns associated with use of two-factor-authentication. Few claim to see no enhancement in online security with adoption of this additional authentication mechanism. The researchers concluded that misinformation and disinformation was responsible for slack adoption of this 2FA.

Another roadblock is the financial expenses involved in its effective implementation. The agency implementing it has to cover all the possible scenarios – different devices, different usage habits, different locations, use of VPNs etc. It’s difficult to estimate volume of text messages and expense involved in sending them to different locations across the world.  

Many small organizations lack the requisite infrastructure to setup two-factor-authentication. For example, a company may lack human resources with adequate knowledge to setup 2FA and to make sure that it shall work perfectly.  

Finally, another issue is digital illiteracy of end users who may not appreciate the importance of 2FA. With little to no perceived value, the process usually fails. Except for security enthusiasts and those having experienced hacking episode in the past, people are not eager to adopt 2FA security.

But, with time as data breaches are becoming commonplace, more and more websites will be implementing and adopting two-factor-authentication. 

Conclusion:
Two-factor-authentication makes it difficult for hackers to access your online accounts. Attackers will likely move onto another target that is not 2FA protected, rather than spending considerable amount of time and energy in overcoming your two-factor-authentication. 

Another benefit of two-factor-authentication is its convenience. As most people carry phone along-with them therefore, no extra effort is required in entering the 2FA code.  Finally, two-factor-authentication is must for critical accounts like password managers, online banking, e commerce, emails, cloud storage accounts, social network accounts, etc.