A Little About 2FA: Two-Factor Authentication

    Today we look at two-factor authentication and how it works.

    Two-factor authentication, or 2FA, is a method of identifying a user in a service that uses two different types of authentication data. This additional level of security protects your account more effectively against unauthorized access.

    Two-factor authentication requires the user to have two of the three types of credentials.

    These types are:

    • Something the user knows;
    • Something the user has;
    • Something inherent in the user (biometrics).

    The first item covers passwords, PIN codes, secret phrases and so on, that is, anything the user remembers and enters into the system when prompted.

    The second item is a token, that is, a compact device owned by the user. The simplest tokens do not require a physical connection to the computer: they have a display showing a number that the user types into the system to log in. More complex ones connect to computers via USB and Bluetooth interfaces.

    Today, smartphones can act as tokens, because they have become an integral part of our lives. In this case, the so-called one-time password is either generated by a special application (for example, Google Authenticator) or delivered via SMS. The latter is the simplest and most user-friendly method, which some experts rate as less reliable.

    In the course of the study, in which 219 people of different sexes, ages and professions took part, it emerged that more than half of the respondents use two-factor SMS authentication on social networks (54.48%) and when working with finances (69.42%).

    However, when it comes to work matters, tokens are preferred (45.36%). Interestingly, the number of respondents using these technologies voluntarily is approximately the same as the number using them on the orders of superiors (or due to other compelling circumstances).

    [Figure: popularity of various technologies by field of activity]

    [Figure: respondents' interest in 2FA]

    Tokens fall into two groups: those producing time-synchronized one-time passwords and those producing one-time passwords based on a mathematical algorithm. Time-synchronized one-time passwords change constantly, at regular intervals. Such tokens keep in memory the number of seconds elapsed since January 1, 1970, and show part of this number on the display.

    For the user to be able to log in, the client token and the authentication server must be synchronized. The main problem is that over time they can drift out of sync, but some systems, such as RSA's SecurID, make it possible to re-synchronize the token with the server by entering several access codes. Moreover, many of these devices do not have replaceable batteries, so they have a limited service life.
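    To make the synchronization problem concrete, here is an added example (not code from the original article or from any vendor) of a server-side check for time-based codes. It assumes the standardized TOTP construction (RFC 6238, HMAC-SHA1, 30-second steps), in which the displayed code is derived from the time counter and a shared secret; the Verifier class, its acceptance window and its drift tracking are hypothetical names and design choices for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """Code a token shows when its own clock reads unix_time."""
    return hotp(secret, unix_time // STEP, digits)

class Verifier:
    """Hypothetical server side: tolerate small clock drift and remember it."""

    def __init__(self, secret: bytes, window: int = 1, digits: int = 6):
        self.secret, self.window, self.digits = secret, window, digits
        self.drift = 0          # learned token clock offset, in steps
        self.last_counter = -1  # highest counter already accepted

    def verify(self, code: str, server_time: int) -> bool:
        base = server_time // STEP + self.drift
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            if counter <= self.last_counter:
                continue  # each code is accepted once only (replay guard)
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):
                self.drift += delta  # follow the token's clock from now on
                self.last_counter = counter
                return True
        return False  # outside the window: the token needs a resync
```

    A token whose clock is one step slow is accepted and its offset remembered, while a token several minutes off falls outside the window and has to go through a resynchronization procedure like the one described above.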

    As the name implies, passwords based on a mathematical algorithm use algorithms (such as hash chains) to generate a series of one-time passwords from a secret key. In this case, it is impossible to predict what the next password will be, even knowing all the previous ones.
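    The hash-chain idea mentioned above can be shown in a few lines. This is an added example, not code from the original article: it sketches a Lamport-style chain with SHA-256 (the hash choice and the Token and Server names are assumptions). Passwords are released in reverse chain order, so predicting the next one from the previous ones would require inverting the hash.

```python
import hashlib
import hmac

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def chain_value(seed: bytes, n: int) -> bytes:
    """Apply H to the secret seed n times."""
    value = seed
    for _ in range(n):
        value = H(value)
    return value

class Token:
    """User side: holds the secret seed, releases H^(n-1), H^(n-2), ..., H^1."""

    def __init__(self, seed: bytes, length: int):
        self.seed, self.remaining = seed, length

    def next_password(self) -> bytes:
        if self.remaining <= 1:
            # Never release the seed itself; a new chain must be enrolled.
            raise RuntimeError("chain exhausted: enrol a new seed")
        self.remaining -= 1
        return chain_value(self.seed, self.remaining)

class Server:
    """Server side: stores only the last accepted value, never the seed."""

    def __init__(self, anchor: bytes):
        self.current = anchor  # H^n(seed), registered at enrolment

    def verify(self, password: bytes) -> bool:
        if hmac.compare_digest(H(password), self.current):
            self.current = password  # the next password must hash to this one
            return True
        return False  # wrong or already-used password
```

    The server database holds nothing that lets an attacker log in: the stored value is the hash of the next valid password, not the password itself.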

    Sometimes 2FA is implemented using biometric devices and authentication methods (the third item in the list above). These can be, for example, face, fingerprint or retina scanners.

    The problem here is that such technologies are very expensive, although accurate. Another problem with biometric scanners is that it is not obvious how to choose the required degree of accuracy.

    If you set the resolution of the fingerprint scanner to the maximum, you risk not getting access to the service or device if you get a burn or your hands are simply frozen. Therefore, for this authenticator to be confirmed successfully, the fingerprint does not have to match the reference completely. It is also worth noting that changing such a “bio-password” is physically impossible.

    How reliable is two-factor authentication

    This is a good question. 2FA is not impervious to attackers, but it seriously complicates their lives. “By using 2FA, you eliminate a fairly large category of attacks,” said Jim Fenton, director of security for OneID. To crack two-factor authentication, the “bad guys” will have to steal your fingerprints or gain access to cookies or codes generated by tokens.

    The latter can be achieved, for example, using phishing attacks or malicious software. There is another unusual way: attackers gained access to the account of Wired journalist Mat Honan using the account recovery function.

    Account recovery acts as a tool to bypass two-factor authentication. After the Honan story, Fenton personally created a Google account, activated 2FA and pretended to “lose” the login information. “Account recovery took some time, but after three days I received a letter that 2FA was disabled,” Fenton notes. However, this problem has solutions. At least, people are working on them.

    “I think biometrics is one such way,” says Duo Security CTO Jon Oberheide. “If I lose my phone, then it will take me forever to restore all accounts. If there was a good biometric method, it would become a reliable and useful recovery mechanism.” In fact, Jon suggests using one form of 2FA for authentication and another for recovery.

    Where does 2FA apply

    Here are some of the main services and social networks that offer this feature: Facebook, Gmail, Twitter, LinkedIn and Steam. Their developers offer a choice: SMS authentication, a list of one-time passwords, Google Authenticator, etc. Recently Instagram introduced 2FA to protect all your photos.

    However, there is an interesting point. Keep in mind that two-factor authentication adds an extra step to the authentication process, and, depending on the implementation, this can cause anything from small logon difficulties (or none at all) to serious problems.

    For the most part, the attitude to this depends on the user's patience and desire to increase the security of the account. Fenton expressed the following thought: “2FA is a good thing, but it can complicate the lives of users. Therefore, it makes sense to use it only in those cases when the login is from an unknown device.”

    Two-factor authentication is not a panacea, but it helps to seriously increase account security with a minimum of effort. Complicating the life of crackers is always good, so using 2FA is both possible and necessary.

    What awaits 2FA

    Today, many organizations rely on security methods based on multi-factor authentication, including high-tech companies, the financial and insurance sectors, large banking institutions, public sector enterprises, independent expert organizations and research firms.

    Oberheide notes that many users who were skeptical of two-factor authentication soon discovered that things weren’t so complicated. Today 2FA is experiencing a real boom, and any popular technology is much easier to improve. Despite the difficulties, a bright future awaits it.

    P.S. By the way, we recently introduced two-factor authentication to increase the security of your 1cloud account. After activating this method, to enter the control panel the user needs to enter not only an email address and password, but also a unique code received via SMS.
