Two Factor Authentication:
Next level security
Whether via social engineering, carelessness, or nefarious hacking, cybercriminals can, and potentially will, get hold of your passwords. Even if you make the most elaborate, difficult to guess password, an extremely determined hacker could still crack it. How can you better protect your online accounts?
The answer is Two Factor Authentication, or 2FA for short.
2FA does pretty much what it says on the tin: instead of using just one form of authentication, a password for example, to access your account you provide a second form of authentication as well.
The second factor could take the form of a one-time password generated by an app on your mobile, it could be a USB token, or even a form of biometric authentication eg. Fingerprints, retinal scans, a voice print, or other James Bond/ Mission Impossible style digital wizardry.
Knowledge and Possession Factors
A Knowledge Factor means that the user has to provide their knowledge of some kind of secret: a secret answer to a question, a PIN, or a password for example.
A Possession Factor is something that the user has. This is the oldest form of authentication and could, for example, be the key for your house. The important distinction between knowledge and possession factors is the physical aspect: although you technically “possess” your password or PIN, they aren’t a physical item, like a key.
Knowledge Factors represent the most common form of 2FA and almost everyone reading this will have used it.
Picture the scene: you arrive at an ATM, having remembered that you need some cash to buy sweeties with, you slide your debit card into the designated slot and next you are prompted to input your PIN and bingo! You’ve just used 2FA. Get yourself some well-earned sweeties as a reward.
Most folks don’t realise that accessing an ATM uses 2FA but it does: the machine first reads the information present on your physical debit card; you then provide you PIN and are allowed access to your account.
Tokens and Apps
“Tokens”, specifically disconnected tokens in this case, are the next most common form of 2FA. Tokens technically come under Possession Factors, but are quite different from the traditional lock and key.
A typical Token is pocket sized, with an LED or e-ink display and possibly a button in order to display a one-time code, which is requested when you try and log in to an applicable service.
A fair few online video games make use of physical security key tokens in order to better protect their users, often offering incentives for their use.
World of Warcraft, Star Wars: The Old Republic, Wildstar, Guild Wars 2 and a few others all offer 2FA services. You can find out more at the links provided.
Most services that offer a physical security key token also offer a digital alternative in the form of an app. The app performs exactly the same role as the physical token but without the need to carry another gadget around.
The drawback is that if you lose your phone then you lose all of your tokens and resetting/ deactivating your tokens can be a long and annoying process depending on the provider.
Both the physical and app based security tokens work in much the same way. An authentication server runs a cryptographic process in order to create a number, usually around six digits and changing every 30-60 seconds. When you try and log in you activate the token or app and input the number, this is then checked against the authentication server and you are allowed access.
This is a very difficult process to try and hijack, providing an excellent level of security extremely easily for the user.
Google provide a 2FA app that works with all of their services and a few other third party services, highly recommended. The Google Authenticator provides an easy to use and setup security key for your Google accounts.
I have so many online accounts attached to my Google profiles. If they were to become compromised then my whole digital world crumbles like a sand castle full of my personal and financial information. It’s a no brainer that takes mere minutes to setup and adds a huge amount of security.
Connected Tokens and USB keys
Connected tokens differ from disconnected tokens in that they need to be physically connected in order to perform authorisation, go figure. Connected tokens are more or less the digital ages answer to the common key and lock.
Common examples that you might recognise are: Magnetic strips, Smart keycards, Radio-frequency identification (RFID), proximity keys, or possibly USB keys.
A fair few folks will be familiar with Smart keycards, magnetic strips and proximity keys. All three are commonly used for access to flats, offices or super-secret military bases.
Office workers may also be familiar with USB security keys. They can either be standard USB’s with security credentials stored on them, or specifically designed USB keys which are used for authentication only.
Basically when you are trying to login the server will send a challenge that your USB key will answer, allowing you to log in successfully. It really is like a key for a lock, if the lock only appeared when you wanted to use it.
Inherence Factors are anything that the user is: finger prints, voiceprint, or iris scans.
They are far less common, partly due to the expense of the tech and partly due to the programming expense, although some laptops now come equipped with very basic fingerprint scanners.
The obvious advantage of this form of authentication is that you are the only one with your fingerprints or iris, I hope. Unfortunately you can mechanically reproduce an artificial fingerprint, voiceprint or iris scan, so it’s not infallible, just like the movies taught us.
What we’ve learned
Two Factor Authentication is a brilliant, and often cheap or free, way of beefing up your home or online security.
In fact, when it comes to the Google Authenticator, authenticators for your games, or email authentication, you really have no excuse not to and in fact could get a nice little bonus for doing so.
Get smart and protect yourself online!