With everything rapidly moving online, it is important to protect your information. Don’t let someone steal your identity away. Two-Factor Authentication (2FA) is the use of more than one level of authentication to prove one’s identity. It is part of what is known as multi-factor identification, which employs many components to ascertain the identity and allow access to the asset.
The type of identification with which we are most familiar is to enter a username and password. However it’s possible that these may be hacked and your information, identity, and money may be stolen. It’s best then to use a second factor to ensure security.
The one with which we are probably most familiar is the application which is used on a mobile phone to generate a 6-digit code which is then put into the browser to verify your identity. But let’s first look at the basics.
Identify yourself! There are three main ways by which to confirm who you are. They are knowledge, possession, and inherent identification. Basically, they are something you know, something you have or something you are. Using two of these factors is what is known as two-factor identification. Let’s delve a little deeper.
You can verify your identity by confirming something you know. This is the form of authentication that is most popular.
The simplest version of this is supplying a username and password. The password should be a secret word that only you know. This could, for example, consist of a phrase, numbers and letters, or a PIN. This works securely if you keep the information to yourself.
Some sites use an e-mail or SMS to set up a “one time PIN” in which a sequence of letters is generated uniquely for each login. This method can be used to access internet banking or other sites where security is a priority.
In its simplest form, it could be that you have a key to unlock a door and only you possess it. As far as computer systems are concerned, you may have disconnected tokens not attached to the computer with a built-in screen from which data is typed in by the user.
Connected tokens are physically connected to the computer and transmit their data automatically. An example of this is a USB of a flash drive. A software token is a type of 2FA device which may be used to authorize the use of computer services. They may be stored on a general-purpose electronic device such as a desktop, laptop, or mobile phone.
These are factors associated with the user and are usually biometric methods. Biometrics is the technical term for body measurements and calculations. It is used in computer science as a form of identification and access control.
This could include fingerprints, face, and voice recognition. Fingerprint recognition is actually used by law enforcement agencies to connect known criminals to crime scenes where fingerprints are found.
Voice recognition could be used to identify yourself to the call center when you are calling about medical information. Also used, could be an image of your iris that is used for passports and other important documents.
Even behavioral biometrics can be used in two-factor authentication. Behavioral biometrics relates to the uniquely identifying and measurable patterns in human activities. The term is not the same as physical biometrics which measure innate human characteristics. They include keystroke dynamics, gait analysis, mouse use characteristics, and even signature analysis.
Financial institutions, businesses, and government facilities are increasingly using behavioral biometrics to increase security. Biometric data is gathered and then a software application digitally picks out specific points in the data which are called match points.
An algorithm is then used to translate these match points into a numeric value. The database value is then contrasted to that of the biometric input the user has entered and is either authenticated or rejected.
There is a fourth factor of identification, which is being increasingly used. This involves the physical location of the user. While connected to the network, the user would be allowed to log in by entering, for example, only a PIN code as opposed to not being connected to the network when the user could use a soft token to connect.
Network control systems can be used in similar ways, where the level of access might depend on if you are on a wifi or wired connectivity. This allows the user to be free to move to other places and receive the same level of access each time. This brings improved efficiency and effectiveness.
Possession drawbacks and voice biometrics
Possession authentication means that you must have something in your possession to authenticate yourself. This was the lock and key example from above. You must actually possess the physical token and you must carry it around. Examples of this can be a USB stick, a bank card, or a magnetic token to open a security door. The basic risks to this are obvious: loss and theft.
Many organisations don’t allow you to use a USB stick because they’re scared that their systems will be infected with a virus. Some organisations have computers without USB ports for this very reason. A different token is usually required for entry into each system.
Biometrics is really the modern version of possession authentication. You possess your fingerprints, your eyes, and your voice. They are all easily accessible. This is much better than carrying a hardware device around with you which may get broken or stolen or lost.
Voice recognition is becoming an increasingly popular method of how to ascertain your true identity. Voice recognition services are available over HTTP-based API’s and are simple to implement. A username and password are provided or some other first-factor identification code and then you are asked to say a certain phrase that is processed for voice recognition in order to grant you access in the future.
The mobile phone
Mobile phone two-step authentication is more secure than single-step authentication and although it suffers from some security concerns, it’s a useful tool and is always at hand. You normally access your phone with a passcode in any event and on the phone, a new code is independently generated by a specifically designed and downloaded app.
These apps are available both on the Google and Apple operating systems. Using an SMS or email sent to the relevant address with a one-time code can also be used. Although this is often an approved way of identification, it has security issues of its own and using the app system is better.
The way forward
Two-factor authentication does have its problems. It takes time to input the codes or passwords and there is the added risk that you may forget them. There are recent advances in the field which have as their objective to be more user-friendly and not pose so much of a hindrance.
New ideas include using the Global Positioning System and a gyroscope or accelerometer. The gyroscope indicates orientation, while the accelerometer measure acceleration in a straight line based on vibration.
These types of authentication are fast becoming more trustworthy. Even comparing ambient noise captured by a mobile phone with the noise recorded by a computer in the same room has been used as authentication.
The normal two-factor interaction mechanisms require you to interact with your phone and copy the passcode to your browser. This is an additional step that the user has to traverse and can be, if not complicated, at least annoying. However, authentication systems that eliminate user-phone interaction do exist.
One of the more interesting ideas is the above-mentioned ambient sound system. Here, the authentication is the proximity of the user’s phone to the device being used to log in. This is verified by comparing the ambient noise picked up by both device’s microphones. The recording of the audio is automatic and does not need any user input. You just type in your normal password and the 2FA is done remotely.
Two-Factor Authentication via SMS
For this type of authentication, you will be asked to provide your phone number. The next time you log in, you will be asked to enter a short numerical code, which is sent to your phone. This does not require installing an app and only needs an SMS capable phone.
In some countries, many people do not have access to a smartphone and thus the use of SMS would be suitable. In the developed world, strangely enough, it is still very common to use this type of authentication. It’s simple and is still a significant step-up from just entering your username and password and provides much better security.
However, there are some disadvantages to this technique. People may not be comfortable in giving their telephone number to a website or platform. It is something by which they can be identified. And some websites, once they have your number, may use it for their own nefarious purposes like targeted advertising or password resets.
To allow password resets based on your phone number is a particularly vexing problem. Another problem is that you cannot receive SMS if your phone has run out of battery or cannot connect to a mobile network. Also, a person could conceivably convince your phone company to assign another SIM card your number, thus giving access to your two-factor authentication codes.
This application generates codes locally on your phone based on a secret key and matches to that of the website you want to enter. The underlying technology is called Time-Based One Time Password (TOTP) and is part of the Open Authentication (OATH) architecture.
A site offering this type of authentication will show you a secret key and a QR code containing it. You can enter that key into the app to generate the codes or an easier way is to scan the QR code into the application. You can scan the image into multiple phones or tablets and you can print out a copy of it and keep a backup.
Security of TOTP and the PUSH-based system
Once you have scanned or alternatively put in the code manually your application will produce a new 6-digit code every 30 seconds. Similar to the SMS system, you will have to enter one of these codes in addition to your username and password in order to log in.
This, however, is an improvement on that system as you do not have to be connected to a mobile network when you use it because the secret key runs physically on your phone. Even if your number is redirected to another SIM, you still get your codes. However, If your phone dies or gets lost or stolen there is trouble. You need to have a backup.
Duo Push and Apple’s Trusted Devices method will send a prompt to your devices when you log in. This prompt indicates that there has been an attempt to log in, and gives an estimated location for this attempt at logging in. You can then deny or accept the attempt.
This is an improvement on the authenticator app in two ways. It is much easier than typing in a code and it is a little more resistant to phishing. With SMS and the authenticator app, a phishing site can just ask for your code as well as your password. Then it uses that code to log into a legitimate site.
FIDO security keys
FIDO or Universal Second Factor (U2F) is a quite a new type of two-factor authentication which uses small USB devices.
You register your device on the site, and then each time you log in, you are prompted to connect your device and tap it to log in. This means that you do not have to type in any codes. The U2F device recognises the site you are on and gives you a code specific to that site.
This means that the U2F is phishing proof because the browser includes the site name and the device won’t connect with a site it to whose name it has not been registered on.
U2F also affords good privacy. You can use the same U2F device for multiple sites and it stores a unique identity which is used to log into each site so a single device identity cannot be used.
Perhaps some issues with U2F is that some browsers have yet to support it and also, it works mainly with USB ports so using a mobile device can be difficult. There are however connections these days which you can use to mate your mobile to a USB port.
Nevertheless, you could log in on your mobile device using TOTP and when you want to use your desktop, for extra security against phishing employ the U2F device.
We have come a long way from there being a certain lock in which a key specific to you turns.
The principles are the same for two-factor authentication.
You log in with your normal details and then you have to bring something specific to further identify yourself. This is usually a certain code that is sent to you by SMS or generated on your mobile or U2F device.
Interestingly the ambient sound experiment allows the device and the computer to talk top each remotely to confirm your identity. It is even possible to use your voice, the iris in your eye or the cadence of your typing to identify you.