In this post I’ll explain what two factor authentication (2FA) is, why it is important and how it is used in practice to improve security – primarily the security of your accounts, data and identity on the Internet.
- What is authentication?
- What is multifactor authentication?
- Why is multifactor authentication important?
- Multifactor authentication in practice – 2FA
- Authy – 2FA done properly
- Final notes and author’s personal opinion
- Video demonstration of 2FA install, setup and use
1. What is authentication?
Authentication is a confirmation (or verification if you like) of identity. I’ll use a real life example to explain:
- Someone knocks on your door. “Who is it?”
- “It’s me.”
- If that is the voice of someone you know, you have just authenticated them, using voice recognition.
- If you are cautious enough, you’ll look through the spy hole before opening the door. That is authentication by facial recognition.
Even though two authentication methods were used in this example, it is still not two factor authentication in the narrow meaning of the term: voice and face are both something the person is, so they are two checks of the same factor. I’ll explain in the next chapter:
2. What is multifactor authentication?
To answer this question, I must first explain what the authentication factors are. The three classic factors are what you know, what you have and what you are; two more are often added, which gives five types in use today:
- What I know (knowledge factor): usually a password or PIN, but it can also be the answer to a question such as “the city in which my parents met”. (A username is not a factor: it is an identifier, not a secret.)
- What I have (possession factor): obvious examples are a key, a payment card, a hardware token, a USB security key or a mobile phone.
- What I am (inherence factor): biometric data such as a fingerprint, face, retina scan or voice, as well as behavioural biometrics such as the way one walks, types on a keyboard or pronounces words.
- Where I am (location factor): determined from the phone’s GPS, by geolocating the IP address (if the authentication is done over the Internet), or by confirming that one is inside a monitored restricted space (say, using a landline phone from an office, a police station, the president’s office…).
- When I am trying to authenticate (time factor): refusing access outside a defined time window, issuing temporary, quickly expiring keys or tokens etc.
For an authentication to count as multifactor, at least two different factors must be used. Two checks of the same factor (a password plus a security question, or a voice plus a face) do not qualify.
3. Why is multifactor authentication important?
Say someone who knows you well manages to crack your e-banking password. A password is a knowledge factor. A person who knows you well might have no problem passing other knowledge factor checks (if the bank has them set up): where your parents met, which school you went to etc.
On the other hand, if another factor was introduced, like a confirmation code sent to your mobile phone, taking over the account would be a lot harder, since another hurdle appears: getting hold of your mobile phone (or intercepting the message carrying the code).
So, while any single factor can be “hacked”, it takes enormously more effort to defeat several different factors at once. For example, if you have multifactor authentication set up for your e-banking application and you find out your bank’s customer passwords have been breached, your account is still protected, which gives you time to change your password.
I hope it is now clear why multifactor authentication is important.
4. Multifactor authentication in practice – 2FA
In practice, the most commonly used form of multifactor authentication today is two factor authentication, also referred to as 2FA. It usually combines a password (knowledge factor) with a code generated by a mobile phone application, or sent by SMS (possession factor).
It should be noted that SMS can be intercepted relatively easily, and the phone number itself can be hijacked by a SIM swap, so it is safer to use an authenticator application. Such an app needs no network connection at all: the codes are computed on the phone itself. The most popular application is Google Authenticator, and most websites that offer app-based 2FA support it; any application that implements the same open standard (TOTP) works just as well.
How does it work? When setting up 2FA for a website, its server generates a secret key and hands it to the application on the mobile phone, usually as a QR code that you scan. From then on, whenever you log in with 2FA, the server calculates a value (usually a six digit number) from the current time and that shared secret, using a keyed hash (HMAC). The server never shows this number. The mobile app calculates the same number with the same algorithm and, unlike the server, displays it to you, so you can enter it on the website and authenticate that way. Since both sides need only the secret and the current time, the app works offline.
This number is called a TOTP (Time-based One-Time Password, standardised in RFC 6238). It is usually valid for 30 seconds; then another number is calculated, again valid for only 30 seconds. Servers typically also accept the code from the previous and the next 30 second window, to tolerate small clock differences between the phone and the server.
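Here is the calculation just described, as an added example (not code from this post, nor from Google or Twilio): a self-contained Python implementation of HOTP (RFC 4226) and TOTP (RFC 6238), which is what Google Authenticator and Authy compute, plus the server-side check with a one-step tolerance window. The secret is the 20-byte test key from the RFCs, so the values in the comments are the published test vectors; `new_secret` and `provisioning_uri` show how a site would generate a fresh secret and pack it into the otpauth URI that the enrolment QR code carries (the account and issuer names are placeholders I made up).

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238): what authenticator apps and servers compute."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse
from typing import Optional

# The 20-byte ASCII secret "12345678901234567890" used for the test vectors in
# RFC 4226 and RFC 6238, shown as base32, which is how secrets travel inside QR codes.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(b32: str) -> bytes:
    """Base32 secrets are often displayed in spaced groups and without '=' padding."""
    s = b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """One-time password from a shared key and a counter (RFC 4226 dynamic truncation)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with counter = floor(unix_time / step). No network needed."""
    if at is None:
        at = int(time.time())
    return hotp(key, at // step, digits)


def verify_totp(key: bytes, typed: str, at: Optional[int] = None, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the current step and `window` steps either side
    (clock drift), compare in constant time, reject malformed input.
    A real server must also rate-limit attempts and refuse to accept the same code twice."""
    if not (typed.isdigit() and len(typed) == digits):
        return False
    if at is None:
        at = int(time.time())
    counter = at // step
    matched = False
    for c in range(max(counter - window, 0), counter + window + 1):
        # no early return, so timing does not reveal which step (if any) matched
        matched |= hmac.compare_digest(hotp(key, c, digits), typed)
    return matched


def new_secret(nbytes: int = 20) -> str:
    """What a site generates at enrolment: 160 random bits, base32 for the QR code."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode()


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The otpauth URI the enrolment QR code encodes (the de facto format the apps read)."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({"secret": secret_b32, "issuer": issuer,
                                    "algorithm": "SHA1", "digits": 6, "period": 30})
    return f"otpauth://totp/{label}?{query}"


if __name__ == "__main__":
    key = decode_secret(RFC_TEST_SECRET_B32)
    print("HOTP counters 0..2:", [hotp(key, c) for c in range(3)])  # 755224 287082 359152
    print("TOTP at T=59, 8 digits:", totp(key, at=59, digits=8))    # 94287082
    print("code right now:", totp(key))
    print(provisioning_uri(new_secret(), "alice@example.com", "ExampleBank"))  # placeholders
```

Note that the phone only ever needs `decode_secret` and `totp`; `verify_totp` is the website's side of the exchange, and the tolerance window is why a code sometimes still works a few seconds after it has rolled over.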
What happens if you can’t use your phone, or if it gets lost or stolen? When setting up 2FA, you are given several backup codes, each of which can be used once, for exactly such situations. Where to keep these codes? More on that in a separate post. Still, there is a more elegant solution, explained in the next chapter:
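Enforcing the “once each” property is the website’s job. The following added example (not from this post or any particular site) generates a set of backup codes the way a site would hand them out, keeps only a salted slow hash of each on the server, and deletes a code’s hash on its first successful use. The code format (two groups of five digits), the hash parameters and the `BackupCodeStore` name are my own illustrative choices.

```python
"""Single-use backup codes: generation, storage and consumption on the server side."""
import hashlib
import secrets
from typing import Iterable, List, Set

DIGITS = "0123456789"


def generate_backup_codes(count: int = 10, groups: int = 2, group_len: int = 5) -> List[str]:
    """Random, distinct codes such as '48213-90177', shown to the user exactly once.
    Ten digits is about 33 bits of entropy; that is enough only because the server also
    rate-limits redemption attempts (assumed here) and each code dies after one use."""
    codes: List[str] = []
    while len(codes) < count:
        code = "-".join("".join(secrets.choice(DIGITS) for _ in range(group_len))
                        for _ in range(groups))
        if code not in codes:
            codes.append(code)
    return codes


class BackupCodeStore:
    """What the server keeps per account: a per-account salt and the hashes of the
    unused codes. A database leak then yields no directly usable codes, and the slow
    hash (PBKDF2 here) makes brute-forcing the small code space from the leak costly."""

    def __init__(self, codes: Iterable[str], iterations: int = 50_000) -> None:
        self._salt = secrets.token_bytes(16)
        self._iterations = iterations
        self._hashes: Set[bytes] = {self._digest(c) for c in codes}

    def _digest(self, code: str) -> bytes:
        # Normalise what the user typed: separators and spaces are presentation only.
        normalised = code.replace("-", "").replace(" ", "").encode()
        return hashlib.pbkdf2_hmac("sha256", normalised, self._salt, self._iterations)

    def redeem(self, typed: str) -> bool:
        """True and the code is consumed; False otherwise. A second use of a code fails."""
        candidate = self._digest(typed)
        if candidate not in self._hashes:
            return False
        self._hashes.remove(candidate)
        return True

    def remaining(self) -> int:
        return len(self._hashes)


if __name__ == "__main__":
    issued = generate_backup_codes()
    print("Hand these to the user once:", issued)
    store = BackupCodeStore(issued)
    print(store.redeem(issued[0]), store.redeem(issued[0]), store.remaining())  # True False 9
```

The point of hashing is the same as for passwords: the plaintext codes exist only on the piece of paper (or password manager entry) the user keeps, never in the site’s database.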
5. Authy – 2FA done properly
Authy is a two factor authentication application made by Twilio, the company that also owns SendGrid. It is free for end users; Twilio’s explanation is that the paid product is the underlying 2FA service, sold to companies that want to add 2FA to logins on their own servers.
In practice it does the same thing Google Authenticator does, and since both implement the same TOTP standard, practically every website that supports Google Authenticator works with Authy as well.
Why do I prefer Authy? Because it can be installed on any computer, not just on a mobile phone. You authorise a computer from the app (the process is similar to setting up 2FA on any website), and you can give it a descriptive name (Business, Home, Laptop…). If any of the computers is compromised or stolen, you log into the app from any other computer or phone and de-authorise the stolen one. Authorised computers are also password protected, as an additional measure, so a colleague can’t just quickly sit at your desk and (ab)use Authy’s 2FA. Bear in mind that every authorised device holds a copy of your secrets, so authorise only the devices you really need.
For me it is more practical not to depend on a phone, and to be able to log in using just the computer I’m working on. I also don’t have to use up backup codes when my mobile phone is not working or is not accessible for any reason.
Of course, if your phone gets stolen, make sure to de-authorise it and re-enrol 2FA on your accounts with a new phone; the stolen phone still holds the old secrets, so generating new ones matters. This goes for any 2FA application, not just Authy.
6. Final notes and author’s personal opinion
Use 2FA for everything that is important to you, meaning anything where unauthorised access could cause you a lot of trouble. Bank accounts or your Facebook page – it’s up to you to decide.
As I explained in the post about website security, no system is 100% secure (in other words, a 100% secure system is useless, by definition). Yet multifactor authentication does increase security by a large margin, without adding an enormous amount of extra hassle or inconvenience. In addition, I’d recommend reading the chapter about safe habits in the above-mentioned post.
Multifactor authentication protects you both from “evil hackers” and from your own mistakes, such as clicking on a phishing link and entering your password on a fake website (which saves it and uses it on the real one later). One caveat: a phishing site that relays your password and your current code to the real site immediately can still get in, because a TOTP code is not tied to the website it is typed into, so keep checking the address bar even with 2FA enabled. I think that, together with a strong password (not to be underestimated), 2FA is the least you can do for the safety of your property, data and identity on the Internet.
7. Video demonstration of 2FA install, setup and use
For those who prefer to see it demonstrated, I’ve made a short video showing how the Authy 2FA application is installed on a smartphone and on a computer, and how it is configured and used: