TWO FACTOR AUTHENTICATION (2FA) 101: WHAT IT IS, WHY IT MATTERS FOR CYBERSECURITYWritten by Super User
Go beyond the basics of authentication
There are, simply put, three generally accepted methods of authenticating identity: knowledge; possession; and inherence. The first is familiar to everyone in the form of the password, passphrase, PIN, or even the pattern drawn with a finger on some smartphone lock screens; this is also sadly the weakest form of authentication. The knowledge factor relies on something you know, and that's at once its biggest positive and negative.
On the plus side, a user can create (if the login process allows, and all enterprise strength ones should) a truly 'strong' password. I have placed strong within inverted commas for a reason; one person's strength is another's weakness. So, while the user may well think that transposing an “a” for an “@”, and throwing a couple of exclamation marks at their partner's name is strong, a hacker could crack it in less time than it took me to write this sentence.
Password complexity and randomness
And here's the thing: Not only can dictionary attacks take out any password that's easy for the user to remember, but brute force attacks can do a pretty good job of those where strength has been confused with complexity and randomness. Not that the attacker need worry about cracking your passwords half the time; they often gain control of your email through a phishing attack, and that makes resetting your passwords simple. And disastrously simple at that if you, like the majority of people, reuse the same piece of knowledge-based authentication to access multiple sites and services. (By the way, there’s an “app for that” to help you manage your passwords. This article “The Best Password Managers for 2017” in PCMagazine gives you a grid of how to choose one that’s best for your needs.)
How Two-Factor Authentication (2FA)works
Earlier I mentioned three methods of authentication of knowledge, possession, and inherence.
Knowledge: It’s not always enough and does not always equate to intelligence. Certainly in the cybersecurity world a little of it can have big consequences. Another layer of protection is needed, and that's where Two-Factor Authentication (2FA) comes in.
By adding another layer of authentication, which can either be through possession (something you own) or inherence (something you are), accessing your accounts and services suddenly becomes exponentially more difficult for the bad guys. Not impossible, but by applying a secondary authentication factor, the task becomes so much harder that it will protect most accounts from most would-be attackers.
Possession: Think of 2FA in terms of protecting your vehicle if you like. A steering wheel lock deters the casual thief, but can be broken fairly quickly by a seasoned criminal. Yet if the car also has an engine immobiliser the theft will take longer, be much harder, and require different hardware.
Traditionally, the second factor in a 2FA equation has involved possession. The thing that you “own” being a token. This can be in the form of a hardware token or increasingly a one-time authorization code (OTAC), also known as a one-time password (OTP). Whatever you call it, this code can be generated by dedicated hardware (not dissimilar to the hardware token already mentioned) or more likely, the user's smartphone. Once the user has passed the username/password login phase of the authentication process, they are asked to input a code. These 'soft tokens' are generated either by an authenticator app on the device or sent via a text message on demand.
Whichever method is employed—and text messaging is slightly less secure because of the potential for interception—the output is the same: a cryptographically secure one-time passcode that is time limited to 30 or 60 seconds depending on the settings at the server end. Because most staff not only already have the hardware to generate the codes, but also carry it around with them everywhere, implementation costs and staff training are both kept to a minimum.
So how does this one-time code generation work again? Well, the OTAC itself is a hash-based code that uses a combination of a secret key (the user initially enrolls with the code server) and the current time to generate a code using a cryptographic hash function. The code expires to the pre-determined countdown timer, and if the right code is entered in the right timeframe, then you are authenticated.
Inherence: But why not use the inherence factor instead? After all, something that you are is far more secure than your smartphone or a bit of plastic hanging from your key fob, right? The truth is that the jury is out on that one. Biometrics—that's what we are talking about here—can be a very secure method of authentication in most scenarios. Fingerprint scanners can be fooled, but it involves a lot of determined James Bond-style preparation with things like the target’s prints being lifted and transferred onto latex. Similarly, facial recognition software and even iris scanners have been fooled with photos in the past. However, the real problem with biometrics is cost, both in terms of initial rollout and ongoing support through the enrollment and usage phases.
Multi-factor authentication is ideal
This could all change as fingerprint scanners for smartphone access becomes the de-facto specification. I already have my authenticator app locked down with a fingerprint scan required to access it. This means I've kind of hit the multi-factor authentication sweet spot: all three factors in use at once.