Two Factor Authentication
What is 2FA, and why do we need it?
In today’s cybersecurity landscape, threats are everywhere, and keeping user accounts secure is a constant game of cat and mouse. In the early days of the internet, having a password like “ilikepie” wouldn’t have been a problem, but this is no longer the case. On the modern internet, attackers take massive lists of leaked passwords and try them against the logins for the services you use every day, or they point automated cracking tools at the stored (hashed or encrypted) form of your password that those services keep. With enough time and computing power, any password can be cracked. No password is truly invincible.
Enter two factor authentication (2FA). 2FA basically says that to successfully log in you need your password, and a little something extra. It secures accounts by requiring 2 factors for authentication instead of the one you already have. Factors include something you know, something you have, and something you are. Let’s get into a better description, and some examples of each:
Something you know:
Just like it sounds: a piece of information that you need to know. Examples include passwords, PINs, one-time recovery codes, etc.
Something you have:
This method of authentication relies on you having a specific electronic device, with the theory being that you’ll always have it on you, making it both convenient and secure. After all, if you have it on you, someone else can’t have it on them, so only you will be able to log in to your account. Examples include authenticator apps (Google Authenticator, Duo Mobile, etc.), push notification login, physical security keys (e.g., YubiKey), etc.
Something you are:
The theory behind this authentication method is very close to that of something you have: it is always on you, and can’t easily be stolen. Examples include fingerprint (Apple’s Touch ID), faceprint (Apple’s Face ID), and retinal scanners. There are other methods that could potentially be used, but these are far less common (e.g., walking gait, typing speed). There is also an argument that something you are could include metadata around your login, such as the time zone on your device, IP address, keyboard model, etc. These pieces of metadata could be combined to create a unique fingerprint of who you are, but for practical reasons they are almost never used as an authentication factor: they are behavioral, fluctuate wildly, and can be changed or spoofed, which defeats their security. Most often, services use this metadata to flag suspicious login attempts rather than to authenticate directly.
What are the most commonly supported 2FA methods, and just how secure are they?
Email
Since you can access your email from anywhere, and a typical implementation of 2FA through email involves entering a code, email 2FA gets classified as something you know. What this means is that you have a password (something you know) plus an authentication code (also something you know). So unless your email account itself is protected with 2FA, email as a 2FA method is not actually 2FA, just a somewhat more secure 1FA.
Text/SMS
Texting is a bit more complicated when determining what kind of authentication factor it is. After all, you can only access texts on your phone, which should make it something you have, right? That makes sense… until you consider that SMS messages are not end-to-end encrypted, meaning anyone with the right tools or access could theoretically intercept those codes. Since the codes you get aren’t generated on the thing you have, I would consider SMS authentication something you know once more, effectively making SMS 2FA just a slightly more secure 1FA. Add on a social engineering attack known as “SIM-swapping”, where an attacker convinces your mobile carrier to move your number (and therefore your texts) to a phone they control, and you get a slightly more secure 1FA that is pretty trivial to bypass.
Biometrics
Biometrics are a staple example of something you are. But out in the wild, implementations of 2FA for biometrics tend to be lacking. Because biometrics have historically been more secure than passwords, applications often start a session with a password (1FA) and then use operating system features to allow continued access via biometrics. Functionally, this just swaps a “something you know” for a “something you are”, meaning there is no real 2FA there, since both factors are not required every time you authenticate.
Authentication Apps
All authentication apps are an example of something you have, and come in a variety of different flavors:
Push Notifications
Push notifications are probably one of the most technically complex 2FA methods an authentication app can use. Basically, when you try to authenticate, the cloud is used to send a notification to your phone asking you to verify that you are indeed trying to log in. Because of this, it’s pretty hard to be tricked into entering your code on a phony site that looks legit; the added convenience also adds security. Sounds perfect, right? However, like all 2FA methods, push notifications aren’t without fault. Because of the reliance on the cloud, they aren’t purely something you have: theoretically an attacker could convince the servers sending the push notifications that their device is yours and intercept the notification. But this is hard to do. The larger problem to worry about is that push notifications are vulnerable to what’s called a fatigue attack. In this attack, an attacker makes continuous login attempts using a password of yours they have already breached. Each successful password entry triggers a 2FA push notification, and the hope is that you eventually tap Accept on one instead of Decline, banking on human error for the breach to occur.
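As an added illustration (not code from this post or from any MFA product), here is a small detector a defender could run over a push service’s prompt logs to surface the fatigue pattern just described: a burst of denied or unanswered prompts for one user, and worse, an approval that arrives while such a burst is still live. The log format, field names and sample lines are constructed for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines from a hypothetical MFA push service.
# The format (ISO timestamp followed by key=value fields) is assumed here.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z user=alice event=push_denied ip=203.0.113.7
2024-05-01T10:00:20Z user=alice event=push_denied ip=203.0.113.7
2024-05-01T10:00:48Z user=alice event=push_timeout ip=203.0.113.7
2024-05-01T10:01:10Z user=alice event=push_approved ip=203.0.113.7
2024-05-01T10:02:00Z user=bob event=push_denied ip=198.51.100.4
2024-05-01T10:30:00Z user=bob event=push_approved ip=198.51.100.4
"""

# Prompts the user did not approve: each one means someone who already
# holds the password triggered a push and did not get the tap they wanted.
UNAPPROVED = {"push_denied", "push_timeout"}


def parse_line(line):
    """Split '<timestamp> k=v k=v ...' into (datetime, dict)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kv


def detect_push_fatigue(log, threshold=3, window=timedelta(minutes=5)):
    """Return (user, timestamp, alert_kind) tuples.
    'prompt_burst'        : `threshold` unapproved prompts within `window`
    'approval_after_burst': an approval while such a burst is still live,
                            which is exactly the outcome a fatigue attack wants
    """
    recent = defaultdict(deque)  # user -> timestamps of unapproved prompts
    alerts = []
    for line in log.splitlines():
        ts, kv = parse_line(line)
        user, event = kv["user"], kv["event"]
        q = recent[user]
        while q and ts - q[0] > window:  # forget prompts older than the window
            q.popleft()
        if event in UNAPPROVED:
            q.append(ts)
            if len(q) == threshold:
                alerts.append((user, ts, "prompt_burst"))
        elif event == "push_approved" and len(q) >= threshold:
            alerts.append((user, ts, "approval_after_burst"))
            q.clear()
    return alerts
```

On the sample log this flags alice twice (a burst at 10:00:48 and an approval after it) and bob not at all, since his single denial fell outside the window. Number matching, where the user must type a number shown on the login screen into the prompt, removes the accidental tap the attack relies on; the detector is for spotting the attempts regardless.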
One-time Passwords
If you’ve ever used an app like Google Authenticator, you might be familiar with these already. Basically, you scan a QR code to set up your 2FA; that QR code carries a secret, and the app combines it with the current time to generate codes (typically 6 digits) that you then enter for your 2FA. These codes change as time goes on, so each one is only valid for a short window and should only be accepted once. Living on your device, only you have access to the secret that can be used to generate authentication codes, exactly the way something you have is intended to work. Unless your app syncs those secrets to the cloud. If it does, then if that cloud gets breached, your 2FA could be at risk.
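As an added example (not code from this post or from any authenticator app), here is the code generation these apps implement, HOTP from RFC 4226 driven by a time counter as in RFC 6238, together with the server-side check a service should perform: tolerate one step of clock drift, but never accept the same code twice. The secret is the RFC test secret, base32-encoded the way an enrolment QR code would carry it; the class and function names are this example’s own.

```python
import base64
import hashlib
import hmac
import struct

# The RFC 4226/6238 test secret, base32-encoded as a QR code would carry it.
# Assumption: the authenticator app and the server share exactly this secret.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation,
    then reduce to the requested number of decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the current 30-second time step."""
    return hotp(base64.b32decode(secret_b32), at // step, digits)


class TotpVerifier:
    """Server side: accept a code for the current step or one step either
    side (clock drift), and refuse any step that was already consumed."""

    def __init__(self, secret_b32: str, step: int = 30, digits: int = 6):
        self.secret = base64.b32decode(secret_b32)
        self.step, self.digits = step, digits
        self.last_counter = -1  # highest time step already used to log in

    def verify(self, code: str, at: int) -> bool:
        now = at // self.step
        for counter in (now - 1, now, now + 1):
            if counter <= self.last_counter:
                continue  # replay: a code for this step was already accepted
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_counter = counter
                return True
        return False
```

The values the test checks (755224 for counter 0, 287082 at Unix time 59, 081804 at 1111111109) are the published RFC 4226/6238 SHA-1 test vectors reduced to six digits.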
Security Keys
Security keys are something you have, and are arguably the most secure 2FA method. After entering your password, the service you are logging into waits for a response from the security key attached to your device. So you enter your password, insert your security key, press a button that sends the okay signal, and you are now logged in. A true implementation of something you have, these little devices, typically in the form of a USB stick, live in your pocket without internet access. No syncing, no compromise of something you have. Which brings in one of the potential downfalls of a security key: since it isn’t multipurpose like your phone, it takes constant effort to remember that you need to have it on you. This typically makes security keys far less convenient than other something-you-have methods.
Why it matters
As I have gone through these 2FA methods, I have not shied away from the fact that 2FA isn’t perfect. In fact, it is far from it. But it is better than just having a password. Every attack that a 2FA method is vulnerable to is one more attack that a malicious actor has to be proficient in to get at your valuable data. You don’t have to be the most secure, just less convenient to attack than the person next to you.
What about passkeys
Now I would be remiss if I didn’t mention passkeys, which a lot of companies are betting on as the future of authentication. This is because they are basically a single unified workflow that combines something you have with something you know. That crazy idea for a unified 2FA experience gets rid of the security risks inherent in something you know. After all, something you know is something someone else can find out. Passkeys were also designed with website spoofing in mind, which should limit the cases where a malicious site that looks like the real one tricks people into logging in.
Of course, passkeys are still a fledgling technology, and implementations are still being pushed for wider adoption. On top of this, passkeys at the moment are extremely difficult to swap from provider to provider, and most providers only work on a single platform. There are also challenges with passkeys if your device gets lost.
Conclusion
2FA isn’t perfect, but almost nothing in cybersecurity is. Perhaps you don’t need 2FA, but if it adds a ton of extra security without a whole lot of hassle, why not enable it at least for the important services you use? As always, you can do hard things, and make yourself more secure. This is TheITFirefly, signing off.