Two-Factor Authentication: A Little Goes a Long Way
Despite the security industry’s best efforts to educate users about the weaknesses of password authentication, awareness remains frustratingly low. Keeper Security recently analyzed 10 million compromised accounts and found that just 25 passwords made up more than half of the list. Nearly 17 percent of users were guarding their accounts with the password “123456.”
The Two-Factor Tide Is Turning
Two-factor authentication (2FA) is an effective supplement to passwords. It adds a second layer of protection by requiring users to enter either something they know or something they have. You use 2FA whenever you withdraw money at an ATM, for example. Your personal identification number (PIN) is effectively the password and your bank card is the second form of authentication.
This is not the same as two-form authentication. The two-form technique uses a second login gate, such as a challenge question, to validate a user’s identity. It is the least effective form of two-factor security, although it’s better than nothing.
Two-factor authentication is widely used behind corporate firewalls, but public adoption has been slow. A Dropbox official told KrebsOnSecurity that less that 1 percent of the company’s customers had taken advantage of its 2FA option. Online services are often reluctant to introduce any inconvenience into the login process. Attitudes are beginning to change, however, largely due to recent, well-publicized thefts of large password files.
Four Forms of Two-Factor Authentication: Pros and Cons
There are several types of 2FA, each with its own strengths and weaknesses. Here’s a quick overview.
SMS verification is the most popular form of 2FA. Large sites such as Google and Facebook support it, albeit on an opt-in basis. SMS verification uses a cellphone as a second authentication method. When a user logs in, a verification code is sent to his or her phone as an SMS message. The user then must type the code into the login screen to authenticate. Most systems also offer the option to receive a phone call with a spoken code.
- Pro: The biggest advantage of SMS verification is simplicity. Nearly everyone has a cellphone and the process only takes a few seconds.
- Con: SMS coverage isn’t universal, and if you can’t get a signal, you can’t get a text. Theft is also a risk, particularly if the victim has stored passwords in plaintext on the device. The thief then essentially has both factors in hand.
An authenticator app also generates a unique code to use as a secondary password each time a user logs in. Unlike SMS verification, however, it does so directly from the device.
When you set up an account, a secret key, called a seed, is stored on the server and sent to your phone or tablet. When you log in, an algorithm spits out a unique code by combining the seed and date/time information. The code is good for a short period, usually 30 to 60 seconds. The same thing happens on the server. If the two codes match, you’re in.
Google Authenticator is the best-known app in this area, but there are many others. Some alternative authenticator apps are unique to certain host applications, while others offer additional bells and whistles such as local encryption.
- Pro: Authenticator apps provide great protection. They are compatible with multiple host applications and don’t depend on cellular phone networks.
- Con: For the same reasons as SMS verification, authenticator apps are at risk of data theft. Also, setting up the authenticator can be a bit complex for nontechnical users.
This method uses a physical token that either plugs into a USB port or generates a unique passcode to type into the login screen. This security measure is particularly popular with banks and other companies that deal with highly sensitive information.
- Pro: This is the most secure form of 2FA. A cybercrook would need to steal the token and, even then, wouldn’t have access to the password.
- Con: Hardware can be costly. If you lose or forget your key, you’re out of luck.
Biometric authentication is the only 2FA method that relies not on something you know, but something you are. Fingerprint scans, retina scans and voice recognition are three forms of biometric security.
- Pro: In theory, this should be the most resilient form of 2FA. All other forms are vulnerable to compromise, if only because the second factor is information. It’s impossible for a thief to impersonate you directly.
- Con: In reality, biometrics still has a long way to go before it can be considered a rock-solid security technique. Fraudsters can fool fingerprint readers with impressions made in modeling compounds. They can also circumvent facial recognition software and even iris and retina scans with high-quality video. The technology is improving, but it’s a bit early to go mainstream.
A Simple Way to Prevent a Password Breach
Any form of 2FA is better than none. Implementing any of the above techniques is good for you and everyone who logs in to your site or service because it reduces the risk of a giant password breach. For the best security, physical authentication is the way to go. However, implementing SMS security is cheap and reasonably straightforward.
If you want to know whether or not a website you use supports 2FA, Two Factor Auth is an invaluable resource.