What is 2-Factor Authentication and Why Should You Care?
In the digital world that we live in, our virtual identity has become as important as the real one. We are becoming more and more aware of our virtual presence, social activity and how we act and how we are perceived online.
With digital fraud and account hijacking at record levels, keeping your accounts and data safe has become a priority for everyone.
Once someone gets access to your account, not only can they cause you financial loss, but also the loss of reputation and image. 81% of hacking-related breaches leveraged either stolen and/or weak passwords, according to Verizon’s Data Breach Investigations Report 2017.
As a result, more sites than ever are taking security seriously. Gone are the days when any short word would do as a password. Most sites now require numbers, special symbols or both in your password, which enlarges the space an attacker has to search in a brute-force attack (length helps even more than symbols). It does nothing, though, for a password that has already leaked from somewhere else.
Using a complex password doesn’t solve the problem completely. Because we tend to reuse the same passwords everywhere, one compromised account can have massive consequences: the attacker simply tries the leaked password on every other site. According to a survey conducted by TeleSign, 73 per cent of online accounts are guarded by duplicate passwords and 54 per cent of people use five or fewer passwords across their entire online life.
We tend to use the same key in all the digital locks, making the loss of the key highly risky.
One way to solve this is to use a unique password for every account. But unless you have a superhuman memory, that isn’t feasible; nobody can remember a different password for each website. Instead, a password manager such as LastPass can hold all of them in an encrypted vault.
But unique passwords alone are not enough, especially for important accounts such as email, social media and anything that holds your financial details.
These sites understand their responsibility and tend to offer stronger security options. A breach doesn’t only hurt the user; organisations from big companies to small businesses and startups can suffer severe financial and reputational loss from a hacked account base.
Even though a well-run website stores your passwords only as salted hashes rather than in plain text, that’s just half the story. Hashing limits the damage if the site’s own database is breached, but it does nothing about mistakes at the user’s end: reusing the password on a site that was breached, or typing it into a phishing page.
That’s why more and more companies are getting serious about users’ security. One of the steps to achieve this is 2-factor authentication.
What is Two-Factor Authentication?
In the traditional flow there is just one layer of security: your password. You enter it and, voila, you’re in. But as stated above, this process is good but not great.
2-factor authentication (2FA) adds a second, independent check to the login, so a stolen password on its own is no longer enough to get in. The extra layer is something you have or something you are, on top of the password you know: an OTP sent to your mobile, a code generated by an app or token you own, or biometric verification on a device you own. One-time codes are also short-lived, so a code an attacker manages to intercept is worth little once its window has passed.
According to a study by cybersecurity firm Symantec, 80% of data breaches could be eliminated by the use of two-factor authentication.
The idea is the same as a website asking you to confirm your email address: it wants evidence that the request really comes from you. 2FA makes sure that a password alone is not enough for someone to impersonate you. Two-factor authentication usually works in one of two ways:
1. OTP (One Time Password)
In this method, after you enter your password, the site generates a random one-time code and sends it to you by email, SMS or voice call. The code can range from a short numeric PIN to an alphanumeric string. Once you enter it, you can access your account.
Because the code is generated on the server, you need some connectivity (a mobile signal or access to your email) to receive it, and the server should treat it as short-lived and single-use.
This method is common in the banking industry, where it helps stop fraud if card details fall into someone else’s hands. But sending SMS messages or placing calls costs money, borne by the organisation or the user, and SMS is the weakest of the second factors: a code can be redirected by a SIM-swap attack on your mobile number, or simply phished in real time together with the password. NIST’s SP 800-63B guidance treats SMS-delivered codes as a restricted authenticator for these reasons, so prefer an app or hardware token wherever the site offers one.
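To make the server side of this method concrete, here is an added Python example of a minimal OTP issuer and checker. It is illustration written for this article, not code from the original post or from any bank’s system; the in-memory store, the five-minute lifetime and the five-attempt budget are assumptions chosen for the example. The points it makes are the ones a six-digit code lives or dies by: the code must come from a CSPRNG, expire quickly, work only once, and be rate-limited, because there are only a million possibilities.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300      # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 5           # assumption: then the code is discarded and a new one must be sent


class OtpStore:
    """In-memory store of pending server-generated OTPs, keyed by user (example only).

    Only a hash of each code is kept, so a dump of the store does not show codes in
    plain text. Hashing a six-digit code is weak protection by itself; the short TTL
    and the attempt budget are what really defend it. The clock is injectable so
    expiry can be tested without sleeping.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # user -> (code_hash, expires_at, attempts_left)

    @staticmethod
    def _hash(user, code):
        # Bind the hash to the user so a code issued to one user cannot be replayed as another.
        return hashlib.sha256(f"{user}:{code}".encode()).hexdigest()

    def issue(self, user):
        """Generate a fresh random code for `user`; returns the code to send by SMS/email/call."""
        # secrets (not random) gives CSPRNG output; zero-padding keeps '000123' as likely as any other
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[user] = (self._hash(user, code), self._clock() + OTP_TTL_SECONDS, MAX_ATTEMPTS)
        return code

    def verify(self, user, submitted):
        """Return True and consume the code if it is correct, unexpired and within the attempt budget."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        code_hash, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[user]          # expired or exhausted: force a fresh code
            return False
        # Constant-time comparison so response timing does not leak how much of the hash matched.
        if hmac.compare_digest(code_hash, self._hash(user, submitted)):
            del self._pending[user]          # single use: success consumes the code
            return True
        attempts_left -= 1
        if attempts_left == 0:
            del self._pending[user]          # budget spent: stop brute forcing of the remaining space
        else:
            self._pending[user] = (code_hash, expires_at, attempts_left)
        return False
```

In a real deployment the store would be a database or cache shared across servers, and the attempt limit would be complemented by per-account and per-IP throttling on the login endpoint itself.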
2. TOTP (Time Based One Time Password)
This method avoids the connectivity requirement of the previous one. The codes are generated on your own device using the standard TOTP algorithm (RFC 6238, which builds on the HOTP algorithm of RFC 4226). The device produces a new temporary passcode periodically without touching the internet or the cellular network, and you enter that code after your password to log in.
Each code is an HMAC (SHA-1 by default) of the current time step, that is, the Unix time divided into 30-second intervals, keyed with a secret that the site and your device have shared since setup, then truncated to six (sometimes eight) digits. Because the time step changes every 30 seconds, so does the code: a code captured now is useless a minute later, and a well-built server also refuses a code that has already been accepted within its window. What TOTP does not stop is a phishing page that relays your code to the real site within those 30 seconds, so it is a large improvement, not a guarantee.
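Here is an added Python implementation of HOTP and TOTP to make the description above concrete. It is example code written for this edit, not the source of the TOTP Authenticator app or of any site’s login, and it is checked against the test vectors published in RFC 4226 and RFC 6238 (the ASCII secret "12345678901234567890"). Two helpers go slightly beyond the text: decode_setup_key assumes the base32 convention of Google Authenticator-style key URIs for the "alphanumeric key" a site shows beside its QR code, and TotpVerifier is an illustrative server-side check with a one-step drift window and a replay guard.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC the 8-byte big-endian counter, dynamically truncate, reduce mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                                    # low nibble of the last byte picks the window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"             # keep leading zeros: "007081" is a valid code


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second intervals since the epoch."""
    return hotp(secret, unix_time // step, digits, algo)


def decode_setup_key(key: str) -> bytes:
    """Turn the 'alphanumeric key' shown at setup back into the raw shared secret.

    Assumption: the key is base32 (Google Authenticator key-URI convention; the RFCs fix no
    encoding). Sites often print it lowercase in groups of four, so normalise before decoding.
    """
    cleaned = key.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)                       # restore the padding most sites strip
    return base64.b32decode(cleaned)


class TotpVerifier:
    """Illustrative server-side check: accept the current step and one step either side to
    tolerate clock drift, and never accept a step at or before the last accepted one, so an
    intercepted code cannot be replayed inside its window."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_accepted_step = -1

    def verify(self, code: str, unix_time: Optional[int] = None) -> bool:
        now = int(time.time()) if unix_time is None else unix_time
        current = now // self.step
        for offset in range(-self.window, self.window + 1):
            step = current + offset
            if step <= self.last_accepted_step:
                continue                                       # already used, or older than a used one
            expected = hotp(self.secret, step, self.digits)
            if hmac.compare_digest(expected, code):            # constant-time compare
                self.last_accepted_step = step
                return True
        return False
```

Run against the RFC 6238 vectors, totp(b"12345678901234567890", 59, digits=8) gives "94287082" and totp(b"12345678901234567890", 1234567890, digits=8) gives "89005924", which is what a correct implementation must produce before anything else is trusted.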
TOTP is widely used by big companies such as Facebook and Twitter to give users better security. It is usually turned off by default, but you can easily turn it on and set up your device.
How Do I Setup TOTP Security?
To setup TOTP authentication, you need to:
- Enable the 2-factor security option on the website.
- Download an authenticator app or get a hardware security token (either of which generates the codes for you).
1. Enabling 2FA For The Account
To enable 2FA, you first need to check if the website supports 2-factor authentication. Go to the settings page of the website you want to enable the feature for, and see if you can find an option for two-factor authentication. (Tip: it’s usually under the security tab.)
For example, on Facebook go to ‘settings’ > ‘security and login’ > ‘use two-factor-authentication’ to enable the feature.
Once you choose to enable the feature, you’ll be shown a QR code to scan with your authenticator app. Alternatively, the same shared secret is displayed as an alphanumeric key (the secret in base32 encoding) that you can type in manually. Treat that key like a password: anyone who copies it can generate your codes.
In many cases you’ll also be given backup codes for use if you lose access to the authenticator app. They are typically single-use, so save them somewhere safe, such as your password manager or a printout kept offline.
And that’s pretty much it: the next time you log in, you’ll enter your static password followed by the code currently shown by the app or hardware device. Remember that a fresh code appears every 30 seconds, so type the one on screen rather than an old one.
2. Setting-up And Using an Authenticator App
There are many TOTP supporting apps available in the market such as Google Authenticator, Authy, Microsoft Authenticator, etc.
But from our research and experience, we at BinaryBoot felt that even though these apps were free, they all were lacking some feature or another. For example, Google Authenticator doesn’t allow you to back up or copy your account’s secret key, thus rendering you helpless in case your phone gets lost.
We developed the TOTP Authenticator App to overcome this issue. Our aim was to develop an app with a seamless user experience providing all the features a user can need in an authentication app. The app works on both iOS and Android platforms.
The good thing about two-factor authenticator apps is that most of these apps usually have the same setup process and basic functionality. For the purpose of this tutorial, I’ll use the example of TOTP Authenticator App. To set-up the app for a new account, the process is as follows:
1. Scan the QR code / enter the key manually.
Tap the ‘+’ symbol at the bottom right of the screen and choose either ‘Scan QR Code’ or ‘Enter the key manually’. If you scan the code, the account is added automatically. If you choose to enter the key manually, you need to enter the account name (e.g. the login email), the secret key and the issuer name (e.g. Facebook, Twitter). In both cases you can also select or upload an icon of your choice.
Tip: TOTP Authenticator allows you to back up your account names and secret keys in encrypted form. You can save this backup on your device or in the cloud, and import it when you switch phones. Remember that the backup is as sensitive as the keys themselves, so guard it accordingly.
You can either scan the QR code to set up or manually enter the details.
2. Use the code.
After the initial set up, you can use the app without a network connection.
The app will display the passcode for each account, along with the time remaining before the code expires. A code lasts 30 seconds and is then replaced by a new one. You can also add a widget to display the passcodes on your home screen for quicker access.
You can access the codes either inside the app or by adding a widget.
Note: You can also use a hardware token instead of a mobile app. A hardware device removes your dependence on your phone for the codes, but you have to carry another device, and it costs money.
Limitations of 2-Factor Authentication
As good as 2FA may be, it is not bulletproof. Your phone can run out of battery or stop working unexpectedly, locking you out of your accounts unless you kept your backup codes.
If your phone is stolen, someone who can unlock it can read your codes and impersonate you, so keep the phone (and, where the app supports it, the app itself) locked. Despite these limitations, 2FA is the easiest way to drastically improve your online security.
Accounts You Should Use 2FA For
Two-factor authentication is highly recommended for the websites and services which save personal or sensitive data. Some of the sites we highly recommend using 2FA for are:
- Google accounts (it’s the backbone of most of our virtual presence)
- Email accounts (if you don’t use Gmail)
- Bank websites (self-explanatory)
- Cloud storage accounts (Dropbox, OneDrive, etc)
- Social networks (Facebook, Twitter, LinkedIn, etc)
- Password managers (LastPass)
- Communication apps (Slack, Skype, MailChimp, etc)
Your digital security is important and at a bigger risk than you think. Two-factor authentication makes it harder for cybercriminals to breach your privacy.
If you’re a user, set up 2FA on every website that offers it. It costs a few extra seconds at each login, which is nothing compared with the trouble you face after an account hijack.
If you’re a web developer or business owner, you should evaluate your service’s security and whether providing a 2-factor authentication facility is the right idea for you.
Be safe :)
Originally published in Hacker Noon on Medium.