Authenticating users is a key technology in today’s internet-connected world. Without it, individuals and employees would not be able to work, shop, and bank online while keeping their privacy and identities safe. Two-factor authentication is a key piece of this system.
What is Two-Factor Authentication?
Today’s most powerful tech companies, such as Apple and Facebook, all use two-factor authentication. You have likely already used two-factor authentication, perhaps without knowing it.
Two-factor authentication, also abbreviated as 2FA, adds an additional step beyond just using a password and username. Adding an additional step should in theory increase your account security.
SMS is often used in 2FA: users enter a numerical code, ranging from four to eight digits, that is sent to their mobile phone. These codes are not foolproof, and it is possible for a thief to intercept the text messages, which is called a man-in-the-middle (MITM) attack.
SMS is easy for tech companies such as Twitter to implement because it only requires users to have a mobile phone. However, there have been hacks against corporate social media accounts, which sophisticated hackers target because of their high value.
Three Types of Login Credentials Required For 2FA
Two-factor authentication requires users to have 2 of 3 types of login credentials to be allowed to access an account. These include:
- What you have: A biometric marker, such as a fingerprint or voice pattern.
- What you own: An ATM card, phone, or other possession.
- What you know: A PIN, password, or movement pattern.
Limits of Two-Factor Authentication
Two-factor authentication is a very old authentication method, going way back through history. It is commonly used today every time a user is required to enter their address and phone number along with their credit card number to make a purchase online. 2FA comprises both the object of ownership (the card) and the piece of knowledge (the address and phone number).
2FA = An Inconvenience?
Two-factor authentication can cause user inconvenience in today’s fast-paced world. It requires users to have patience and be thorough in entering the correct information to get the security benefits. This is set up when a user first logs in to a website or online app. However, even though it is tedious for some users, it has its security benefits.
Account Recovery Vulnerability
Using the account recovery feature can expose your account to being compromised. It uses a temporary login to recover your account. A key fob, a randomly generated access code, is emailed or texted to a phone. This code changes after a short time, usually 30 or 60 seconds. Users will need to enter their email or personal identification number (PIN) along with the generated code. This process resets your password when you forget it.
However, tech firms have not fully solved the problem of account recovery and vulnerability to hackers. This process bypasses 2FA because it only requires one form of identification to get the second part.
How Hackers Break 2FA
Hackers can get to user log-in data through malware, phishing, account recovery, or even credit-card-reader skimming. This will allow them to get to the data stored via cookies or tokens by the authentication mechanism on the user’s device.
Cookies and Hackers
A hacker could use an HTTP cookie or an OAuth token to gain control of a user’s logged-in online session. OAuth is an open standard that allows users to grant certain websites access to their data without requiring a password. An HTTP cookie can store a user’s login information for the hacker to use at a specific website.
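Because a stolen session cookie stands in for a completed login, a site owner can check how its cookies are issued. The following is an added example, not part of the original article: it audits a Set-Cookie header for the attributes that limit cookie theft and reuse. The sample headers and the 12-hour lifetime ceiling are constructed assumptions.

```python
from http.cookies import SimpleCookie

MAX_LIFETIME = 12 * 3600  # assumed policy ceiling for a session cookie, in seconds

# Constructed sample headers (not taken from any real site).
WEAK = "session=abc123; Path=/; Max-Age=31536000"
HARDENED = "session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict; Max-Age=900"

def audit_set_cookie(header_value):
    """Return {cookie_name: [issues]} for one Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header_value)
    findings = {}
    for name, morsel in jar.items():
        issues = []
        if not morsel["secure"]:
            issues.append("no Secure: cookie is also sent over plain HTTP")
        if not morsel["httponly"]:
            issues.append("no HttpOnly: cookie is readable by page script")
        if morsel["samesite"].lower() not in ("lax", "strict"):
            issues.append("SameSite not Lax/Strict: sent on cross-site requests")
        max_age = morsel["max-age"]
        if max_age.isdigit() and int(max_age) > MAX_LIFETIME:
            issues.append("long-lived: a stolen copy stays usable")
        findings[name] = issues
    return findings

if __name__ == "__main__":
    for label, header in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_set_cookie(header))
```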
Hackers Will Continue to Threaten 2FA
Because online user growth is continuing, 2FA will be increasingly used. This presents more targets for hackers, so threats to 2FA will increase. It is up to technology firms to develop ways of preventing hackers from compromising user accounts, and users to be wary of 2FA.
2FA is not hard for most users to get through. Older 2FA technology may not be able to keep up with hackers today. But as more companies adopt 2FA, the technology will likely be refined and improved.
Improving the usability and security level of 2FA will mean everyone who relies on it for safe authentication will benefit.
2FA Does Help Protect You
2FA allows a lot of attackers to access user login information, but overall it does help protect users. Any additional measures enacted to stop hackers help protect users’ data. So, 2FA does provide more protection for users than if they log in without it.
Biometrics Can Help
Biometric markers, such as voice patterns, eye scans, or fingerprint scans, may help keep the recovery process protected by removing the opportunity for a thief to intercept the access code message.
Using two sets of 2FA, one to log in and one for account recovery, could work.
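The recovery weakness described under Account Recovery Vulnerability and the two-factor recovery idea above can be shown together. This is an added example, not part of the original article: it uses the RFC 6238 time-based construction as a stand-in for the 30-second access code, rejects replayed codes, and allows a reset only when the verified proofs span two credential categories. The proof names and the category mapping are hypothetical.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # the article cites codes that change every 30 or 60 seconds

def time_code(secret, now, digits=6):
    """Time-stepped one-time code: HMAC over the time counter, then truncation."""
    counter = struct.pack(">Q", int(now // STEP_SECONDS))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def code_is_valid(secret, submitted, now, used_counters):
    """Accept the current or previous time step, once only, in constant time."""
    for drift in (0, -1):
        counter = int(now // STEP_SECONDS) + drift
        expected = time_code(secret, counter * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            if counter in used_counters:
                return False  # replay of a code that was already accepted
            used_counters.add(counter)
            return True
    return False

# Hypothetical mapping of proof types to the article's three credential types.
CATEGORY = {"password": "know", "pin": "know",
            "sms_code": "own", "email_code": "own", "app_code": "own",
            "fingerprint": "biometric", "voice": "biometric"}

def recovery_allowed(verified_proofs):
    """Allow a password reset only with proofs from two different categories."""
    categories = {CATEGORY[p] for p in verified_proofs if p in CATEGORY}
    return len(categories) >= 2
```

Note that an emailed code plus a texted code still counts as one category here, since both only prove possession of a device or inbox.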
For more information, read our post What is Biometric Security?
Two-factor authentication continues to be a cornerstone of consumer and enterprise account authentication. It will play a crucial role in online authentication in the near future as well.