Two-Factor Authentication and You

  • Two-factor authentication is a security measure that makes you pass two separate checks before you gain access to your account or device.

  • As attackers and their tooling become more advanced, a password alone is not enough to keep your data secure.

  • Many apps and websites now give users the option to turn on two-factor authentication.

You might not be aware of it, but you already use two-factor authentication frequently. When you purchase something online and are asked to enter your TAC, or withdraw money from an ATM and are asked to enter your PIN, each is a form of two-factor authentication. The first example requires you to know your online banking login details and to possess the phone to which the TAC is sent. The second requires you to possess your card and to know your PIN.

Two-factor authentication requires two ways of proving your identity and can be used to protect your various online accounts as well. It does not offer perfect security, and it adds an extra step when you log in, but it does make your accounts and data considerably harder to compromise.

What is two-factor authentication and how does it work online?

Two-factor authentication (2FA), sometimes referred to as two-step verification or dual-factor authentication, is a security process in which users provide two different authentication factors to verify themselves. It provides a higher level of security than single-factor authentication (SFA), in which the user provides only one factor, typically a password or passcode. 2FA methods rely on the user providing a password as well as a second factor, usually either a security token or a biometric factor such as a fingerprint or facial scan.

2FA forces attackers to solve two distinct problems rather than one. Two-factor authentication has long been used to control access to sensitive systems and data, and online service providers increasingly use 2FA to protect their users' accounts against attackers who have stolen a password database or obtained passwords through phishing campaigns.

Types of two-factor authentication

1. SMS/voice-based 2FA:

  • This type of two-factor authentication usually prompts you to enter your phone number and choose whether you would like to receive a text message or a phone call to verify your identity.

  • Depending on the option you choose, an automated system will call or text you a code to confirm your login.

  • This method is, however, not recommended, because one-time passwords (OTPs) sent via SMS are vulnerable to mobile phone number porting attacks, in which an attacker has your number moved to a phone they control.

2. Hardware tokens:

  • Hardware tokens for 2FA are available that support different approaches to authentication. One popular hardware token is the YubiKey, a small Universal Serial Bus (USB) device.

  • When users with a YubiKey log in to an online service that supports OTPs, such as Gmail, GitHub, or WordPress, they insert the YubiKey into the USB port of their device, enter their password, click in the YubiKey field and touch the YubiKey button. The YubiKey generates an OTP and types it into the field.

3. Software tokens:

  • A software token is the software-based counterpart of a two-factor authentication security device and can be used to authorise the use of computer services. Software tokens are stored on a general-purpose electronic device such as a desktop computer, laptop, PDA, or mobile phone.

  • These tokens combine the best qualities of SMS-based and hardware-based 2FA while eliminating some of the significant issues each of those methods faces, and they are the most popular 2FA method.

  • Examples of software tokens are CAPTCHA and authentication apps such as Google Authenticator, Microsoft Authenticator, or Authy.

4. Biometrics: 

  • Examples of biometrics are fingerprint scanners, facial recognition such as Face ID, and iris scanners. These can be found on many devices people use every day, such as phones and laptops.

  • Some apps on your phone, especially banking apps, already use two-factor authentication. If you have a phone that supports fingerprint or facial recognition, these apps work with its software to let you store your username and password on the device and have the device fill them in for you as long as it recognises you.

  • The problems with this technology are that not all devices have a fingerprint scanner or facial-recognition hardware, and facial recognition technology is still immature.

5. Push notifications:

  • Push notification is an improved form of SMS-based 2FA. The difference is that push notifications remove the opportunity for phishing scams that take advantage of unsuspecting users and, more importantly, stop man-in-the-middle attackers from intercepting login links.

  • With push authentication, access requests are sent via out-of-band notifications to an associated mobile device, which the user then approves or denies.

  • The drawback of this method is that push notifications need a stable internet connection to work.

  • An example of push notifications is Maybank2u's Secure Verification, which recently replaced part of its TAC service.

How to enable two-factor authentication

1. Use a hardware token such as a YubiKey.

2. Install a software token, e.g. Google Authenticator, Microsoft Authenticator, or Authy.

3. Many major sites and services offer 2FA capability that you have the option to set up with your account. Below is a brief list of guides on how to set up two-factor authentication on some of the most popular sites, apps, and devices:
