Two factor authentication (2FA) – What is it?
Simply put, two factor authentication is an extra layer of security that proves the person trying to access your account is really you. Each login attempt from an unknown or new device requires verification from you: a code or notification is sent to your trusted device. The details vary slightly, but the idea is the same across all platforms. So, even if your passwords are compromised for whatever reason, you can rest assured that there won’t be any unauthorized access to your account.
Let’s be honest, it’s not the most convenient thing to have your phone available and tap on a prompt whenever you log in from a new device. But is that inconvenience worth it? According to research by Google, on-device prompts (2FA) help prevent 100% of automated bots, 99% of phishing attempts and more than 90% of targeted attacks.
What happened to complex passwords?
Gone are the days when having a complex password made you safe from most hacking attempts. Today’s password-cracking tools and attackers have become advanced enough to cut through the complex-password tricks many of us use. The infamous 2012 LinkedIn data breach that exposed 6.5 million hashed passwords likely impacted more than 117 million users, the company now admits. Ironically, an inordinate number of the hacked passwords included a variation of “linkedin” in them.
Cybersecurity experts suggest that the solution is to move away from relying on ‘complex passwords’ alone. Sure, using complex and strong passwords is definitely better than easily predictable simple passwords, but combining strong passwords with two factor or multi-factor authentication adds far greater protection to your account.
Types of two factor authentication
All two factor and multi-factor authentication methods differ slightly in how they work but follow the same idea. The most common types of authentication technique are the following:
SMS or email verification code
This works much like a one-time password (OTP): you receive the code in your email or via SMS, and it is only valid for a short time, say 60 seconds. You enter the code on the login page to get your login approved.
While this method is more convenient, if someone already has access to your email account, they will get the code as well.
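As an added illustration of the server side of this method (a constructed example, not code from any provider named on this page), the snippet below issues a six-digit code from a CSPRNG, stores only a keyed hash of it, hands it to an injected delivery hook standing in for the SMS or email gateway, and accepts it exactly once within the 60-second window described above, with a small attempt cap so the code cannot simply be guessed. The names `OneTimeCodeService`, `simulate` and the fake clock are assumptions made for the demo.

```python
"""Server side of an emailed/SMS one-time code: issue, deliver, verify once, expire.
Added example (constructed); not code from any of the services named on the page."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

CODE_TTL_SECONDS = 60   # the "say 60 seconds" validity the text describes
MAX_ATTEMPTS = 5        # a six-digit code is only a million guesses without a cap


@dataclass
class PendingCode:
    digest: bytes        # keyed hash of the code, so a database leak does not leak live codes
    expires_at: float
    attempts: int = 0


@dataclass
class OneTimeCodeService:
    # deliver(user, code): the SMS/email gateway, injected so the demo can capture the code
    deliver: Callable[[str, str], None]
    # clock(): injected so the demo can move time forward past the expiry
    clock: Callable[[], float] = time.time
    # per-deployment secret; a plain hash of a 6-digit code would be trivially reversible
    pepper: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    pending: Dict[str, PendingCode] = field(default_factory=dict)

    def _digest(self, code: str) -> bytes:
        return hmac.new(self.pepper, code.encode(), hashlib.sha256).digest()

    def issue(self, user: str) -> None:
        """Generate a fresh code with the CSPRNG, remember its keyed hash, and deliver it."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[user] = PendingCode(self._digest(code), self.clock() + CODE_TTL_SECONDS)
        self.deliver(user, code)

    def verify(self, user: str, submitted: str) -> bool:
        """True only for the live code, once, within its TTL and attempt budget."""
        entry = self.pending.get(user)
        if entry is None:
            return False
        if self.clock() > entry.expires_at or entry.attempts >= MAX_ATTEMPTS:
            del self.pending[user]          # expired or being guessed: invalidate outright
            return False
        entry.attempts += 1
        if hmac.compare_digest(entry.digest, self._digest(submitted)):
            del self.pending[user]          # single use: a replayed code must fail
            return True
        return False


def simulate() -> Dict[str, bool]:
    """Constructed walk-through with a fake clock and a capture-only delivery hook."""
    now = [1_000_000.0]
    outbox: Dict[str, str] = {}
    svc = OneTimeCodeService(deliver=lambda user, code: outbox.__setitem__(user, code),
                             clock=lambda: now[0])
    results: Dict[str, bool] = {}

    svc.issue("alice")
    real = outbox["alice"]
    wrong = "000000" if real != "000000" else "000001"
    results["wrong_code_rejected"] = not svc.verify("alice", wrong)
    results["right_code_accepted"] = svc.verify("alice", real)
    results["replay_rejected"] = not svc.verify("alice", real)

    svc.issue("alice")
    now[0] += CODE_TTL_SECONDS + 1              # let the 60-second window lapse
    results["expired_rejected"] = not svc.verify("alice", outbox["alice"])

    svc.issue("alice")
    real = outbox["alice"]
    wrong = "000000" if real != "000000" else "000001"
    for _ in range(MAX_ATTEMPTS):
        svc.verify("alice", wrong)
    results["locked_after_guessing"] = not svc.verify("alice", real)
    return results


if __name__ == "__main__":
    for check, passed in simulate().items():
        print(f"{check}: {'ok' if passed else 'FAILED'}")
```

The injected `deliver` hook is where a real deployment would call its SMS or email provider; everything security-relevant (CSPRNG generation, keyed storage, expiry, single use, attempt cap, constant-time comparison) stays in `verify` and `issue`.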
Security token device
It is a device that generates validation codes using built-in software. There are two types of token:
- Connected tokens, which generate codes only while the device is connected to the target endpoint
- Disconnected tokens, which work independently of any connection to the endpoint.
The only drawback of security token devices is the inconvenience of having to carry them with you all the time.
Smartphone verification
These can be seen as a more convenient version of security token devices. Instead of a dedicated code-generating device, this method uses a device that almost everybody has on them all the time: a smartphone. Some apps require you to enter a code displayed on your smartphone, whereas others simply ask you to tap YES or NO to allow or deny the login attempt.
Biometric verification
A relatively new method that uses facial, voice or fingerprint verification to approve your login.
Authentication apps
Similar in functionality to SMS code verification, except that a dedicated authentication app has to be installed on your smartphone. At each login, you receive a code in the app. What makes these authentication apps the most secure is that the codes are sent over an HTTPS connection, which makes it almost impossible for someone to snoop in and steal the code. As long as you have the app, only you can log in.
Two factor authentication software
Google Authenticator
The simplest and most secure way of using two factor authentication is installing Google Authenticator on your smartphone. It works like a charm and the whole process is fairly simple. You enable two factor authentication on a service such as WordPress, Facebook or Instagram, and the service asks you to scan a QR code with a suitable app, e.g. a QR code reader.
Once the QR code has been read, Google Authenticator starts generating codes which you can use to verify and log in. It’s entirely up to you which accounts you link with Google Authenticator.
LastPass Authenticator
This service uses a unique one-tap password verification that lets you log in to websites on PCs with a click rather than by manually entering codes. One-tap logins currently work with selected third-party services: Google, Dropbox, Amazon, Facebook and more. You must have the LastPass extension enabled in your browser and a free LastPass account to use this feature. For a detailed understanding of how LastPass Authenticator actually works, take a look at the short video uploaded to the LastPass YouTube channel.
Image source: Google Security Blog
On a personal level, choosing a complex password, setting up a simple two factor method, e.g. Google prompts, and keeping your recovery phone number and email up to date is good enough.
Data source: The 3rd Annual Global Password Security Report
According to the 2019 Verizon Data Breach Investigations Report, 43% of cyberattacks are aimed at small businesses, many of which quickly go out of business. For comprehensive information, updates and guidance for companies ready to take the next step to stay safe from cyberattacks, the SANS whitepaper Bye Bye Passwords: New Ways to Authenticate, from Microsoft, could come in handy.
Skysta recommends you always enable 2 Factor Authentication. To do so with us, click here for more info.