One of the most frequently asked questions that we receive at the Adaware Malware Lab is about two-factor authentication (2FA): what it is, how it works, what its benefits are, and what its pitfalls are. The team at Adaware believes that two-factor authentication is a critical part of your overall security and protection while you are online, so in this two-part blog series we have picked the brains of the team to outline what is important and what is hype with 2FA.
What is Two-Factor Authentication?
Two-factor authentication (2FA), sometimes referred to as “two-step verification” or “strong authentication,” is an authentication mechanism that requires two different types of credentials to log in. It is designed to add a layer of security to your online accounts, so that a single stolen credential is not enough to cause a breach.
The most common types of recognized factors for authentication when logging into an account are:
- Something you know: a password, PIN, or the answer to a question such as your first car, your mother’s maiden name, the name of a pet, or your favorite television show
- Something you have: a cell phone or hardware token
- Something you are: a biometric scan such as face, fingerprint, retina or voice
Two-factor authentication means that the system requires two of these different types, not two credentials of the same type.
How does two-factor authentication work?
Even if you have not heard the term “two-factor authentication,” you have almost certainly used it at some point. When you pick up a package at the post office and the clerk asks for the postal slip as well as your ID, that is 2FA. When you withdraw money from an ATM, you must first insert your card (something you have) and then key in your PIN (something you know); this is another example of 2FA that we use every day.
When you are online two-factor authentication works as follows:
The first authentication factor occurs when the user enters their password into the app or website.
The second authentication factor can be:
- An alphanumeric code that the user receives by text message and must enter to complete the login. Unlike the PIN on a bank card, a two-factor authentication code is valid for a single use only; each time the user logs into that account, they are sent a new code.
- Biometrics: facial recognition, fingerprint, or voice analysis are an alternative second factor that is becoming more and more prevalent as the technology advances.
- Authentication apps such as Google Authenticator and Duo Mobile, which produce the authentication codes on the device itself instead of having them sent via SMS.
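To make the “single use, new code every login” behaviour concrete, here is an added example (not code from the original Adaware post) of how an authenticator app and the website it protects agree on a code. It implements the time-based one-time password scheme (TOTP, RFC 6238, built on HOTP, RFC 4226) that apps like Google Authenticator use, and the server-side check that accepts a code once and refuses it if it is replayed. The shared secret is the RFC 6238 test-vector secret, used here only so the output can be checked against the published values; the `TotpVerifier` class and its drift window are this example’s own design choices.

```python
import hashlib
import hmac
import struct
import time

# Shared secret from the RFC 6238 test vectors (ASCII "12345678901234567890").
# In practice this is the random secret encoded in the QR code you scan
# when you enrol an authenticator app; it is used here only for the demo.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # a new code every 30 seconds
DIGITS = 6          # most apps show six digits


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()  # 20 bytes
    offset = digest[-1] & 0x0F                            # low nibble of last byte
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, int(at_time) // step, digits)


class TotpVerifier:
    """Server side of the exchange.

    Accepts the code for the current time step and, to tolerate clock
    drift, the steps immediately before and after it. Every accepted step
    is recorded so the same code cannot be submitted twice (RFC 6238
    section 5.2). Refusing steps older than the last accepted one is a
    stricter choice than the RFC minimum; it keeps the state to one integer.
    """

    def __init__(self, secret: bytes, step: int = STEP_SECONDS,
                 digits: int = DIGITS, drift: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.drift = drift
        self.last_accepted_counter = -1

    def verify(self, submitted: str, now: float) -> bool:
        counter = int(now) // self.step
        for delta in range(-self.drift, self.drift + 1):
            candidate = counter + delta
            if candidate <= self.last_accepted_counter:
                continue  # already used (or older): single-use rule
            expected = hotp(self.secret, candidate, self.digits)
            # constant-time comparison so timing does not leak digit matches
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_counter = candidate
                return True
        return False


if __name__ == "__main__":
    # The "app" shows a code; the "site" checks it; a replay is refused.
    now = time.time()
    verifier = TotpVerifier(DEMO_SECRET)
    code = totp(DEMO_SECRET, now)
    print("code shown by the app:", code)
    print("first login attempt accepted:", verifier.verify(code, now))
    print("same code submitted again:", verifier.verify(code, now + 2))
```

The first factor (the password) is checked separately before `verify` is ever called; the point of the second factor is that knowing the password alone never produces a valid code, and a code captured from one login is worthless for the next one.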
What is the best Second Factor Method?
All of the second-factor methods have their strengths and weaknesses, and depending upon your security requirements, any of them, in general, will work fine.
In terms of security, receiving codes via SMS is far less secure than biometrics or an authentication app, although in general it is still a very secure method. It is possible (although unlikely) for hackers to intercept an SMS message. Hackers can also use impersonation scams to convince your mobile provider that they are you, enabling them to take over your mobile phone number and gain access to all of your vital data. SMS codes are nonetheless the most common method of two-factor authentication, as many of the leading online websites and services, including Payaware, Google, Amazon, and Facebook, use this authentication method.
Pioneered by companies like Apple, biometrics is the most secure authentication method. For example, facial recognition solutions are able to read the geometric patterns of a person’s face. The software reads up to 60 vital facial elements, including the distance between a person’s eyes or the distance from the left eye to the chin.
While very difficult to hack, biometrics do have their limitations, and these come not from the criminal element but from the technology itself and from privacy concerns. Reduced lighting, for instance, can render facial recognition useless.
From a privacy standpoint, facial data can be collected and stored, often without your permission. Government agencies may have the ability to monitor you, making it impossible to remain anonymous.
Even though using an authentication app requires a little extra time to set up, it may be worth it to you. Because the codes are produced by the app itself and are not sent to your phone number, a hacker who hijacks your phone number still does not get the code; it remains with the app.
In our next article, we will continue our look at two-factor authentication, including the latest techniques that hackers are using to circumvent 2FA.