Contents:
Two-factor authentication, also called multiple-factor or multiple-step verification, is an authentication mechanism used to double-check that your identity is legitimate.
How Does Two-Factor Authentication Work?
When you want to sign into your account, you are prompted to authenticate with a username and a password – that’s the first verification layer. Two-factor authentication works as an extra step in the process, a second security layer, that will reconfirm your identity.
Its purpose is to make attackers’ life harder and reduce fraud risks. If you already follow basic password security measures, two-factor authentication will make it even more difficult for cybercriminals to breach your account.
However, you shouldn’t expect it to work like a magic wand that will miraculously bulletproof your accounts. It can’t keep the bad guys away forever, but it does reduce their chance to succeed.
What Are Authentication Factors?
There are 3 main categories of authentication factors:
1. Something that you know – This could be a password, a PIN code or answer to a secret question.
2. Something that you have – This is always related to a physical device, such as a token, a mobile phone, a SIM, a USB stick, a key fob, an ID card.
3. Something that you are – This is a biological factor, such as face or voice recognition, fingerprint, DNA, handwriting, or retina scan.
4. Time and location factors can also be used. For example, if you log into your account and someone tries to log in from a different country 10 minutes later, the system could automatically block them.
Why Should I Activate Two-Factor Authentication?
Passwords on their own aren’t as infallible as we need them to be. Cyber attackers have the power to test billions of passwords combinations in a second.
Answers to security questions are also easy to find out, especially now that we are willingly sharing all the details about our lives on social networks and blogs. Anyone that interacts with us on a daily basis can find out the answers to common security questions, such as the graduation year, the city that you grew up in, or our first pet’s name.
Even if you don’t give these out in your Facebook profile, some can be found through public records, available for anyone who cares to look.
This is where two-factor authentication comes in handy.
It will offer you an extra layer of protection, besides passwords. It’s hard for cybercriminals to get the second authentication factor, they would have to be much closer to you. This drastically reduces their chances of success.
A Few Examples of Two-Factor Authentication Methods that Most Likely You Are Already Using:
- The token issued by your bank, which generates you a specific code at a specific time – you use it with your username and password for Internet banking.
- A one-time password, that you receive a text message on your mobile phone and you use it when you want to log into your Google, Facebook, or Twitter account.
- Random passwords generated by an app like Google Authenticator or Facebook Code Generator that you use to log in to your email or social media account.
- Push Notification for Two-Factor Authentication. Websites and apps may now send a push message to the user indicating that an authentication attempt is being made. The device owner easily reads the information and, with a simple touch, approves or denies access. It’s password-free authentication, with no codes to input and no further interaction needed.
Here are a few examples of mobile apps that you can use for two-factor authentication:
- Google Authenticator (available for Android, iOS, Blackberry)
- Authy (for Android, iOS, but also available as desktop app and browser extension)
- Microsoft Authenticator (Windows Phone 7)
These apps use Time-Based One-Time Password (TOTP) algorithm. They will generate you a unique, time-sensitive six digits code, that you can use to sign in to your account. A code will typically work only for 30 seconds – after that, the app will generate you a new one.
After the initial setup, you can use the app without a network connection.
Some of the accounts where we strongly encourage you to activate 2FA and how to do that:
1. Google / Gmail
This is probably one of the most important accounts that you have, and is usually linked to many others – from social networks to online shops, work documents, personal information, financial accounts, taxes and so on. It should be the first account where you activate two-step verification and make sure that you take advantage of all their security enhancing options.
After you set up two factor authentication, you will receive six digit codes via text message on your registered mobile phone number. Google will prompt you to enter the code every time you want to log in from a new device. You can save each new device for 30 days, and during this time you won’t have to recheck your identity on that device.
Make sure that you also set up backup phones and emails, in case that your primary ones are ever unavailable.
You can also generate backup codes – these are 8 digit codes that you can save and use if you travel a lot, have problems with your mobile network or simply cannot use the Google Authenticator mobile app. Each code can only be used once.
Alternatively, you can get codes through Google Authenticator mobile app. It works on Android, iPhone or BlackBerry, even when your device has no data or phone connectivity.
2. Facebook / Twitter / LinkedIn
Major social networks also have two-factor authentication available.
Facebook introduced Login Approvals in 2011. This security feature requires you to enter a six digit code every time you want to log in to your Facebook account from a new device. You will receive the security code via text message on your mobile phone.
Alternatively, you can activate the “Code Generator”, a feature integrated in Facebook app that allows you to get security codes on your phone.
Twitter introduced login verification a few years ago. After you log in, it will send you a SMS message with a code that you need to access your account.
If you ever lose access to your mobile phone, they also provide a backup code that you can use once to verify your identity.
Linkedin also added two-step authentication, that you can (and should) enable. Your mobile phone number will be used to send you verification codes via text each time you want to sign in to LinkedIn from a new device.
3. Dropbox
If you are using cloud services, you should also enable two factor authentication for them. Most likely, you store sensitive data in the cloud, right?
After you enable two factor authentication for Dropbox, it will require you a six-digit security code or a security key every time you sign in or add a new device.
Dropbox will also send you 10 8-digit backup codes, that you need to store somewhere safe – you can use these in case of emergency, if you don’t have access to your phone anymore.
You should also add a backup phone number.
Can It Be Cracked?
As all other security measures, multiple-factor verification methods are also vulnerable to attacks.
Their efficacy depends on many things, such as the chosen authentication method, the security of the channel that is used to deliver or submit the second-authentication factor.
A few scenarios or techniques that would allow an attacker to break or jump over the second-authentication step:
1. They could gain access to it. They could steal your phone, your card, your token. Text messages sent to your mobile phone can be intercepted.
2. Through a Man-in-the-Middle attack. They could use a Trojan horse to manipulate the communication between you and your web browser and launch the attack against the 2FA.
3. With real-time phishing – the attacker will ask for the one-time password and use it immediately. LastPass users were recently targets to a severe phishing campaign, that not even two-factor authentication could have prevented. You can find out more about how to detect and prevent phishing from our dedicated article.
Basic password security
Remember that two-factor authentication it’s not worth the extra effort unless you use it complementary to strong passwords.
1. Use strong passwords.
They should be at least 12 characters long, contain upper and lower cases, numbers and symbols.
By weak passwords we mean:
- anything that contains the word “password”, “admin”, “querty”, your name or variations of it
- combinations of easy to guess numbers (“1234”, “1234567890”, “2016”, “0000”, “11111”)
- your spouse’s name, your children’s or pet’s name or birth dates
- the default password that your service provider gave to you
- anything from this list of the most popular, or funny passwords
2. Use unique passwords.
They should be different for every account of yours. Never recycle them.
This way, if an intruder gains access to one of your accounts, they won’t be able to breach all of them. It’s the same principle behind not using the same key for your house and your car – if you’ll lose one of them, a criminal will be able to break into the other.
3. Change your passwords regularly.
Never write your passwords down – not in a document that you saved in Cloud or on your Desktop, not in a mail draft, not on a handwritten note that you keep on the desk.
You can use a Password Manager – it’s a service that will encrypt all the saved passwords. This way, you’ll only have to remember one password, the one for your password manager service account.
Conclusion
Having a password and an extra factor authentication does not make your account 100% secure. It’s not a magic wand, that will make your account unhackable. No, it only makes it more difficult to breach.
Hopefully, an attacker will move on to another target, one that is less protected, rather than spend a lot of time on energy trying to breach your second-authentication factor.
But, as two-factor authentication methods will become more popular, new ways for attackers to crack them will also pop out. It’s just how the security game is played.
*This article was initially written by Cristina Chipurici in 2016 and updated by Dora Tudor in 2022.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.