With all the recent high-profile breaches, many people are asking: "How do I protect my data?" The resounding answer from the security community is: "Enable two-factor authentication!" Two-factor authentication (2FA) is widely recognized to be a far more secure option than a password alone. But what is 2FA?
2FA is a form of multi-factor authentication. Multi-factor authentication is a process by which a system requires more than one piece of information to authenticate a user before granting them access to that system. Each piece of information comes from one of three categories: possession, inherence, and knowledge. These are more commonly known as:
- Something you have (keycard, RSA keyfob)
- Something you are (fingerprints, blood type, iris scan, voice print)
- Something you know (password, PIN)
Two-factor authentication (2FA) has become commonplace in many systems requiring higher security for accounts such as corporate network access, banks, and credit card accounts. The most commonly seen is the RSA key, a small keyfob-sized device with a display that shows six constantly changing digits. The number on the keyfob is called a One Time Password (OTP). The RSA key is something you have. The OTP combined with your Personal Identification Number (PIN), which is something you know, completes the 2FA. The OTP, a six-digit number, is generated by an algorithm based on the current time and a unique secret token, and is known as a Time-based One Time Password (TOTP). This type of OTP can be securely generated in a smartphone app too.
In contrast, a more popular authentication method is via the smartphone and SMS. To me and many other security professionals, this does not qualify as true 2FA. While the smartphone may feel like something you have, its reliability as a secure token depends heavily on the smartphone provider.
- There have been multiple cases of attackers targeting an individual by social engineering the provider into rerouting the SMS message used for authentication to a new phone.
- Brian Krebs documents another social engineering attack directed at a user via SMS.
It is for these reasons that I consider SMS only a half-factor.
As the user, you can be vigilant and mindful of scams and social engineering, but you have no control over the security-mindedness of every person on the help desk of your cell phone provider. So why are so many sites using SMS for 2FA? Because it's convenient. But convenience is the enemy of security. It takes an extra step to open the OTP app, read and memorize the token, then type it to authenticate. However, that little extra step greatly improves the security of your account.
The other reason SMS is popular is availability. Today, almost everyone has a smartphone and is able to receive an SMS message, but not everyone has access to an OTP key fob. While you can purchase one on your own from companies like Yubico, it is also possible to generate the OTP in a smartphone application.
The setup process for these apps includes pointing the camera of your smartphone at a QR code. The QR code contains the unique token associated with your account. Steve Gibson over at grc.com recommends printing the QR code and keeping paper copies. These come in handy when you get a new phone or if you want to use them on a second device.
2-factor authentication is undoubtedly a significant improvement over simple passwords. Make sure you are using it whenever and wherever you can, and never settle for 1.5-factor. And if you have any questions, feel free to contact us here at ITS. We can help you implement a full 2FA solution for any architecture.