At the heart of two-factor authentication is the use not only of the traditional login-and-password pair, but also of an additional layer of protection: the so-called second factor, possession of which must be proven to gain access to the account or other data.
The simplest example of two-factor authentication, one each of us encounters regularly, is withdrawing cash from an ATM. To get money, you need a card that only you have and a PIN that only you know. An attacker who obtains your card cannot withdraw cash without knowing the PIN, and likewise cannot get money knowing the PIN but without the card.
Access to your accounts in social networks, e-mail and other services can be protected on the same principle. The first factor is the combination of login and password, and any of the following five things can serve as the second.
Confirmation using SMS codes works very simply. You enter your login and password as usual, then an SMS with a code arrives at your phone number, and you must enter that code to sign in to your account. That's it. The next time you log in, another SMS code is sent, valid only for the current session.
- A new code is generated every time you log in. If attackers intercept your login and password, they can do nothing without the code.
- Tied to your phone number: without your phone, you cannot log in.
- If there is no cellular network signal, you will not be able to log in.
- There is a theoretical possibility of the number being transferred to someone else through the carrier's customer service or by employees of phone retail outlets.
- If you log in and receive the codes on the same device (for example, a smartphone), the protection ceases to be two-factor.
This option is much like the previous one, the only difference being that instead of receiving codes via SMS, they are generated on the device by a special application (Google Authenticator, Authy). During setup you receive a secret key (most often in the form of a QR code), from which cryptographic algorithms generate one-time passwords valid for 30 to 60 seconds. Even if attackers intercept 10, 100 or even 1,000 passwords, they cannot use them to predict what the next password will be.
- The authenticator does not need a cellular network signal; an Internet connection is needed only during the initial setup.
- Support for multiple accounts in one authenticator.
- If attackers obtain the secret key from your device or by compromising the server, they can generate future passwords.
- If the authenticator runs on the same device you log in from, the second factor is lost.
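To make concrete what the authenticator app actually computes from the secret key, here is an added example (not code from the article or from any authenticator vendor) that implements time-based one-time passwords as standardised in RFC 6238: HMAC-SHA1 over the current 30-second step counter, then dynamic truncation to 6 or 8 digits. The function names `totp` and `verifyTOTP` are the example's own; the secret is the published RFC 6238 test secret, so the printed codes can be checked against the RFC's Appendix B table. The verifier also shows the two server-side checks a practitioner wants: a small skew window and a constant-time comparison.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"strconv"
)

// totp returns a zero-padded one-time password of `digits` digits for the
// shared secret at the given Unix time, following RFC 6238 (HMAC-SHA1 over
// the time-step counter, then RFC 4226 dynamic truncation). step is the
// validity window in seconds; 30 is the usual value.
func totp(secret []byte, unixTime int64, step int64, digits int) string {
	counter := uint64(unixTime / step)
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)

	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)

	// Dynamic truncation: the low nibble of the last byte selects a 4-byte
	// window; the top bit is cleared to avoid signed/unsigned ambiguity.
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff

	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0"+strconv.Itoa(digits)+"d", code%mod)
}

// verifyTOTP checks a submitted code against the current step and one step
// on either side (to tolerate clock skew) with a constant-time comparison.
// A real server would additionally remember the last accepted counter so the
// same code cannot be replayed within its window.
func verifyTOTP(secret []byte, submitted string, unixTime int64, step int64, digits int) bool {
	for _, skew := range []int64{-1, 0, 1} {
		expected := totp(secret, unixTime+skew*step, step, digits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(submitted)) == 1 {
			return true
		}
	}
	return false
}

func main() {
	// Test secret from RFC 6238 Appendix B: the ASCII string "12345678901234567890".
	secret := []byte("12345678901234567890")
	for _, t := range []int64{59, 1111111109, 1111111111, 1234567890, 2000000000} {
		fmt.Printf("t=%-10d  8-digit code=%s  6-digit code=%s\n",
			t, totp(secret, t, 30, 8), totp(secret, t, 30, 6))
	}
}
```

Because the code is a pure function of the secret and the clock, observing any number of past codes tells an attacker nothing about the next one, while anyone holding the secret (the point made in the list above) can compute every future code; this is why the secret must be protected on both the phone and the server.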
Verify sign-in with mobile apps
This type of authentication can be described as a hodgepodge of all the previous ones. Here, instead of entering codes or one-time passwords, you confirm the login from your mobile device using the service's own app. A private key stored on the device is checked at each login. This is how Twitter, Snapchat and various online games work. For example, when you log in to your Twitter account in the web version, you enter your login and password, then your smartphone receives a notification with a login request; once you confirm it, your feed opens in the browser.
- You do not need to enter anything at login.
- Independence from the cellular network.
- Support for multiple accounts in one application.
- If attackers obtain the private key, they will be able to impersonate you.
- The point of two-factor authentication is lost when the same device is used to log in.
Physical (or hardware) tokens are the most reliable form of two-factor authentication. Being separate devices, hardware tokens, unlike all the methods above, never lose their second-factor property. Most often they come as USB key fobs with their own processor that generates cryptographic keys, which are supplied automatically when the token is connected to a computer. The choice of key depends on the specific service. Google, for example, recommends FIDO U2F tokens, with prices starting at $6 excluding shipping.
- No SMS and applications.
- No need for a mobile device.
- It is a completely independent device.
- Must be bought separately.
- Not supported by all services.
- When using multiple accounts, you will have to carry a whole bunch of tokens.
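Both the app-confirmation method and hardware tokens rest on the same idea: the device holds a private key, and at login it proves possession by signing a fresh challenge from the service. The following added example (not code from the article, from Twitter, or from the FIDO U2F specification, whose real wire format is more involved) models that exchange with Ed25519 from Go's standard library. The types `Server` and `Device`, the methods `Enroll`, `NewChallenge`, `Approve` and `VerifyLogin`, and the origin `https://service.example` are all constructed for the demonstration. It shows the two defensive properties the lists above hint at: a consumed challenge cannot be replayed, and a signature made for a different site's origin is rejected.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Device models the phone app or hardware token: it holds a private key that
// never leaves it. (Assumed simplified model, not any vendor's real protocol.)
type Device struct {
	priv ed25519.PrivateKey
}

// Server stores only the public key registered at enrollment, plus at most one
// outstanding login challenge per account.
type Server struct {
	pubKeys map[string]ed25519.PublicKey
	pending map[string][]byte
}

func NewServer() *Server {
	return &Server{
		pubKeys: map[string]ed25519.PublicKey{},
		pending: map[string][]byte{},
	}
}

// Enroll generates the device key pair and registers the public half.
func (s *Server) Enroll(account string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s.pubKeys[account] = pub
	return &Device{priv: priv}, nil
}

// NewChallenge issues a fresh random nonce for one login attempt.
func (s *Server) NewChallenge(account string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[account] = nonce
	return nonce, nil
}

// loginMessage binds the signature to the service origin, the account and the
// nonce, so a signature produced for another site or an earlier login is useless.
func loginMessage(origin, account string, nonce []byte) []byte {
	return []byte(origin + "|" + account + "|" + hex.EncodeToString(nonce))
}

// Approve is what happens when the user taps "Yes, it's me": the device signs
// the challenge. The origin is what the device believes it is talking to.
func (d *Device) Approve(origin, account string, nonce []byte) []byte {
	return ed25519.Sign(d.priv, loginMessage(origin, account, nonce))
}

// VerifyLogin consumes the pending challenge (so it cannot be replayed) and
// checks the signature against the enrolled public key.
func (s *Server) VerifyLogin(origin, account string, nonce, sig []byte) error {
	pub, ok := s.pubKeys[account]
	if !ok {
		return errors.New("no device enrolled for account")
	}
	expected, ok := s.pending[account]
	delete(s.pending, account) // one attempt per challenge, success or not
	if !ok || !bytes.Equal(expected, nonce) {
		return errors.New("unknown or already used challenge")
	}
	if !ed25519.Verify(pub, loginMessage(origin, account, nonce), sig) {
		return errors.New("signature does not match enrolled device")
	}
	return nil
}

func main() {
	const origin = "https://service.example" // constructed origin for the demo
	s := NewServer()
	phone, _ := s.Enroll("alice")
	nonce, _ := s.NewChallenge("alice")
	sig := phone.Approve(origin, "alice", nonce)
	fmt.Println("first login:", s.VerifyLogin(origin, "alice", nonce, sig))
	fmt.Println("replayed login:", s.VerifyLogin(origin, "alice", nonce, sig))
}
```

The server never holds anything that lets it produce a signature, which is why a server-side leak does not compromise this method the way a leaked TOTP secret does; the only secret worth protecting is the private key on the device itself, matching the remaining weakness the lists above describe.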
Strictly speaking, this is not a separate method but a backup option in case the smartphone that receives one-time passwords or confirmation codes is lost or stolen. When configuring two-factor authentication in each service, you are given several backup keys for use in emergencies. With them you can log into your account, unlink configured devices and add new ones. These keys should be stored in a safe place, not as a screenshot on a smartphone or a text file on the computer.
As you can see, using two-factor authentication has its nuances, but they seem complicated only at first glance. Everyone decides for themselves what the ideal balance of protection and convenience should be. But in any case, all the hassle pays off many times over when it comes to the security of payment data or personal information not intended for other people's eyes.
Where it is possible and necessary to enable two-factor authentication, and which services support it, you can read here.