In today’s online environment, the rudimentary “username and password” approach to security is easy prey for cyber criminals.
Many log-ins can be compromised in minutes, and private data (such as personal and financial details) is under increasing threat.
Multi-factor authentication, also known as MFA or multi-step verification, adds another layer of security, supplementing the username and password model with a second proof of identity: typically a one-time code generated on, or delivered to, a device the user has immediately to hand.
This authentication method can be summed up as a combination of “something you know” and “something you have”.
Two-factor authentication (2FA) is the most common form of MFA: a security mechanism that requires two independent types of credential and provides an additional layer of validation, so that a single stolen password is no longer enough to break in.
Two-factor authentication is often referred to as strong authentication.
Straightforward and steadfast
Back in the early days of authentication, organisations relied on hardware tokens, the kind you’d associate with online banking, to generate a secure passcode.
But that solution was clumsy and prone to unforeseen expenses, with tokens frequently lost, broken or expiring.
Modern tokenless systems use mobile devices to make roll-out and management much easier.
Here at SecurEnvoy, we brought the first-ever tokenless two-factor authentication product to market.
Our system employs a user’s device, with passcodes generated locally or delivered via SMS, voice calls, secure emails or via an app.
The approach is supremely secure, and extremely cost effective too.
And why aren’t passwords good enough?
Before addressing the question ‘what is two-factor authentication’ or ‘what is 2FA,’ let’s consider why it’s important to do everything you can to improve your online account security.
With so much of our lives happening on mobile devices and laptops, it’s no wonder our digital accounts have become a magnet for criminals.
Malicious attacks against governments, companies, and individuals are more and more common.
And there are no signs that the hacks, data breaches, and other forms of cybercrime are slowing down!
Luckily, it’s easy for businesses to add an extra level of protection to user accounts in the form of two-factor authentication, also commonly referred to as 2FA.
Rise in Cybercrime Requires Stronger Security With 2FA
In recent years, we’ve witnessed a massive increase in the number of websites losing personal data of their users.
And as cybercrime gets more sophisticated, companies find their old security systems are no match for modern threats and attacks.
Sometimes it’s simple human error that has left them exposed. And it’s not just user trust that can be damaged.
All types of organizations—global companies, small businesses, start-ups, and even non-profits—can suffer severe financial and reputational loss.
For consumers, the after-effects of a targeted hack or identity theft can be devastating.
Stolen credentials are used to secure fake credit cards and fund shopping sprees, which can damage a victim’s credit rating.
And entire bank and cryptocurrency accounts can be drained overnight. A recent study revealed that in 2016 over $16 billion was taken from 15.4 million U.S. consumers.
Even more incredible, identity thieves stole over $107 billion in the past six years alone.
Clearly, online sites and apps must offer tighter security.
And, whenever possible, consumers should get in the habit of protecting themselves with something that’s stronger than just a password.
For many, that extra level of security is two-factor authentication.
Passwords: Historically Bad But Still In Use
How and when did passwords get so vulnerable? Back in 1961, the Massachusetts Institute of Technology developed the Compatible Time-Sharing System (CTSS).
To make sure everyone had an equal chance to use the computer, MIT required all students to log in with a secure password.
Soon enough, students figured out that they could hack the system, print out the passwords, and hog more computer time.
Despite this, and the fact that there are much more secure alternatives, usernames and passwords remain the most common form of user authentication.
The general rule of thumb is that a password should be something only you know while being difficult for anyone else to guess.
And while using passwords is better than having no protection at all, they’re not foolproof. Here’s why:
Humans have lousy memories:
A recent report looked at over 1.4 billion stolen passwords and found that most were embarrassingly simple.
Among the worst are “111111,” “123456,” “123456789,” “qwerty,” and “password.”
While these are easy to remember, they sit at the top of every password-cracking wordlist, and an attacker will guess them in seconds.
Too many accounts:
As users get more comfortable with doing everything online, they open more and more accounts.
This eventually creates too many passwords to remember and paves the way for a dangerous habit: password recycling.
Here’s why hackers love this trend: credential-stuffing tools take only seconds to replay thousands of stolen username/password pairs against popular online banks and shopping sites.
If a pair has been recycled, it’s extremely likely to unlock plenty of other lucrative accounts.
Security fatigue sets in:
To protect themselves, some consumers try to make it harder for attackers by creating more complex passwords and passphrases.
But with so many data breaches flooding the dark web with user information, many just give up and fall back to using weak passwords across multiple accounts.
2FA To The Rescue
2FA is an extra layer of security used to make sure that people trying to gain access to an online account are who they say they are.
First, a user will enter their username and a password.
Then, instead of immediately gaining access, they will be required to provide another piece of information.
This second factor could come from one of the following categories:
Something you know:
This could be a personal identification number (PIN), a password, answers to “secret questions” or a specific keystroke pattern
Something you have:
Typically, a user would have something in their possession, like a credit card, a smartphone, or a small hardware token
Something you are:
This category is a little more advanced, and might include a biometric such as a fingerprint, an iris scan, or a voice print.
With 2FA, compromising just one of these factors won’t unlock the account.
So even if your password is stolen, the thief still lacks your device; and if your phone is lost, whoever finds it still lacks your password.
Looking at it from another angle, when a user presents a valid second factor, websites and apps have much stronger evidence of who is logging in before they unlock the account.
Common Types of 2FA
If a site you use only requires a password to get in and doesn’t offer 2FA, a single leaked or reused password is all an attacker needs to take over your account.
That doesn’t mean that all 2FA is the same. Several types of two-factor authentication are in use today; some may be stronger or more complex than others, but all offer better protection than passwords alone.
Let’s look at the most common forms of 2FA.
Hardware Tokens for 2FA
Probably the oldest form of 2FA, hardware tokens are small, like a key fob, and produce a new numeric code at fixed intervals, typically every 30 or 60 seconds.
When a user tries to access an account, they glance at the device and enter the displayed 2FA code back into the site or app.
Other versions of hardware tokens automatically transfer the 2FA code when plugged into a computer’s USB port.
They’ve got several downsides, however.
For businesses, distributing these units is costly.
And users find their size makes them easy to lose or misplace.
Most importantly, they are not immune to compromise: each token’s secret seed is also held by the server (and often the vendor), so a stolen seed database lets an attacker compute the same codes, and a code read off the token can still be phished like any other one-time password.
SMS Text-Message and Voice-based 2FA
SMS-based 2FA interacts directly with a user’s phone.
After receiving a username and password, the site sends the user a unique one-time passcode (OTP) via text message.
Like the hardware token process, the user must then enter the OTP back into the application before getting access. Similarly, voice-based 2FA automatically dials the user and reads out the 2FA code.
Voice delivery is less common, but it’s still used in countries where smartphones are expensive or where mobile data coverage is unreliable.
For a low-risk online activity, authentication by text or voice may be all you need. But the code travels over the phone network, where it can be intercepted or redirected: a SIM swap or number port-out at the carrier, or malware on the handset reading messages, all defeat it, which is why NIST SP 800-63B classifies out-of-band authentication over the telephone network as “restricted”. For websites that store your personal information, like utility companies, banks, or email accounts, this level of 2FA may not be secure enough.
Software Tokens for 2FA
First, a user must download and install a free authenticator app on their smartphone or desktop.
They can then use the app with any site that supports this type of authentication.
At sign-in, the user first enters a username and password, and then, when prompted, they enter the code shown on the app.
Like hardware tokens, the soft token is typically valid for less than a minute.
And because the code is generated on the device itself rather than sent over the phone network, there is no delivery channel to intercept or redirect, which is the big concern with SMS and voice.
Note what the app does not fix: a phishing page that asks for the code and relays it to the real site within its 30-second window still gets in, so the user must check they are on the genuine site.
Best of all, since app-based 2FA solutions are available for mobile, wearables, or desktop platforms — and even work offline — user authentication is possible just about everywhere.
Push Notification for 2FA
Rather than relying on the receipt and entry of a 2FA token, websites and apps can now send the user a push notification that an authentication attempt is taking place.
The device owner simply views the details (who, from where, when) and approves or denies access with a single touch. There’s no code to type and no extra step beyond the tap.
Because the prompt travels over an authenticated connection between the service, the 2FA provider and the enrolled device, a phishing page has no code to harvest. It does not remove social engineering altogether, though: an attacker who already holds the password can fire off prompts until a tired user taps Approve, so better implementations show the login context in the prompt and require the user to enter a number displayed on the login screen.
But it only works with an internet-connected device that can install apps. In areas where smartphone penetration is low, or where the internet is unreliable, SMS-based 2FA may be the necessary fall-back.
But where it is an option, push notification provides a more user-friendly and more secure second factor.
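Push approval removes the code a phisher could ask for, but an attacker who already has the password can still trigger prompt after prompt and hope the user taps Approve to make it stop. Number matching closes that gap: the login page shows a two-digit number that is never sent to the phone, and the phone asks the user to type it in, so a user who did not start the login cannot approve it. The following is an added example of the server side of that flow, not code from Authy, SecurEnvoy or any other vendor named on this page; the `PushVerifier` class and its methods are invented for illustration, `FakeClock` exists only to make the demo deterministic, and the IP addresses are documentation ranges.

```python
"""Added example: server side of push-notification 2FA with number matching.
Hypothetical interface; not any vendor's real API."""
import hmac
import secrets
import time


class FakeClock:
    """Deterministic clock for the demo and tests; production code passes time.time."""
    def __init__(self, start: float = 1_700_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


class PushVerifier:
    def __init__(self, ttl_seconds: int = 60, clock=time.time):
        self._pending = {}          # request_id -> state (a DB row in a real deployment)
        self.ttl = ttl_seconds
        self.clock = clock

    def start(self, username: str, session_id: str, client_ip: str):
        """Called after the password check passes. Returns the number to show on the login
        page and the payload to push to the enrolled phone. The number is deliberately absent
        from the push payload: only someone looking at the login page knows it."""
        request_id = secrets.token_urlsafe(16)
        number = secrets.randbelow(100)
        self._pending[request_id] = {
            "username": username, "session_id": session_id, "client_ip": client_ip,
            "number": number, "created": self.clock(), "status": "pending",
        }
        push_payload = {"request_id": request_id, "username": username, "client_ip": client_ip,
                        "prompt": "Enter the number shown on your sign-in screen"}
        return number, push_payload

    def approve(self, request_id: str, number_typed_on_phone: int) -> bool:
        """The phone's answer. One attempt per request: a wrong number consumes the request,
        so the other 99 values cannot be tried; expired or already-answered requests are refused."""
        req = self._pending.get(request_id)
        if req is None or req["status"] != "pending":
            return False
        if self.clock() - req["created"] > self.ttl:
            req["status"] = "expired"
            return False
        matched = hmac.compare_digest(f"{req['number']:02d}",
                                      f"{int(number_typed_on_phone) % 100:02d}")
        req["status"] = "approved" if matched else "denied"
        return matched

    def deny(self, request_id: str) -> None:
        """Explicit 'This wasn't me' from the phone; worth alerting on, since the password is known."""
        req = self._pending.get(request_id)
        if req is not None and req["status"] == "pending":
            req["status"] = "denied"

    def is_approved(self, request_id: str, session_id: str) -> bool:
        """Polled by the browser session that started the request; approval is bound to that session,
        so an attacker's session cannot ride on the victim's approval."""
        req = self._pending.get(request_id)
        return req is not None and req["status"] == "approved" and req["session_id"] == session_id


def demo():
    clock = FakeClock()
    server = PushVerifier(clock=clock)

    # Legitimate login: the user reads the number from the page in front of them.
    shown, push = server.start("alice", "sess-alice", "203.0.113.5")
    legit = server.approve(push["request_id"], shown)

    # MFA fatigue: an attacker holding alice's password triggers a prompt from their own browser.
    # If alice gives in and taps the prompt, the number is on the attacker's screen, not hers,
    # so whatever she types (modelled as any value other than the real one) is rejected.
    shown_to_attacker, push2 = server.start("alice", "sess-attacker", "198.51.100.7")
    fatigue = server.approve(push2["request_id"], (shown_to_attacker + 1) % 100)

    # Stale prompt: approving after the TTL is not approving at all.
    shown3, push3 = server.start("alice", "sess-alice-2", "203.0.113.5")
    clock.now += 61
    stale = server.approve(push3["request_id"], shown3)

    return legit, fatigue, stale


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The design choice worth noting is where the number lives: it is stored server-side and shown only on the login page, never pushed to the phone, so the approval proves the approver can see the page that started the request.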
Other Forms of Two-Factor Authentication
Biometric 2FA, authentication that treats the user as the token, is moving from novelty to mainstream.
Recent innovations include verifying a person’s identity via fingerprints, retina patterns, and facial recognition.
Ambient noise, pulse, typing patterns, and vocal prints are also being explored.
It’s only a matter of time before one of these 2FA methods takes off…and for biometric hackers to figure out how to exploit them.
According to a recent report, stolen, reused, and weak passwords remain a leading cause of security breaches.
Unfortunately, passwords are still the main (or only) way many companies protect their users.
The good news is that cybercrime is in the news so much that 2FA awareness is quickly growing, and users are demanding that the companies they do business with improve their security.
We agree: “Everybody Should 2FA”
In 2011, the Internet Engineering Task Force published a standard for Time-based One-Time Passwords (TOTP), RFC 6238, which builds on the counter-based HOTP scheme of RFC 4226.
The concept is simple enough. When the user registers a TOTP-supporting device with a secure website, a unique shared key is created (usually handed to the device as a QR code) and stored by both sides.
Both the device and the server can then generate the same one-time password by computing an HMAC over that key and the current 30-second time step and truncating the result to six digits.
By convention, each TOTP is good for 30 seconds. You log in using your regular password, then enter the current one-time password from your device, and you’re in.
A malefactor who somehow plucks that one-time password out of the ether will find it useless within 30 seconds.
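As an added example, not code from Authy, Google or the original post, here is the HOTP/TOTP algorithm just described, together with a parser for the otpauth:// URI that an enrolment QR code carries and the check a site performs server-side. It also serves the software-token section above: an authenticator app is the `totp` function run on the phone, and a hardware fob is the same function in plastic. The enrolment URI is constructed for this example using the RFC 4226/6238 test key “12345678901234567890”; the verification routine shows the clock-skew tolerance that makes time sync matter and why a code, once accepted, must be refused if replayed within its 30 seconds.

```python
"""Added example: RFC 4226 HOTP / RFC 6238 TOTP as used by hardware tokens and authenticator
apps, plus otpauth:// enrolment parsing and a server-side verifier. Not any vendor's code."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, 8-byte big-endian counter), dynamic truncation, mod 10^digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = digest[-1] & 0x0F                        # low nibble of last byte picks a 4-byte window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)     # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter replaced by the number of `step`-second periods since the epoch."""
    return hotp(secret, unix_time // step, digits, algorithm)


def parse_otpauth(uri: str) -> dict:
    """Decode the otpauth:// URI carried in an enrolment QR code.

    Format: otpauth://TYPE/LABEL?secret=BASE32&issuer=...&digits=6&period=30
    The secret is base32 without padding; it is re-padded before decoding.
    """
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth URI")
    params = parse_qs(parts.query)
    b32 = params["secret"][0].strip().upper().replace(" ", "")
    b32 += "=" * (-len(b32) % 8)
    return {
        "type": parts.netloc,
        "label": unquote(parts.path.lstrip("/")),
        "issuer": params.get("issuer", [None])[0],
        "secret": base64.b32decode(b32),
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
    }


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30, digits: int = 6,
                window: int = 1, last_counter=None):
    """Server-side check.

    Accepts the current time step and `window` steps either side to tolerate clock skew
    (RFC 6238 section 5.2), but never a step at or below `last_counter`, the step of the last
    code this user successfully used: a code accepted once cannot be replayed for the rest of
    its lifetime. Returns the matching step (store it as the new last_counter) or None.
    """
    current = unix_time // step
    for offset in range(-window, window + 1):
        candidate = current + offset
        if last_counter is not None and candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


# Constructed enrolment URI; the secret is the RFC 4226/6238 test key "12345678901234567890" in base32.
EXAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
               "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30")

if __name__ == "__main__":
    enrolment = parse_otpauth(EXAMPLE_URI)
    now = int(time.time())
    print(enrolment["label"], totp(enrolment["secret"], now, enrolment["period"], enrolment["digits"]))
```

Two points a practitioner should take from the verifier: the skew window is what lets a slightly slow phone still log in (and a window of one step is the usual compromise), and the `last_counter` check is what stops a shoulder-surfed or phished code from being used a second time during its 30 seconds.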
Authy and Google Authenticator both build on TOTP, and in fact you can use Authy on any site that supports Google Authenticator.
Why would you switch to Authy? Authy is better in a number of ways, detailed below.
When you set up a Google account to authenticate via Google Authenticator, apps on your mobile devices that sign in to that account are cut off.
You must enter a lengthy all-lowercase “application password” to re-enable access for each application on each device.
Authy users can simply install Authy on the device, avoiding this annoying process.
If you get a new phone, you can easily transfer over all of your Authy registrations.
With Google Authenticator, you’d have to go through the registration process again for every site.
And Google Authenticator doesn’t offer any way to revoke access for a lost or stolen phone.
The whole concept of time-based passwords breaks down if the client and server aren’t synchronized time-wise.
Authy has a reputation for staying in sync even when your device doesn’t have network access, more so than Google Authenticator.
However, I didn’t find a way to test this.
There is also a small but growing collection of sites that support Authy but not Google Authenticator.
My Authy contact reported that Coinbase, Cloudflare, and Humble Bundle are among these Authy-only sites.
Getting Started With Authy
Setting up Authy to use your smartphone as a token is simple.
You install the Authy app on the phone, give it your phone number, and either click a verification link or enter a verification code.
The exact technique for setting up two-factor authentication varies from site to site.
However, for most sites you’ll follow the prompts until you get a chance to select Google Authenticator.
At that point, the site displays a QR code. Snap the QR code with Authy and bam!
You’ve got two-factor authentication.
P.S. If you have a WordPress site, check out Why you need 2FA on WordPress.
Over 10,000 other websites and applications, large and small, use Authy directly for authentication, with no connection to Google Authenticator.
Your registered sites appear across the bottom of the app’s window.
Tapping one brings up the current authentication code for that site, along with a countdown timer that shows how much of the code’s 30-second lifetime remains.
It works much the same on Android and iOS, though I observed that the iOS edition displays a circular progress bar with a label counting down seconds while the Android edition just uses a simple progress bar.
Of course, if a hacker with pocket-picking skills manages to obtain both your password and your authentication smartphone, you could be in trouble.
As with the strictly device-based security used by oneID, you need to secure your device thoroughly.
Use a strong passcode, or biometric authentication, and turn on Authy’s PIN protection (iPhone users can upgrade to Touch ID authentication).
LastPass supports Google Authenticator by default.
That means you can protect your LastPass account using Authy, and then go on to use Authy for two-factor authentication of your other secure sites.
You could do the same with Dashlane.
You need a smartphone to get started with Authy, but once that task is accomplished you can install Authy on other smartphones, tablets, or desktops, and sync data between the devices.
Authy supports iOS, Android, and BlackBerry mobile devices, as well as Windows, Mac OS, and Linux.
There’s even an Authy app for the Apple Watch; just glance at your wrist for the authentication code.
By installing the Authy desktop app and Chrome extension, you can bypass the smartphone altogether.
The desktop app prompts you to create a master password, but doesn’t require it (an oversight, in my opinion).
Note that the master password is device-specific, so if you install on multiple desktops you could conceivably create multiple master passwords.
When the master password is in place, the app requires you to re-enter it periodically.
Using the Chrome extension, you can get the current code for any of your registered sites, copy it to the clipboard, and paste it in, with no need to get out your phone.
Yes, this is definitely chipping away at the definition of two-factor authentication.
Someone who has access to your desktop computer could conceivably break in, because the desktop computer becomes the “something you have” factor.
If you choose to use the Authy desktop app, you absolutely must protect it with a strong master password.
In addition, you should password-protect your user account on the desktop and lock the account any time you step away.
There’s another benefit to the Chrome extension that I didn’t notice right away.
If you click to view the current code for a site, and that site isn’t open, you’ll get a phishing warning. That’s handy!
Enabling Authy on another smartphone or tablet is a snap.
On the new device, you enter the phone number of your smartphone, and respond to an access prompt that appears on that smartphone. Just like that, Authy is enabled on the new device.
Lost a device?
You can use the Authy app to remove that device from the sync process.
Note, though, that removing a device from sync revokes nothing at the sites themselves: for sites using standard TOTP (Google’s implementation), the shared secret still lives on the lost device and keeps producing valid codes.
A prudent user will disable and re-enable two-factor authentication on these sites, which generates a fresh secret and makes the old one worthless.
If you’ve enrolled all the devices you want, you can set Authy to stop accepting more devices.
There’s also an option to save an encrypted backup of your secure keys to the cloud.
I noticed a Bluetooth option in the Authy iOS app.
I enabled it, but couldn’t find any way to make it interact with my PC.
It turns out this feature is Mac-specific, and that even on Mac it’s having trouble with some recent changes in Bluetooth implementation.
Easy Does It
Two-factor authentication really is a marvelous security enhancement for securing sensitive websites, but users often trade security for convenience.
Getting started with Authy takes an initial effort as you convert your secure sites to use two-factor.
After that, it’s super easy to use, and a definite cut above Google Authenticator.
Authy itself might well merit an Editors’ Choice honor for two-factor authentication; we simply haven’t reviewed enough similar products to be sure.