What two-factor authentication really means and what it can do for your online safety…
Facebook, Google, Twitter, PayPal and Microsoft are just some of the companies that have increased the security of their online services by offering two-factor authentication at user login time. Many banks have offered two-factor security for online banking for a number of years.
The concept of two-factor authentication is that, rather than relying only on a user entering a username and password to log in, the user is also asked for some additional information to identify themselves, drawing on two of the three available factors of authentication.
The three factors are…
Something you know.
Something you are.
Something you have.
Let’s look at those factors in some more detail…
Something you know can be a password, a PIN, a passphrase or a pattern. These have all been in use for single-factor authentication for a number of years, though patterns have become more popular in recent years due to the popularity of systems with touch screens.
A number of systems will combine a password with a “personal question” such as where you were born or your mother’s maiden name, but these questions still fall under the same category of something you know and, as such, may form a two-step authentication system but not two-factor authentication.
Something you are is generally something physically identifiable about your body, such as a security guard comparing you against a photograph to make sure the person requesting access is really you. In computerised environments the technology to identify faces with the accuracy of a human is not quite with us, and the commonly used methods are fingerprints, voice prints and retina scans, collectively referred to as biometrics.
Unfortunately, all of these methods are highly vulnerable to copy attacks, where copies of the items being checked are made and re-used by an attacker. For example, it’s simple to record and replay a voice print identification. Fingerprints can easily be lifted from people’s desks, phones, mugs, etc. Also, if a biometric identifier is compromised it is impossible for a person to change it, so it will remain compromised for the rest of their life.
These issues with biometrics lead many people to recommend that their use be regarded as similar to entering a username or another item that may well be public knowledge, and that a second factor be required to confirm authentication. Unfortunately, a lot of computers with fingerprint readers, and the latest iPhones, allow you to unlock with just a fingerprint, which gives many users a false sense of additional security when they are in fact reducing their security.
Finally, something you have. This is the area that provides the easiest methods of increasing security, and it has seen a lot of growth recently, with many vendors offering solutions to this authentication requirement. Common methods involve keyrings that display multi-digit codes that change at regular intervals, offering limited authentication periods and preventing an attacker from simply writing down the code.
Similarly, there are USB keyrings that you can plug into your PC and, with the press of a button, insert a time-limited code, and also Bluetooth versions.
Smart cards that slot into a smartcard reader were previously a popular way for businesses to secure mobile devices, and a number of online banks make use of a code generator that relies on the debit/credit smart card issued to customers, together with their PIN, to generate single-use codes that can be entered on the site.
Increasingly, mobile phones are becoming the default something you have: Google’s and PayPal’s authentication involves sending an SMS message to a phone number that you associate with your account, providing you with a code you can use to authenticate your log-in. There are also apps such as Google Authenticator for smartphones that can be associated with an account and used to generate one-time passwords for authenticating against a number of services.
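As an added example that is not part of the original article, the Python below implements the time-based one-time password scheme (RFC 6238, built on the HOTP algorithm of RFC 4226) that Google Authenticator and many code-displaying keyrings use: the 30-second time step is what makes the displayed code change at regular intervals, and the verifier accepts one step of clock drift either side using a constant-time comparison. The shared secret and expected codes are the published RFC test vectors; the base32 helper assumes the key format Google Authenticator's setup QR codes use.

```python
import base64
import hashlib
import hmac
import struct


def secret_from_base32(key: str) -> bytes:
    """Decode an authenticator-app style base32 key (spaces and case ignored)."""
    cleaned = key.replace(" ", "").upper()
    # pad to a multiple of 8 characters, as many apps omit the '=' padding
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password for a given counter value."""
    # The counter is an 8-byte big-endian integer fed into HMAC-SHA1.
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation: the low 4 bits of the last byte pick a 4-byte window.
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based code: HOTP with the counter derived from the clock."""
    return hotp(secret, timestamp // step, digits)


def verify_totp(secret: bytes, code: str, timestamp: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check that tolerates `window` steps of clock drift each way.

    Every candidate is compared with hmac.compare_digest so the time taken
    does not leak how many leading digits of the submitted code were right.
    """
    counter = timestamp // step
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + drift, digits), code):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 reference secret (ASCII "12345678901234567890"), used as a constructed demo key
    demo_secret = b"12345678901234567890"
    print("code at T=59:", totp(demo_secret, 59))  # → 287082
    print("accepted 30 s later:", verify_totp(demo_secret, "287082", 89))  # → True
```

A real deployment also has to record which counter values were already accepted, so that a code observed by an attacker cannot be replayed within the same drift window.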