In the last couple of years, we have encountered quite a few security breaches. A lot of internet companies are being targeted with these kinds of attacks. One of the most common forms of online transactions is that you have an account that’s protected with a password. So whenever you want to access your account, you just enter your username along with the password. But the problem is that this is breakable! As in, people can technically break into these accounts. So people started thinking about different ways in which this could be prevented. Of course, choosing better passwords would help, but we need a way to fundamentally improve the security. How exactly do we do it? Do we just choose bigger and better passwords, or is there something new we can do?
Why should I care about two-factor authentication?
To understand why we need it, let’s consider the example of Michael. He is working on building a secret lab, and very few people can have access to it. This means that the entry points are limited and the process needs to be secure. From here on out, we have two options. In the first option, we issue an id card to all the employees. To get past the door, you need to swipe your card. But what if the card gets stolen? Anybody with that card can gain access to the lab. So to get around this problem, we can come up with a second option. This time, we discard the id card and we have a door with a password instead. Everybody is given a password and they can only gain access if they enter the right password. This seems more secure than the first option, but what if the password gets stolen?
As you can see here, both the options use a single layer of security. We are protecting the door with a single thing, and that single thing can be stolen. The security process consists of a single step, which is not sufficient. This is why we need an additional layer that’s totally independent of the first layer. This is why we need two-factor authentication. If Michael wants to keep his lab secure, he will design a system where you would need the card in conjunction with the password to get inside the lab. This way, even if the card is stolen, the thief still cannot get inside the lab because he doesn’t have the password. Similarly, if the password is stolen, the thief cannot get inside the lab because he doesn’t have the card. The access mechanism is now a combination of something Michael has (his id card) and something Michael knows (his password). This is inherently more secure than using a single step for authentication.
What exactly is it? Is it the same as two-step verification?
Now that we understand why we need two-factor authentication, let’s see what exactly it is. Two-factor authentication is a security process in which the user provides two means of identification, one of which is typically a physical item like a card, and the other one is something memorized, like a password. This is basically a combination of something you have and something you know. A good example of two-factor authentication is an ATM card. The card itself is the physical item and the PIN is the data that goes with it. You need both of them to operate on your account.
Another thing that’s closely related to two-factor authentication is two-step verification. A lot of people tend to use these terms interchangeably, but there’s a subtle difference here. We can say that every two-factor authentication is a two-step verification, but not the other way around. For example, if Michael scans his id card and enters his password, he is doing a two-step verification using a two-factor authentication mechanism (something he has and something he knows). On the other hand, if he enters his regular password and a one-time password, he is doing a two-step verification but using only a one-factor authentication mechanism (using only something he knows).
Is there a way to bypass it?
The good thing about two-factor authentication is that it could drastically reduce online identity theft, phishing, and other types of online fraud. The reason for this is that the victim’s password would no longer be enough to give a thief access to their information. If we were to argue against it, then we can say that a thief can technically gain access to your computer and boot it up in safe mode. Now how will that help? Well, booting in safe mode means that he can bypass the physical authentication processes. He can just scan your machine for all passwords and enter the data manually.
Some people tend to argue that this is no more secure than the use of a password alone. But then again, we are being a bit hyperbolic here! Just to be safe, some people are proposing three-factor authentication, which involves possession of a physical token and a password, used in conjunction with biometric data, such as a fingerprint scan or a voiceprint. High-end security firms and banking institutions make use of this type of technique. Yep, I know what you are thinking. We see this all the time in those fancy high-tech movies, right? The movies where they scan the retina and everything are actually good examples of three-factor authentication.
Is it easy to use? Will it actually protect me?
It definitely adds an extra step to your log-in process, and depending on how the account vendor has implemented it, it can be a minor inconvenience or a major pain. Most of it also depends on your patience and your willingness to spend the extra time to ensure a higher level of security. I agree that two-factor authentication makes it more difficult to log in, but it’s not exactly a lot more. If you don’t do it, then there’s a chance that an attacker might collect a cookie from a website and take over your session. So, two-factor authentication is definitely a good thing, but it does make the user experience a bit more complicated.
It’s true that two-factor authentication is safe against attackers. Two-factor authentication mitigates the security problems, but a few people have figured out a way around it and a lot of attacks can still happen. One way to look at it would be to say that using it is definitely more secure than not using it. To hack two-factor authentication, the bad guys must acquire either the physical component of the log-in, or must gain access to the cookies or tokens placed on the device by the authentication mechanism. This can happen in several ways, including a phishing attack, malware, or credit card-reader skimming. There is another way as well, namely account recovery.
Account recovery works as a tool for breaking two-factor authentication because it bypasses two-factor authentication entirely. You can just create an account, enable two-factor authentication on it, then pretend to lose your data. Account recovery takes some extra time, but a couple of days later, you will get a message saying that two-factor authentication has been disabled on your account. After this, you can just log back into the account without two-factor authentication. As simple as that! Until we figure out a way to deal with account recovery, two-factor authentication will still be wide open to attacks.
So where do we go from here?
Biometrics is definitely one avenue that is being explored. If there’s a very strong biometric recovery method, a strong password, and a voice challenge or something like that, it becomes a very good recovery mechanism. Basically, we use one form of two-factor for logging in, and a different two-factor combination for recovery. As two-factor authentication becomes more common, it’s more likely that attacks will be more successful against it. That’s the nature of computer security. But by virtue of being more common, it will become easier to use as well.
One of the most common obstacles with two-factor authentication is that people think it is difficult to use. I mean, remember those warning messages you encounter where you are asked to give your phone number to increase security? Most of us don’t even bother reading what it’s about. We just skip the step and move on with our lives. Adoption is definitely an issue here, and people don’t realize what’s at stake. But once more people start using it, the technology will get refined further. So maybe in the near future, it will be as painless as just using a simple password. We should be planning on designing something that can scale to a large number of websites. More and more people are definitely using two-factor authentication to make sure things remain secure. As is always the case, the security and usability of any process are inversely proportional to each other. So if two-factor authentication gets those things to an acceptable level, we might witness a nice breakthrough.
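The post's point that recovery should use a different two-factor combination rather than simply switching the second factor off can be shown with single-use recovery codes. The following is an added example (not code from the original post): the account keeps only salted hashes of its recovery codes, each code is accepted once and then discarded, attempts are rate-limited, and recovery still requires the password. The salt, the code length, the attempt limit and the names issue_recovery_codes, RecoveryStore and recover_account are this example's own constructed choices, not any vendor's implementation.

```python
import hashlib
import hmac
import secrets
from typing import List, Tuple

# Constructed demo salt; a real deployment uses a per-account random salt
# and persists the hashes in the account record.
RECOVERY_SALT = b"demo-recovery-salt"
MAX_RECOVERY_ATTEMPTS = 10  # constructed policy for this example


def _hash_code(code: str) -> bytes:
    """Recovery codes are random and high-entropy, so a salted SHA-256 suffices.
    Storing only hashes means a database leak does not hand out working codes."""
    normalized = code.strip().lower()
    return hashlib.sha256(RECOVERY_SALT + normalized.encode()).digest()


def issue_recovery_codes(count: int = 8) -> Tuple[List[str], List[bytes]]:
    """Generate `count` codes. The plaintext list is shown to the user exactly once;
    only the hash list is kept server-side."""
    plain = [secrets.token_hex(5) for _ in range(count)]  # 40 bits each, 10 hex chars
    return plain, [_hash_code(c) for c in plain]


class RecoveryStore:
    """Hashed, not-yet-used recovery codes for one account, with an attempt counter."""

    def __init__(self, hashes: List[bytes]) -> None:
        self.unused = list(hashes)
        self.attempts = 0

    def redeem(self, code: str) -> bool:
        """Accept a code at most once: a match is removed so it cannot be replayed."""
        self.attempts += 1
        if self.attempts > MAX_RECOVERY_ATTEMPTS:
            return False  # lock recovery after too many guesses
        digest = _hash_code(code)
        for i, stored in enumerate(self.unused):
            if hmac.compare_digest(stored, digest):
                del self.unused[i]
                return True
        return False


def recover_account(store: RecoveryStore, password_ok: bool, recovery_code: str) -> bool:
    """Recovery is itself two-factor: the password (something known) plus one unused
    recovery code (something held). Two-factor is never simply disabled."""
    if not password_ok:
        # Do not consume a code on a wrong password; otherwise anyone could burn
        # through a victim's recovery codes without knowing the password.
        return False
    return store.redeem(recovery_code)


if __name__ == "__main__":
    shown_once, stored_hashes = issue_recovery_codes()
    print("codes to hand to the user once:", shown_once)
    store = RecoveryStore(stored_hashes)
    print("first use:", recover_account(store, True, shown_once[0]))
    print("replay of same code:", recover_account(store, True, shown_once[0]))
```

When a code is redeemed the account should also be prompted to re-enrol a primary second factor and generate a fresh set of codes, so the recovery path is never left as the only way in.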