Two-factor authentication (2FA), also referred to as two-step verification or dual-factor authentication, is a security protocol that requires two different authentication factors to verify the user before authorizing the login. The process is designed to protect the user's credentials and, most importantly, the resource the user is trying to access. It provides a higher level of security than its single-factor authentication (SFA) counterparts, where users are required to provide only one factor, typically a password. 2FA methods require the user to complete an additional verification step, usually in the form of a biometric or tokenized factor, sometimes an SMS sent to the user's mobile phone number, or an approval request pushed to an application on the smartphone. Google, Steam, and Facebook are some of the most popular services that offer 2FA.
It goes without saying that since 2FA adds an additional layer of protection to the authentication process, the system becomes harder for attackers to access: knowing the user's identifier and password is no longer enough to get in.
There are several different types of authentication factors. Currently, most of the simple methods require something knowledge-based such as a password, a passcode, or the answer to a security question. 2FA adds an additional layer by requesting a possession-based or inherence factor on top of that. Some of the authentication factors are as follows:
Knowledge factor is something a user is required to know in order to gain access to the system. This may be a password, a Personal Identification Number (PIN) code, or some type of answer to a secret question. This is the first and most basic step in the authentication process and is found on practically every platform today.
Possession factor is something 2FA usually relies on to prove the identity of the user trying to log in. This can be anything from an Identification (ID) card, a security token, a mobile device, or a smartphone app, to anything else that can approve the request to access the system. These are the types of factors commonly used in the entertainment industries, for example: video gaming accounts, gambling accounts, online shopping, and so on. This is usually something used for services that involve payments. The online gambling industry, for example, is connected with payment methods and moves a lot of money from the person's account to the gambling one or vice versa. Because of this, the possession factor is the type of 2FA that is always kept in mind and is how online casino slots are made accessible. It highlights the importance of protecting a service that involves the identity, financial information, and other private data tied to such accounts.
The location factor is a more backend way of dealing with the problem. It requires knowledge of the location from which the user is trying to access the system. We have all seen emails on our Google accounts when we try to log in from a different location, stating that someone was attempting to access the account from this or that place. This is exactly what the location factor means.
Inherence factor, or as it is more commonly referred to, biometric factor, is something the user physically is. This can be a personal attribute used for fingerprint, retina, facial, or voice recognition. Some of the more evolved versions of this factor may involve speech patterns, keystroke dynamics, and other behavioral biometrics.
The time factor is also one of the popular methods of authenticating a user. It means that the system can only be accessed within specific time frames.
The way this system protects the user is quite simple. Once the user is prompted to log into the application, website, or any other type of system, and the username and password have been entered, the site's servers find a match and identify the user. Now, however, the user needs to prove that they are indeed the person this account belongs to. This is where the 2FA system comes in: the server prompts the user to enter some kind of additional information, usually in the form of a one-time PIN code, an email containing a link, or a push notification on the smartphone from the corresponding application.
After both factors have been provided, the user's identity is proven to the server and access is granted.
2FA is a much more secure method of access than its single-factor counterpart. However, reality sets in once we start delving into the details. A 2FA method is only as secure as its weakest link, meaning that sometimes the application on the device, or the device itself, may get hacked. While things are becoming exponentially harder for an attacker, it is still possible to steal someone's fingerprints, hack the smartphone, intercept the SMS, etc.
The SMS 2FA method is one of the weakest of the bunch, as it is vulnerable to numerous attacks. The National Institute of Standards and Technology (NIST) has even issued a statement discouraging the use of SMS-based 2FA methods in its Special Publication 800-63-3: Digital Identity Guidelines. Here NIST argues that SMS authentication is vulnerable because of the ease of mobile phone number portability attacks, such as a Signaling System 7 (SS7) attack, the possibility that the mobile network itself is compromised, or malware like Eurograbber, which can intercept or redirect text messages to a third party. This is why companies like Google are moving away from SMS-based authentication altogether.
The account recovery process can also be used to bypass the 2FA system. Because users sometimes lose access to their smartphones, or lose the devices themselves, forget the answer to the security question, or even lose access to the email they were using, the account recovery process is designed with user-friendliness in mind. This results in attackers being able to effectively reset the account to the SFA method by requesting a new password via email, or by calling the company and feeding customer support stolen personal information about the user, which can easily be gathered through research on social media or from company data leaks.
In conclusion, the two-factor authentication method is here to stay. It is becoming more and more oriented towards reliable methods of authentication, but crafty attackers are still fighting the system by coming up with new ways to gather information or break into the 2FA devices themselves. The redundancy the system adds is not in question; however, everyone needs to take proper precautions to protect their own devices and thus their accounts.