Let’s Talk About Two Factor Authentication


As if having a strong password is not enough, now we’re being asked to use an authenticator or have codes texted, emailed, and phoned to us, or worse – having to carry around a small USB device, as a second form of identification.

WHY?

Well, because using Two Factor Authentication (or 2FA) virtually eliminates the threat of password theft. Please, read that line again. Seriously, it’s true. No single technology in the past two decades has provided as much credential security as 2FA. If you are not currently using it on any account with access to your personal and financial information, you are putting yourself at risk.

How it Works

The vast majority of Phishing attacks attempt to steal your credentials.

Since Google started requiring 2FA for its 85,000+ employees in 2016, they have not experienced a successful credential Phishing scheme. There are so many Phishing scams going on right now that cyber security officials have reached a point where they need to be careful about which scams they reveal to the public in order to avoid making people numb to the threat. We are all preaching awareness, but as the threats continue to grow and get more complex, we’re seeing people throw their hands in the air and give up. Instead of becoming more vigilant, they begin to turn a blind eye to it.

This is how hackers win. The collective WE can’t let that happen because these hackers ruin lives, and 2FA is a great way to turn the tables on them.

As the name implies, Two Factor Authentication adds a requirement beyond a password in order to gain access to accounts, websites, email, etc. This secondary verification requirement means that even if a hacker manages to get your user name and password, they still can’t gain access to your accounts. Utilizing this one security protocol nullifies the success rate of the most often employed Phishing threat.

Can it be a little inconvenient? Yes.

Being in IT, I use three different 2FA authenticators for 11 business apps, such as Office 365, website administration, VOIP service, etc, and for 17 personal apps including email, banking, and social media programs like Facebook, Instagram, and Twitter, etc. Every time I log in from a new device – or after 30 days – I am required to re-authenticate with my password and a one time code provided by the authenticator.

Sure, I resisted at first, complaining that it slowed me down. But does it really?

It takes as much time to access the authenticator and type in that one-time passcode as to open Facebook and respond to a meme with a laughing emoticon. The inconvenience is slight, at best, and when compared to the benefit 2FA offers, it is absolutely worthwhile.

Types of 2FA

Up at the top, I mentioned a variety of ways 2FA could be used. The reason that there are so many options is to try to find a method that appeals to the greatest number of people. Whether you are tech savvy or utilize technology only when you must, there is a method of 2FA for you.


Authenticators

Put simply, an authenticator provides you with an encrypted six digit passcode. After being prompted to provide your user name and password for the program or website you are trying to access, the credential manager will prompt you for the passcode. After entering the passcode, you’re in. Some of them even support Push Notifications, allowing you to answer a prompt confirming that it is you trying to log in rather than requiring a passcode.

Authenticators are typically installed on a smartphone as an app, and there are a bunch of them:

  • Microsoft Authenticator – free, easy to use, and works for almost every app out there, and offers push notifications
  • Google Authenticator – also free and works with almost every app and has iOS support, but the initial setup can be tricky
  • TOTP Authenticator – free and really basic, but offers cross-platform support for iOS and Android and cloud syncing
  • SAASPASS – an authenticator with a lot of options and works on virtually every platform available from Android to iOS to Blackberry to Windows
  • 2FA Authenticator – free and very basic app without a lot of customization, its simplicity makes it a popular choice
  • LastPass Authenticator – free, lots of features – including push notifications, and integrates with LastPass Password Manager
  • Duo Mobile – in addition to the popular apps, this one supports a lot of third party apps that others don’t, and includes its own push notifications.
  • Authy – free and works similarly to Microsoft and Google, and offers push notification and device syncing so you can have it on your phone and tablet

There are others, but these are the most popular and best rated.

We would be remiss not to mention that there are some vulnerabilities to authenticators related to the smart phones themselves:

  • A smart phone that doesn’t have some type of lock security feature leaves the authenticator vulnerable
  • Smart phones can be SIM cloned – meaning a hacker can make an exact copy of it, including the authenticator
  • If the battery dies, the phone breaks, or it is lost, the authenticator will be inaccessible

One last note about Authenticators: during setup, you are given the option of scanning a QR code – that you can take a picture of with your camera – or a code to manually enter. We recommend that you always manually enter the code. Although not quite as simple, you are only required to enter the code once to set up the app, and the QR code could include additional permissions to your phone that are not necessary for the authenticator to function.


Biometrics

When it comes to authenticating to an account, there are four different security methods:

  • Something you know – like a password
  • Something you have – like an authenticator
  • Something you are – like finger prints, facial recognition, and iris scans – also known as Biometrics
  • Somewhere you are – we’ll discuss this in Tokens

A few years back, biometrics were hailed as the next evolution in cyber security. That excitement has waned a little as the initial technologies had some flaws that were greatly exaggerated in movies and on TV, but beyond that it was a technology that people in general were initially less than willing to embrace. As the technology has improved, with people using fingerprint readers and facial recognition on smart phones, biometrics has become a part of a security protocol referred to as Multi-Factor Authentication.

The only difference between this and traditional 2FA is that Multi-Factor Authentication can potentially use more than two security methods.

In truth, Biometrics will likely be the next evolution in cyber security, it’s just going to come at us a little more slowly to allow us all to adapt to and better understand the technology.


Call Code

Do you not have a smart phone? Or do you not want to install an app on your smart phone?

The majority of programs and websites that support 2FA will allow you to provide them with a trusted phone number that will provide you with a passcode via phone call. You may provide either a mobile phone number or one from a dedicated landline or VOIP service, like your office phone.

The only negatives here are that the phone must be available to you in an area with service, and if you need to have that phone number changed, it can be very labor intensive and time consuming. 2FA companies are going to err on the side of caution and make absolutely certain the person requesting the change is the actual account holder. To be honest, this is true of any change to a 2FA system, it just so happens that phone numbers are more apt to require these types of changes.

Also, when using call codes, people often write them down. You may think that because it’s a one use code, writing it down is not an issue, right?

No.

Every cyber security expert in the world recommends never writing anything security-related down, and people who get used to writing down security codes, will write down other important security information. So, if you are going to use call codes, whenever possible type them in while on the phone – you can request the code to be repeated as many times as you need.


Text Code

While none of these 2FA methods are completely secure, passcodes received via text messaging or SMS (Short Message Service) are the most vulnerable.

Aside from requiring cell service to receive the passcodes, the messaging services that are being used are old and vulnerable to a variety of types of attack. In addition, service providers have easy access to messages in these systems as they are being transmitted between towers and SMS Centers, allowing for the possibility of insider threats that could potentially intercept these messages. Yes, this means that any text message you send from your phone has these vulnerabilities.

The nature of the single use passcodes mitigates this threat enough that there is not a great deal of concern for companies offering 2FA with sending passcodes in this way. In this instance, the benefits of 2FA far outweigh the potential risks of using Text Codes, but we would still recommend one of the other options listed here.


Tokens

Also referred to as a Disconnected Token, these are simply standalone authenticators. Like those listed above, the job of a Token is to provide you with an encrypted six digit passcode. After being prompted to provide your user name and password for the program or website you are trying to access, the credential manager will prompt you for the passcode. After entering the passcode, you’re in.
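To make the six-digit passcode concrete, here is an added example that is not code from this post or from any of the apps or token vendors it mentions. It implements the standard time-based one-time password algorithm (HOTP from RFC 4226 and TOTP from RFC 6238, an assumption on my part about which algorithm a given product uses) that both the authenticator apps described earlier and the hardware tokens in this section rely on. The secret is the published RFC test key "12345678901234567890", shown in the base32 form an app displays for manual entry; it is a constructed demo value, not a real account secret. The `verify_totp` function is a sketch of what the website side does: it accepts one step of clock drift and refuses to accept a code that has already been used.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 4226/6238 test key "12345678901234567890"
# written in base32, the way an authenticator shows a manual-entry code.
# A real secret is random, unique per account, and never shared.
DEMO_SECRET_BASE32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32):
    """Turn the manually entered base32 string into raw key bytes.
    Spaces and lower case are tolerated because apps display it that way."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # base32 wants a multiple of 8 chars
    return base64.b32decode(cleaned)


def hotp(key, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over an 8-byte counter, then 'dynamic
    truncation' picks 31 bits from the MAC and keeps the last `digits` digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key, unix_time, step=30, digits=6):
    """TOTP (RFC 6238): HOTP whose counter is the number of 30-second steps
    since the Unix epoch, so app and website agree without talking."""
    return hotp(key, int(unix_time) // step, digits)


def verify_totp(key, submitted, unix_time, last_counter=-1, window=1, step=30):
    """Website-side check. Accepts the current step plus `window` steps on either
    side (clock drift), but never a step at or below `last_counter`, so a code
    that was already used cannot be replayed. Returns the accepted counter or None."""
    current = int(unix_time) // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter <= last_counter:
            continue  # already consumed: reject replay
        if hmac.compare_digest(hotp(key, counter), submitted):
            return counter
    return None


if __name__ == "__main__":
    key = decode_secret(DEMO_SECRET_BASE32)
    now = time.time()
    code = totp(key, now)
    print("code for this 30-second window:", code)
    print("accepted at counter:", verify_totp(key, code, now))
```

The secret is entered once during setup; after that nothing about it travels over the network, only the short-lived code derived from it, which is why a code captured later is worthless. Note that the acceptance window means a code stays valid for roughly a minute, not exactly 30 seconds, and that the website has to remember the last counter it accepted per account for the replay check to work.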

Although very similar in function, there are a few differences that warrant their own section.

  • As an independent piece of hardware, tokens are not susceptible to SIM cloning (someone making an exact copy of your phone), they work in areas with no cell coverage, and account recovery is tied to a specific serial number allowing for more secure activation/deactivation
  • Many of them have built in geolocation, requiring you to be in a specific area for the code to work
      • this is used for the fourth security method – Somewhere you are
  • The security certificates stored on the device can be used to provide it with a limited operation time, requiring users to turn in old tokens and get new tokens, at the same time allowing administrators to re-evaluate the user needs and determine if the token is still necessary

There is a version of these called a Software Token, which is installed onto a digital device such as a mobile phone. They are different than standard authenticators in that they have the capability of geolocation and a limited operation time, but otherwise have the same vulnerabilities as any other authenticator installed on a digital device.


Security Keys

Also referred to as a Connected Token and Universal 2nd Factor (U2F), these are standalone authenticators shaped like a USB drive that are plugged into the computer, with a button on top. Unlike other types of authenticators, these don’t generate a code. After being prompted to provide your user name and password for the program or website you are trying to access, you will insert the Security Key when the credential manager prompts you to enter the code, and then press the button on it.

That’s it, you’re in.

Easy to use, with all of the benefits of being an independent piece of hardware, these Security Keys are growing in popularity as they speed up the secondary authentication option and have the availability of additional security features such as geolocation and a limited operation time.

Of the 2FA options presented, Security Keys are one of the more attractive and the one we at CLARK prefer.


Don’t Get Negligent on Passwords

“I have Two-Factor Authentication on my account, I don’t need a strong password anymore.”

No. No. No. Please don’t fall into this trap.

2FA will help keep you safe if your username and password get compromised, but that doesn’t mean it’s foolproof. Utilizing stolen credentials, hackers could use your information to reset or disable the 2FA feature on the account. In addition, as often as security professionals preach not to use the same password for multiple accounts, people still do it. If you’re one of those people and you use that password on accounts that do not have 2FA, they are immediately vulnerable.

Remember, Two-Factor Authentication enhances your password security, it doesn’t replace it.