Two-Factor-Authentication is a method to ensure a pretty secure proof of identity of a user or a customer. For example the combination of passwords and codes that are sent via SMS for online accounts or the combination of your bank card and PIN for your banking transactions. There are, however, some methods that are safer than others. In this article, we‘ll explain which and why.
How does 2FA work?
Two-Factor-Authentication (2FA) requires, as the name suggests, two factors for a successful authentication. If one factor is missing or fails, access is denied. The following factors are possible:
• Knowledge (Password, PIN, transaction number)
• Ownership (Bank card, app, physical key, hardware-token)
• Inherence (biometric characteristics like fingerprint (Touch-ID), iris recognition, Face-ID (facial recognition))
Why 2FA matters
Despite the fact that many people are still using „password“, „1234“ or their date of birth to „secure“ their accounts, a lot of people are realizing that a strong password should be an essential part of their digital life. When creating a password, you‘re automatically being notified, how strong or weak your password is. In a lot of places you are required to use a combination of at least 8 characters, upper and lower case letters, numbers and special characters. In reality, that leads to passwords that are hard to remember, especially when you don‘t want to (and shouldn‘t) use the same password in all your accounts.
That explains the popularity of password managers.
But what if hackers or other malicious actors have gained access to your password and thus your account? You‘re at the mercy of the attacker, because your defense only relies on one factor, knowledge (password). If you had another factor in place, it would be much harder for the attacker, if not impossible, to gain access to your account.
Different 2FA Methods
The following 2FA methods are commonly used nowadays:
• Apps to generate one time passwords
• Hardware token
If we were to compare the 3 methods, SMS and apps are less secure and private than hardware token. With SMS, the code could be read directly from the display, even when the screen is locked. On top of that, SMS are not encrypted and can be intercepted. They are not totally safe against attacks, as a five year data leak of a big telecommunications provider recently illustrated.
This is aggravated by concerns coming from the privacy scene. It could be a big invasion of one‘s privacy, if Big Tech companies require the combination of passwords and SMS. A social media giant now not only knows your email address and IP address, but also your phone number, which is tied to a proof of identity in most countries. Add to that the device id and device fingerprinting and tracking you across platforms and devices becomes much easier for companies. We don‘t have to discuss the fact that tracking users does not lead to personalized advertising alone.
Apps can generate one time passwords and be an extra layer of security. If the device is stolen however, that can compromise security.
Why are hardware token better than other methods?
Hardware token use cryptographic encryption and are less likely to be hacked just because of that. For a successful attack, they have to be physically stolen and the password would have to be cracked. Hardware token don‘t communicate with a server, such as SMS. Thus, data can‘t be intercepted through a man-in-the-middle attack.
In December of 2019 it became known that two Python program libraries contained malware that intercepted SSH and GPG keys. SSH and GPG are encryption methods, whose success is based on the integrity of the public and private keys that are being used. If, however, both keys are known through such a theft, attackers have an easy job. Hardware token also use public and private keys, but the private keys are saved on the device and are encrypted and can thus not be compromised, as described above.
Another method that you can implement today is to use a password manager. Make sure to use one that is open source and doesn‘t communicate with a server. If your passwords are saved on a different computer accross the globe, it‘s not as safe as if they‘re saved locally on your machine. Here, you can also utilize 2FA in setting up one time passwords as an additional factor to your normal password. All your passwords are stored and secured with master keyword that only you should know.