Two Factor Authentication

Background

Traditionally the way to log into websites, whether it’s your bank, Facebook, Twitter, your blog, or any place, is to provide a username and password. Passwords are sometimes called “something you know” security. Since there are so many websites requiring usernames and passwords, and password managers aren’t widely used yet, it is common to reuse passwords across different sites. That also means that if a website where you used the same username / password combination as on Facebook got hacked in the past, other people could use that information to “guess” your password and gain access to a site that hasn’t been compromised yet.

In order to make password reuse less of a concern, we can use two factor authentication.

What is it?

Two factor authentication (2fa from now on) is a method to double check that you’re really you by requiring one more check against something you have. This is usually a code generated by an authenticator application on your smartphone, or a physical device, or a text message that’s sent to your phone.

2fa will give you a one-time code that you’ll also have to provide as part of your login. That code can be generated by a card reader, a smartphone app, or a small device, depending on the organisation. Banks that have 2fa will give you a card reader or a small device, while most online services will help you set up an authenticator app.

More technical details

When you set up 2fa, you provide a special code (the seed) for your account / device, which instructs the authenticator to generate the correct codes. This usually happens by scanning a QR code, or by providing the site with a unique identifier of your physical device.

Based on that information, the authenticator will provide a different code that’s time based (called a TOTP, or Time based One Time Password). Because only you should have the authenticator set up to your account’s seed, other people can’t generate the correct code without your device.
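
How a time based code is derived from the seed, and how a site can check it, shown as an added example (not code from the original page or from any of the services named here). It follows the published TOTP standard (RFC 6238, built on RFC 4226) and assumes the common defaults of HMAC-SHA1, 30 second steps and 6 digits; the seed is the RFC's own test key, and the function names are illustrative.

```python
import hashlib
import hmac
import struct

# Constructed sample seed: the ASCII test key from RFC 6238, Appendix B.
# A real seed is random and is normally delivered base32-encoded in the QR code.
SEED = b"12345678901234567890"


def totp(seed: bytes, counter: int, digits: int = 6) -> str:
    """Code for one time step: HMAC-SHA1 over the counter, then RFC 4226 truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks a 4-byte window
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def code_at(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """What the authenticator displays at unix_time."""
    return totp(seed, unix_time // step, digits)


def verify(seed, submitted, unix_time, last_used=-1, step=30, drift=1):
    """Site-side check. Returns the matched step counter, or None.

    drift tolerates clock skew by also trying neighbouring steps.
    last_used is the counter of the last accepted code for this account;
    anything at or before it is rejected so a captured code cannot be replayed.
    """
    now = unix_time // step
    for counter in range(max(0, now - drift), now + drift + 1):
        if counter <= last_used:
            continue
        expected = totp(seed, counter)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return counter
    return None


if __name__ == "__main__":
    print(code_at(SEED, 59))                      # code shown during step 1
    print(verify(SEED, "287082", 59))             # accepted, returns the step
    print(verify(SEED, "287082", 59, 1, drift=0)) # same code again: rejected
```

The site stores the returned counter as last_used after a successful login, which is what makes each code usable only once.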

Why is it important?

With 2fa turned on, these sites will also require the person logging in to provide another code from something that you should have on your person. This means that the security of those accounts is greatly improved: an attacker will most likely not have access to the device that generates the second code, so even though they do have your password, they won’t be able to log in.

What’s happening with it?

Currently 2fa is being rolled out slowly across the UK. HMRC recently changed their 2fa offering by providing a way to set up an authenticator application along with the possibility of sending a one time code over text message, which is problematic (see later). A Which? report released on 20th October 2016 found that of the 11 high street banks, only 5 offered 2fa to their customers.

2fa is very closely related to encryption of user data while in storage and in transit. Without encryption, there’s no point in 2fa.

Examples of different ways of generating 2fa codes

Different sites will have different ways of offering 2fa. Most sites do not offer any, others will offer multiple ways depending on the product / service you use on them. They generally fall into the following categories:

  • send one time codes over text message, eg Twitter, HMRC, PayPal
  • generate a code with their own application, eg Blizzard, Microsoft, Steam, Twitter, Facebook, HSBC
  • generate a code with a generic authenticator application, such as Google Authenticator or Authy, eg Slack, Facebook, Freeagent, iwantmyname, CloudFlare, Stripe, Amazon, Github, Google
  • generate a code with a physical device, eg HSBC, Barclays
  • use a hardware authentication device, such as a Yubikey, eg Google, Github

Why is sending a one time code over text message problematic?

The main premise for 2fa is to generate a code with something you have. A text message is generated on the side of the service provider (PayPal or Twitter, for example), and then they use a service to send the code that they generated over to you via the cell network.

This network communication can fail for a number of reasons:

  • your phone is not connected to a network, because you’re abroad and don’t have signal, or simply because you’re in a place where your mobile provider doesn’t have good signal strength
  • there is a network error, so sending the code fails and the message is lost
  • the security of your mobile service operator has been defeated: other people gained access to your account and persuaded your provider to send them a new sim card for your phone number. That way messages sent to your number would arrive on the device they put the new sim card in. There have been a lot of news reports about gaining access to mobile phone accounts using social engineering.

The Web Matters position

2fa should be used where possible as it enhances the integrity and security of accounts and account access by providing an additional layer of verification and confidence that the person logging in is who they say they are.

That said, 2fa should be implemented in a standard way, which means it’s preferable to do it with an authenticator app / standard reusable hardware device rather than by sending the code over text message or using proprietary hardware devices.

Source: https://github.com/web-matters/industry-issues/tree/master/2fa