Why is Two-Factor Authentication Used? What Is It?
Users supply two distinct authentication factors as part of a security procedure known as two-factor authentication (2FA), also known as two-step verification or dual-factor authentication.
A user’s credentials and the resources they can access are both better protected with the implementation of 2FA. When compared to authentication techniques that rely on single-factor authentication (SFA), where the user supplies only one element, usually a password or passcode, two-factor authentication offers a better level of security. In order to employ two-factor authentication, a user must supply a password as the first factor and another, distinct element, typically a security token or a biometric factor like a fingerprint or facial scan.
By making it more difficult for attackers to access a person’s devices or online accounts, two-factor authentication adds an extra layer of security to the authentication process. This is because, even if the victim’s password is compromised, a password alone will not be enough to pass the authentication check.
The use of two-factor authentication to restrict access to confidential systems and data is not new. Online service providers are increasingly utilising 2FA to prevent hackers from utilising user credentials after they have stolen a password database or obtained them through phishing scams.
What are authentication factors?
A person can be verified in a variety of ways utilising multiple authentication techniques. The majority of authentication techniques currently in use rely on knowledge factors, such a conventional password, while two-factor authentication techniques also include either a possession element or an inheritance factor.
Following is a list of authentication factors in roughly chronological sequence of computing adoption:
- A knowledge factor is anything the user is aware of, such as a shared secret, a password, or a personal identification number (PIN).
- When approving authentication requests, a possession factor is something the user possesses, such as an ID card, a security token, a mobile, a mobile device, or a smartphone app.
- The user’s physical self possesses a biometric element, also referred to as an inherence factor. These could be physical traits matched to personal traits, such fingerprints verified by a fingerprint reader. Behavioural biometrics, such as keystroke dynamics, gait, or speech patterns, as well as facial and voice recognition are additional inherence elements that are frequently exploited.
- The location from which an authentication attempt is being made typically indicates a location factor. This can be enforced by restricting authentication attempts to particular devices in a specific location or by tracing the geographic origin of an authentication attempt using the source Internet Protocol address or other geolocation data, such as Global Positioning System (GPS) data, derived from the user’s mobile phone or other device.
- A time factor limits access to the system outside of that timeframe and limits user authentication to a certain time window during which logging on is allowed.
Although systems requiring additional security may use them to implement multifactor authentication (MFA), which can rely on two or more independent credentials for more secure authentication, the vast majority of two-factor authentication techniques still rely on the first three authentication factors.
What is the process of two-factor authentication?
Depending on the application or vendor, different two-factor authentication options may be available. However, the general, multi-step procedure for two-factor authentication is the same:
- The programme or the website asks the user to log in.
- User enters what they are aware of, often their username and password. The server for the website then discovers a match and recognises the user.
- The website generates a special security key for the user for procedures where passwords are not necessary. The key is processed by the authentication mechanism, and it is verified by the website’s server.
- The user is then prompted to start the second login stage by the website. The user must demonstrate that they own something only they would possess, such as biometrics, a security token, an ID card, a smartphone, or another mobile device, however this step can take a variety of forms. This is the possession or inherited factor.
- A one-time code generated in step four could then need to be entered by the user.
- The user is authenticated and given access to the application or website after supplying both factors.
Two-factor authentication components
MFA in the form of two-factor authentication is used. It is technically in use whenever access to a system or service involves using two authentication factors. But utilising two factors from the same group does not qualify as two-factor authentication. For instance, requiring both a password and a shared secret is still regarded as SFA because both factors fall under the category of knowledge authentication.
Usernames and passwords are not the most secure method of authentication for SFA services. Password-based authentication has the drawback that it takes skill and care to generate and remember secure passwords. Passwords need to be protected from a variety of insider risks, including sloppy storage of sticky notes containing login information, outdated hard drives, and social engineering ploys. Passwords are also vulnerable to external threats, such as hacker assaults that use dictionary, brute-force, or rainbow table techniques.
An attacker can typically get past password-based security measures and take business data if they have enough time and resources. Due to their low cost, simplicity of usage, and familiarity, passwords continue to be the most popular SFA method.
Depending on how they are used, multiple challenge-response questions might add extra security, and separate biometric verification techniques can also make SFA more safe.
Types of two-factor authentication products
Tokens, RFID cards, smartphone apps, and other devices and services are all available to enable two-factor authentication (2FA).
Two categories of two-factor authentication products exist:
- Tokens that users are given and use to log in
- infrastructure or software that can identify and verify access for users who are correctly using their tokens.
Key fobs and smart cards are examples of physical authentication tokens. Software authentication tokens include desktop and mobile programmes that generate PIN codes for authentication. These one-time passwords (OTPs), also known as authentication codes, are often produced by a server and can be verified as genuine by an authentication tool or app. The authentication code is a brief string that is associated with a specific device, user, or account and can only be used once during the authentication procedure.
In order to accept, process, and provide or restrict access to users who authenticate with their tokens, organisations must implement a system. This can be offered as a service by a third-party provider or implemented as server software or a dedicated hardware server.
Making sure the verified user has access to all the resources they are authorised for and only those resources is a crucial component of 2FA. Linking the authentication system with an organization’s authentication data is thus one of the main purposes of 2FA. Through Windows Hello, which works with Microsoft accounts and can authenticate users through Microsoft Active Directory, Azure AD, or Fast IDentity Online (FIDO), Microsoft offers some of the infrastructure required for businesses to implement 2FA in Windows 10.
How hardware 2FA tokens operate
There are hardware tokens for 2FA that support a variety of authentication methods. The YubiKey, a compact USB device that supports OTPs, public key encryption and authentication, and the Universal 2nd Factor protocol created by the FIDO Alliance, is one well-known hardware token. The Palo Alto, California-based company Yubico Inc. sells YubiKey tokens.
Users that have a YubiKey insert it into their device’s USB port, enter their password, click in the YubiKey box, and touch the YubiKey button to log in to an online service that accepts OTPs, such as Gmail, GitHub, or WordPress. An OTP is generated by the YubiKey and entered into the field.
The one-time password (OTP) is 44 characters long, with the first 12 characters serving as a special ID for the security key associated with the account. The remaining 32 characters are information that is encrypted using a key created during the initial account registration process and known only to the device and Yubico’s servers.
The online service sends the OTP to Yubico for authentication verification. The Yubico authentication server replies with a message confirming that this is the correct token for this user after the OTP has been verified. 2FA is finished. The user has supplied two authentication factors: the YubiKey is the possession element, and the password is the knowledge factor.
Authentication using two factors on mobile devices
Smartphones come with a range of 2FA features, allowing businesses to choose the one that best suits their needs. Some gadgets have the ability to read fingerprints, scan irises or recognise faces using the built-in camera, and recognise voices using the microphone. GPS-enabled smartphones can confirm location as an extra factor. A route for out-of-band authentication may also be voice or Short Message Service (SMS).
Verification codes can be obtained by automated phone call or text message from a reliable phone number. To sign up for mobile 2FA, a user must verify at least one trusted phone number.
Apps that support 2FA are available for Apple iOS, Google Android, and Windows 10, allowing the phone itself to be used as the physical device to satisfy the possession requirement. A technology from Ann Arbour, Michigan-based Duo Security, which Cisco acquired in 2018 for $2.35 billion, allows users to use trusted devices for two-factor authentication. Prior to confirming that a mobile device can also be trusted as an authentication factor, Duo’s software first proves that a user is trustworthy.
Using authenticator applications eliminates the need to text, call, or email for a verification code. Users must provide their login and password — a knowledge factor — in order to access a website or web-based service that supports Google Authenticator, for instance. The next step asks users to enter a six-digit number. An authenticator creates the number for them rather than making them wait a few seconds to receive an SMS message. These figures are unique for each login and are updated every 30 seconds. Users complete the verification procedure and demonstrate ownership of the right device — an ownership factor — by entering the right number.
Information on the minimal system requirements necessary to implement 2FA is provided by these and other 2FA products.
2FA push notifications
Passwordless authentication via push notifications alerts the user that an authentication attempt is being made by delivering a notification directly to a secure app on the user’s smartphone. The user can often allow or refuse access with a single swipe after viewing the specifics of the authentication attempt. The server gets the authentication request and logs the user into the web app if the user grants it.
By validating that the user is in possession of the device registered with the authentication system, which is typically a mobile device, push notifications authenticate the user. Push notifications are compromised if an attacker takes control of the device. Threats including man-in-the-middle assaults, unauthorised access, and social engineering attempts are eliminated through push notifications.
There are still security dangers even though push notifications are more safe than other types of authentication techniques. Because they are accustomed to hitting approve when they receive push notifications, consumers can unintentionally authorise a false authentication request.
How secure is two-factor authentication?
The security is increased with two-factor authentication, although 2FA systems are only as secure as their weakest element. Hardware tokens, for instance, are subject to the issuer’s or manufacturer’s security. In 2011, security firm RSA Security disclosed that its SecurID authentication tokens had been compromised, making it one of the most well-known instances of a two-factor system that had been compromised.
Because it frequently changes a user’s current password and provides a temporary password to enable a user to log in again while evading two-factor authentication, the account recovery process itself can be compromised. This method was used to hack the chief executive of Cloudflare’s business Gmail accounts.
Although SMS-based 2FA is affordable, simple to set up, and regarded as user-friendly, it is open to a variety of assaults. In its Special Publication 800-63-3: Digital Identity Guidelines, the National Institute of Standards and Technology (NIST) discourages the use of SMS in 2FA services. Due to mobile phone number portability attacks, assaults on the mobile phone network, and malware that can be used to intercept or reroute text messages, NIST came to the conclusion that OTPs provided by SMS are too insecure.
Prospects for authentication
Three-factor authentication, which often requires possession of a physical token and a password used in conjunction with biometric data, such as fingerprint scans or voiceprints, may be of use in environments that demand stronger security. In order to decide whether a user should be authorised or prohibited, variables including geolocation, device type, and time of day are also taken into consideration. A user’s keystroke length, typing speed, and mouse movements can also be covertly observed in real time as behavioural biometric identifiers to offer ongoing authentication rather than a single one-off authentication check during login.
Even though it’s ubiquitous, using passwords as the primary authentication mechanism no longer always provides the security or user experience that businesses and their customers want. Additionally, even if legacy security products like password managers and multi-factor authentication (MFA) make an effort to address the issues with usernames and passwords, they rely on a system that is fundamentally out-of-date: the password database.
As a result, a lot of businesses are using passwordless authentication. Users can safely authenticate themselves in their applications without having to enter passwords by using techniques like biometrics and secure protocols. Employees may now access their work without having to enter a password at work, and IT still has complete control over each login. As an alternative to conventional authentication techniques, the use of blockchain is also gaining popularity, for instance through decentralised identification or self-sovereign identity.