Two-factor authentication (2FA) is a method for strengthening the security of people using online services. It establishes whether an individual may access a computer system or an online resource by requiring two pieces of evidence of different types.
It is a way of convincing a system or resource that you are who you say you are. The system then determines whether you have the right to access the data or information you are requesting.
The most common authentication pair in use today is the username and password. 2FA requires that you provide that password plus another form of authentication that proves your identity.
Passwords have become less secure, and weak password policies have contributed to major data breaches and data privacy violations. This is why 2FA is increasingly becoming the expected standard.
How Two-factor Authentication (2FA) Actually Works
The 2FA process relies heavily on the user, and most of its input comes from the user. Here is how a 2FA login works:
- The user logs in to a website through a browser or to an application.
- The user is prompted to enter two things, commonly a username and a password. The user is matched with the account that corresponds to the credentials provided.
- Some applications or websites do not require passwords. In that case, the website issues the user a unique key; the authentication tool scans the key and validates whether the user is allowed in.
- This step is the onset of the second login stage. Many different methods can be used here, but all require the user to have something and to prove it is unique to them. Such items include an ID card or a security token sent to the user's phone. This stage is referred to as the possession factor.
- The user enters the security code generated on or sent to their mobile device so that they can be fully verified.
- Once both authentication factors have been accepted, the user is fully authenticated and given access to the resource, whether it is a website or an application.
Two-factor authentication combines two of the following three categories of factor:
- Something you know: this includes answers to your secret questions, a password, or a keystroke pattern.
- Something you have: this may include a small hardware token, a smartphone, or a credit card. This is something you possess.
- Something you are: this category is still being developed and may be advanced for some companies. Examples are physical characteristics such as an iris scan, a fingerprint, or your voiceprint, something that is part of you and unique to you.
Why 2FA Should be Enabled
2FA is a building block of the zero-trust security model. You need to protect your customers' data and privacy by verifying every user who tries to access your resources.
With 2FA, you protect your company from avoidable security threats targeting user accounts and passwords. Using two different modes of authentication keeps attackers away.
If a cyber-criminal taps into a user's login communication with a server, they can steal the password; if the second factor travelled over the same channel, they could capture that too. This is why the two processes have to be kept separate.
When the credentials for the second step are sent to the user's physical device, attackers are discouraged, since they do not have physical access to the user's devices.
Attackers cannot easily impersonate users to complete the second step of multi-factor authentication. Two-step verification protects your business better than passwords alone, and a cybersecurity breach can damage a small business badly enough, in the worst cases, to put it out of the market.
Users' data privacy is crucial, and your business may even be sued if you fail to protect it. Password security and account security are crucial for all online accounts.
To avoid the trouble that comes with cyber breaches, it is advised that you stop relying on passwords alone and set up two-factor authentication. 2FA will also reduce IT costs in your business, since you will no longer have numerous help-desk calls for password problems.
Types of Threats Addressed by Two Factor Authentication
Passwords alone are not enough to protect individuals from cyber-criminals. You should enable 2FA to curb most cyber breaches experienced today. This method will add an extra layer of security to your business and ensure you serve your users conveniently.
Some of the common threats two-factor authentication addresses include:
1. Brute Force Attacks
This is a common attack technique in which an attacker tries many candidate passwords against a target system, continuing until one matches.
With two-factor authentication, this would not succeed: even a correct guess only completes the first part of the authentication attempt. The extra layer requires that the login attempt be validated by the second factor before full access is granted.
2. Key Logging
Many users have the poor habit of writing down their passwords where anyone can read them.
Worse still, an attacker can use a special kind of malware, a keylogger, that records every keystroke as the user types, so that the captured password can be matched to its account and used later.
In the second stage of 2FA, the user must confirm that the login attempt is theirs, even when the attempt is actually coming from someone else. With this authentication method, a user can conveniently dismiss login attempts made by unauthorised parties.
3. Phishing attacks
Phishing is a common form of cybersecurity breach attempt.
It is carried out through malicious links, commonly sent to users' email, that trick them into clicking a link that prompts them to enter their passwords or redirects them to a malicious website.
The link can also deliver malware that infects the user's computer when downloaded. With 2FA, logins using stolen credentials are stopped at the second validation layer even after the first layer has accepted the password.
4. Stolen Passwords and Login Credentials
Many users in companies and small businesses handle passwords poorly, for example by sharing login credentials or writing them down.
Such passwords are easily stolen. With 2FA, a user is validated through a second device after they enter a password, and a device like a mobile phone is unique to that user.
Common Forms of 2FA
Different 2FA methods can be employed for different sites. If a site requires two-factor authentication before granting full access, you are in safer hands than on a password-only site.
Some 2FA methods are more complex than others, but all of them offer users better protection than a password alone. Here are the common ways you can use two-factor authentication for your sites:
1. Push Notifications for Two factor Authentication
This method of authentication is simple and convenient for most users, as it only requires a single touch to verify that the user is the one seeking authentication.
A push notification is sent to the user's device asking them to approve or deny the access request.
No security codes are required; the user only has to tap approve or deny. With this form of authentication there is little opportunity for a man-in-the-middle attack, and unauthorised access is avoided because every request requires the legitimate user's confirmation.
As expected, this method only works with internet-enabled devices, and in some cases only those that can install applications. If the user's mobile device has weak or fluctuating internet, the notifications may not reach them.
In such cases, SMS-based 2FA is used instead. Push notifications are nevertheless preferred where available, since they are more secure and more user-friendly.
2. Hardware Token
This is probably the oldest type of 2FA. A hardware token produces a new numeric code every 30 seconds, and the user who wants to access a site or application reads the current code from the token.
A variant of this method is a USB device that the user plugs into the computer they are signing in from; the token is read automatically when plugged in. Otherwise, the user types the code displayed on the device when accessing a resource.
This authentication factor may, however, be costly for some businesses, since distributing hardware token units is expensive. They are also not entirely safe from attackers, because their small size makes them easy to misplace or lose.
3. Software Tokens for 2FA
A software token, commonly referred to as a soft token or TOTP (time-based one-time password), is a one-time passcode generated by software. It is time-based and is generally preferred over voice or SMS 2FA.
This method works with authenticator apps on the user's desktop or smartphone. During sign-in, the user enters their username and password, then a code appears in the 2FA app, which the user enters on the site they are trying to access.
This method only works with sites that support authenticator apps. For security, each software token is valid for less than one minute.
Soft tokens are displayed on the same device the user is signing in from, so there is no transmission step for an attacker to intercept. This form of authentication is available for many devices, including wearables, and even works offline, which makes user authentication easy and efficient.
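The 30-second codes described above for hardware tokens and soft tokens are produced by the TOTP algorithm (RFC 6238, built on HOTP from RFC 4226), and the QR code an authenticator app scans during enrolment simply encodes the shared secret and these parameters. The following is an added example written for this page, not code from the article or from any authenticator vendor. It assumes HMAC-SHA1, 6 digits and a 30-second step (the usual defaults), uses the RFC 6238 test secret as a constructed sample, and the account and issuer names are hypothetical. The server-side check also shows two details the text does not: allowing one step of clock drift, and refusing to accept a code for a time window that has already been used, so a code captured by a keylogger or phishing page cannot be replayed once the user has used it.

```python
"""Added example: an RFC 6238 TOTP generator, verifier and enrolment URI (not the article's code).

Assumptions (mine, not the article's): HMAC-SHA1, 6-digit codes and a 30-second step,
which are the defaults most authenticator apps use.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# Constructed sample secret: the ASCII test secret from RFC 6238, Appendix B.
# A real deployment generates a random secret per account and stores it encrypted.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC the 8-byte big-endian counter, dynamically truncate, reduce mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)  # keep leading zeros


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the HOTP counter is the number of `step`-second windows since the Unix epoch."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret, submitted, at_time, last_counter, step=30, digits=6, skew=1):
    """Server-side check of a submitted code.

    Accepts the current window plus `skew` windows either side (clock drift), compares in
    constant time, and refuses any window at or before `last_counter` so a code that has
    already been accepted cannot be replayed. Returns (ok, new_last_counter)."""
    current = at_time // step
    for counter in range(current - skew, current + skew + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return True, counter
    return False, last_counter


def provisioning_uri(secret: bytes, account: str, issuer: str, digits=6, step=30) -> str:
    """The otpauth:// URI that an enrolment QR code encodes for an authenticator app."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={step}")


if __name__ == "__main__":
    now = int(time.time())
    # Hypothetical account and issuer names, chosen for the example.
    print("enrol with:", provisioning_uri(DEMO_SECRET, "alice@example.com", "ExampleCorp"))
    code = totp(DEMO_SECRET, now)
    print("current code:", code, "valid for", 30 - now % 30, "more seconds")
    ok, last = verify_totp(DEMO_SECRET, code, now, last_counter=-1)
    print("first use accepted:", ok)
    ok, _ = verify_totp(DEMO_SECRET, code, now, last_counter=last)
    print("replay of the same code accepted:", ok)
```

The verifier stores only the last accepted counter per account; that single integer is what turns a code that is "valid for 30 seconds" into a code that is valid once.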
4. Voice-Based and SMS Text Messaging 2FA
After users enter their username and password on a site, they receive a unique one-time passcode (OTP) by text message on their phone. The user then enters the 2FA code on the site to obtain access. For voice-based 2FA, the user receives the code through an automated phone call.
Although this is not the preferred method, it is widely used in areas with poor internet connection and where smartphones may be expensive. It is also commonly used where the online activity being protected is low risk.
However, for sites that handle confidential information such as credit card details, this level of two-factor authentication is highly discouraged. SMS is an insecure way of authenticating, and small businesses are discouraged from using it.
Other forms of 2FA companies may use include biometric 2FA such as facial recognition.
Some methods still being explored include voiceprints, ambient noise, and typing patterns. More recent innovations include retina patterns and fingerprints.
Each new method brings its own challenges, and attackers will look for ways to exploit unpatched vulnerabilities in these methods too.
Enabling 2FA Authentication
Each user relies on different sites or online accounts for different activities, whether online shopping, social interaction, or cloud services. Each of these sites may enable 2FA slightly differently, but most share similar steps. Most will require a phone number or an email address to which the authentication code is sent. When you access a resource through a website or an application, you must verify that you are a legitimate user and that the attempt is coming from you, either by entering a code or by clicking a link provided by your authenticator app.
Common authenticator apps you may have come across are Google Authenticator and Authy.
When you add a new account, these apps follow a similar enrolment procedure: usually you scan a QR code or type in a setup key, after which the app generates the security codes you enter on the site.
Every user and small business should note, however, that turning on two-factor authentication does not make them fully secure from attackers. It is nevertheless a crucial step and far more secure than passwords alone.
If you want to enable two-factor authentication, here is the process common to most websites:
- Go to the site’s homepage and enter your username and password to log in.
- Go to your account, click on security or settings and privacy, and choose edit.
- Under security and login, select "use two-factor authentication".
- You will have the option of choosing a security key, an authenticator app, or a text message option.
- After you have selected your preferred option, you might be prompted to enter your password to save your changes.
Small businesses can rely on several different authentication factors to deliver the verification code needed to access a site. The methods differ, but all are aimed at issuing a verification code or security key, which can be delivered by phone call, authenticator application, or SMS.
2FA will improve cybersecurity in your business. Reused, weak, and stolen passwords are a leading cause of cybersecurity breaches. Make sure the users in your business are fully aware of the advantages of 2FA, and offer training on password security and online safety.
You can also rely on companies like Kaesim Cybersecurity for guidance on proper password and information security practices. Everybody should use 2FA.
How cyber-secure is your business? Find out with our free cybersecurity health check.
It's a 30-minute Zoom call that walks through a checklist to assess your current cybersecurity level and provides a short report with advice and recommendations.