It’s always the way. I was meaning to write this post a couple of months ago, but as you do, you get busy. But in that time, there has been a lot of talk about two-factor authentication.
This talk has come about because of new threats arriving on a daily basis. More sophisticated than ever before.
As the name states, two-factor authentication, or 2FA for short, relies on another method of authentication rather than just the standard username and password. The second factor can be an SMS text message, a 2FA authenticator on your phone, a phone call or any number of other methods. Some of these methods are better than others.
The way 2FA works is when you log in/authenticate to your application or website, a second authentication method is sent via your preferred method. Once you approve the second authentication method, you will gain access to the application/website.
2FA has been around for a long time. Previously, the 2FA methods were quite cumbersome. Does anyone remember the hardware tokens that ANZ/BNZ use to give out? When you logged into internet banking, you’d use a token generator in order to log in. This was a very slow method (and not really used anymore). Hardware tokens are one of the stronger methods though.
You may be thinking ‘great! If I use 2FA, I won’t be compromised!’. While 2FA significantly increases your security for the application/website you are logging into, it can be compromised.
If you use the SMS or telephone method of authentication, hackers have been known to ring mobile providers and social engineer (pretending to be you) the call-in order to change your number onto their SIM card. This allows the attack to take over your number and complete the 2FA process themselves.
The other problem is that most 2FA authenticators are installed on a mobile phone. If you lose your mobile phone and your 2FA keys are not backed up somewhere, you will lose access to the applications and websites that are protected by 2FA. The process to remove 2FA on your accounts so you can gain access can be very troublesome – but there are ways to get around this listed below.
At Layer3, we’ve been using 2FA with our clients for some time. We use it when logging into your computer at work, and when using services such as Microsoft Office 365. Using 2FA on computers at work has stopped remote attackers a number of times. Using 2FA with Microsoft Office 365 makes it significantly harder for attackers to gain access to your email, especially when the option ‘always stay signed in’ is enabled.
If you’d like to start using 2FA outside of the workplace, and I highly suggest you do, there are some great applications in order to do this:
Authy: I recently moved to this application on my phone as it allows a backup of your 2FA keys to be backed up in their cloud service. Their cloud service protects your keys via strong encryption and a master key. You need the same phone number associated with your phone in order to restore your keys. Most 2FA websites and applications support Authy.
Google Authenticator: This has been the stock standard 2FA authenticator for some time. Google Authenticator works very well, but it lacks a backup feature.
Microsoft Authenticator: Same as the Google Authenticator, Microsoft Authenticator works with most Microsoft websites and Microsoft based accounts. Backup of keys is not currently available, but it is coming within the next month or two.
I highly recommend 2FA. It is not the end all solution, but it does provide significant protection over a standard username and password.