Two-factor authentication is getting something of a revival in recent months. Sites like Amazon and Twitch, as well as apps like EasyTaxi and Truecaller, are using (and have been using) two-factor authentication to verify user phone numbers and ensure that user registrations are valid and reachable.
Why? Because as mobile takes over desktop, people stick with their phone numbers for a long period of time, making for a great opportunity to ensure they are genuine users.
What is Two Factor Authentication?
Single-factor authentication is the method most of us know when logging into a web application. Usually, we enter a username and password to access our accounts. Two-factor authentication, or 2FA, is a method that requires two different ways to log in. Here’s how a 2FA login usually works:
Step 1: The user enters their ‘first factor’. This is typically a username + a password, although it could also be a social identity like Facebook or Twitter.
Step 2: If the first factor is entered correctly, the user is then requested to enter a second factor. Typically this is some sort of code, such as a mobile app based code, or a mobile text PIN code. It could also be a passphrase or even a biometric.
When the second factor is entered correctly the user is signed in to that resource.
2FA is rapidly becoming a ‘must have’ rather than a ‘nice to have’. There have been a number of high-profile cyber-attacks that succeeded purely because of the poor security of a single factor alone, which is invariably username + password. Usernames and passwords are subject to a number of established attacks, including brute force and phishing. Recent attacks that resulted from credential theft include the Office of Personnel Management (OPM) breach this year, where 22 million staff identities were stolen after the theft of usernames and passwords; the Ashley Madison hack, which resulted in around 16 million cracked passwords; and the T-Mobile breach via Experian, where 15 million customer records were exposed. According to Symantec there has been a large increase in phishing and spear phishing, which use techniques that capture single-factor credentials. This vulnerability, inherent in first-factor credentials, has led to the rise in popularity of 2FA, the use of which could well have prevented these breaches.
Security vs. Convenience
One of the drawbacks of using a second factor has been convenience. Users, especially consumers, hate to be inconvenienced, and any additional clicks or entry fields in a process are off-putting. One of the most difficult things for a software designer is to balance security and usability. Push that exercise out onto a widely used public domain, like a website or web application, and the trick of balancing these seemingly at-odds features becomes even more difficult.
A number of devices and methods have been built to handle two-factor authentication. One of the earliest forms was a ‘dongle’. This usually took the form of a physical device that generated a code, which the user then input as the second factor during sign-in. These devices are not only expensive to issue, especially en masse, but also inconvenient: they are not part of our ‘everyday kit’ in the way a phone is, and so can be easily lost, stolen or broken.
Enter stage left, the smartphone.
Smartphone = Convenience + Security
Smartphones are ubiquitous. According to statistics from the Pew Research Center, 64% of Americans have a smartphone, and the Bring Your Own Device (BYOD) revolution in the workplace means that smartphones are with us at home and at work.
The most natural way to add a 2FA method is to utilize something that people are used to using, know well and that they protect, in other words, their smartphone. Two factor methodologies on smartphones are the ideal way to bring convenience and security together. 2FA on a smartphone can work in a number of ways, for example:
SMS Text PIN Code: This is the most popular method to use as a second factor for login. It is used by a number of companies, including Twitter and Amazon, as the second-factor login credential to protect user account access. A one-time PIN code is sent to the user in a text message, which they enter into the interface as their second factor when signing in.
Call Out or PIN and Voice: This is based on a call made to the user’s registered phone during sign-in. A voice prompt during the call verifies the user and signs them in. This is a particularly good system for improving the overall accessibility of a system. It also offers excellent security, as voice prints have unique and individual characteristics in the same way that fingerprints do. Because this method is part of the user’s normal mobile phone usage, it is very convenient and encourages greater acceptance.
Flash Call: Flash Call technology lets an application call out to an Android device and have the app intercept the call to verify the user, with no interaction needed. This is not only much quicker than SMS PIN verification but also harder to fake. SMS verification is still easy to fake (unless the developer sets up a fraud-protecting backend that checks whether a number has been verified previously) by using a number from one of the free online services that let users give a fake number and receive an SMS to it. A flash call needs a physical device to ping and check.
Biometric as a Second Factor: As biometrics like fingerprint become more accepted and ubiquitous, they are also becoming more accepted as a method of second-factor authentication. The advent of fingerprint readers on iPhones has normalised this biometric, which makes it a more user-friendly method that people are used to working with. Other biometrics which are gaining ground include facial recognition and voice recognition, both of which can be used from a mobile device.
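The two-step login described above (Step 1 and Step 2) with an SMS Text PIN Code as the second factor, as an added Python example that is not part of the original article. The user store, the salt, the phone number and the send_sms stand-in are constructed for the demo; a real service would call an SMS provider and persist the pending challenge server-side.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

CODE_TTL_SECONDS = 300   # a one-time PIN stays valid for five minutes
MAX_ATTEMPTS = 3         # a pending PIN is discarded after three wrong guesses
_SALT = b"demo-salt-not-for-production"   # constructed; use a random per-user salt in practice

def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)  # salted hash, never plaintext

# Constructed demo user store and in-memory state; a real service persists these server-side.
USERS = {"alice": {"pw": _hash_password("correct horse"), "phone": "+15555550100"}}
PENDING = {}      # username -> pending second-factor challenge (PIN hash, expiry, attempts)
SMS_OUTBOX = []   # (phone, text) pairs; stands in for the SMS gateway so the demo runs offline

def send_sms(phone: str, text: str) -> None:
    """Constructed stand-in for an SMS provider call: records the message instead of sending it."""
    SMS_OUTBOX.append((phone, text))

def first_factor(username: str, password: str, now: Optional[float] = None) -> bool:
    """Step 1: check username + password. On success, issue and 'send' a one-time PIN."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["pw"], _hash_password(password)):
        return False
    pin = f"{secrets.randbelow(10**6):06d}"            # six digits from a CSPRNG
    PENDING[username] = {
        "hash": hashlib.sha256(pin.encode()).digest(),  # store only a hash of the PIN
        "expires": (time.time() if now is None else now) + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    send_sms(user["phone"], f"Your login code is {pin}")
    return True

def second_factor(username: str, pin: str, now: Optional[float] = None) -> bool:
    """Step 2: check the PIN: single-use, time-limited, attempt-limited, constant-time compare."""
    challenge = PENDING.get(username)
    if challenge is None:
        return False
    now = time.time() if now is None else now
    if now > challenge["expires"] or challenge["attempts"] >= MAX_ATTEMPTS:
        PENDING.pop(username, None)                     # expired or locked out: redo Step 1
        return False
    challenge["attempts"] += 1
    if hmac.compare_digest(challenge["hash"], hashlib.sha256(pin.encode()).digest()):
        PENDING.pop(username)                           # consume the PIN so it cannot be replayed
        return True
    return False
```

A stolen password alone gets an attacker only as far as Step 1 here: the PIN goes to the registered phone, expires, and is thrown away after a few wrong guesses.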
Two Factor Authentication – Is it Worth It?
2FA has been in the news recently because of a number of incidents associated with companies not having it in place. We mentioned phishing earlier, and this technique, used for stealing first-factor user credentials like passwords, is the usual culprit behind the news articles. For example, Twitter, before it implemented the option to add SMS-code-based 2FA to an account, saw a number of high-profile user accounts breached, including the Associated Press’s Twitter account (protected only by a first factor at that time), which the Syrian Electronic Army hacked into and used to send out tweets saying the White House had been bombed. Another example of a breach due to stolen passwords was the massive Target breach, which saw the loss of 70 million customer records. Both breaches (and many other similar ones) were caused by passwords stolen via a phishing email. The email asked the user to click on a link which took them to a spoof site. The website, looking just like a legitimate and trusted site or network resource, asked the user to enter their username and password. Once entered, the cybercriminal behind the site had the credentials to log into the real site or network resource.
If any of these companies had used a second factor, like an SMS PIN code, the breach would not have happened. The cybercriminal had the user’s first factor, but they didn’t have the user’s smartphone, so having the password alone would have been worthless.
Security and Convenience in a Smart Phone
2FA is a good way to add extra security to your services and network resources. It takes the sting out of phishing emails and makes malware built to steal passwords defunct. But adding security needs to be done with convenience in mind. Security does not need to impact usability; the two can work together. Using a smartphone as the basis for that second factor will mean that security becomes a natural and expected way of signing in. It gives you the means to make security work and remove the pain barrier we all need to cross to help reduce the level of cyber threats.