Most of us have a good general idea of what 2FA is all about: it means you need to prove yourself in two different ways before you can log in or use a service.
When you withdraw money from an ATM, for example, just inserting your card isn’t enough. You need to enter a PIN (personal identification number) as well.
But there are numerous other sorts of 2FA, and many of them don’t rely only on a static secret PIN like your bank card. They have a one-time code that changes every time you want to log in.
Theoretically, that makes it much harder for a crook to get enough information to take over your account, because any login codes he steals today are useless tomorrow.
Problem is, these 2FA systems all work a bit differently, and they all have different strengths and weaknesses.
This article helps you understand these differences.
One-time passwords via SMS
This is where you are prompted to enter an additional numeric code after authenticating with your username and password.
The code is sent to your mobile device as a text message (SMS).
Once the code is received you enter it in the field provided and the login proceeds.
It’s important to point out, specifically for this type of two-factor authentication, that SMS codes do not always work for everyone.
The server might not have your country on its list of supported regions; your mobile provider might not be able to deliver the messages; or you might have unreliable mobile coverage.
For obvious reasons this won’t work with landlines either, but there is a slightly different version that will call you and read out the code.
SMS 2FA: Pros.
+ The code is different every time, so if your regular password is breached or stolen, it’s not enough for a crook.
+ The code is tied to your phone number, which can’t be changed by malware on your computer.
SMS 2FA: Cons.
– If your mobile network is down or you are out of the coverage area, you can’t receive the code.
– Crooks may be able to port your phone number (also known as a SIM swap) through an accomplice in a mobile phone shop, and receive your calls and messages until you notice your own phone is dead.
– If you are logging in and receiving the SMS on the same device (e.g. a tablet or smartphone), your login codes are as much at risk as your password.
Authenticator apps perform the same type of service as SMS 2FA but instead of the login codes being sent to you, they are generated locally on your smartphone or tablet.
This type of authentication relies on cryptographic algorithms for time-based one-time passwords (TOTP).
The basic functionality is that a secret starting key, or seed, is generated and stored by the server, and then scrambled up cryptographically with the current time and date whenever you log in. This produces a time-specific code, usually valid for 30 or 60 seconds.
When you set up your account, this seed is sent to you (for example using a QR code) and imported into the authenticator app you are using.
As long as the date and time on your device is accurate to within 30 or 60 seconds, and the seed was imported correctly, the app will generate login codes that match the ones calculated on the server.
Even if crooks record your last 10, 50 or 10,000 passwords, there’s no way to reconstruct the sequence and work out what comes next unless they get hold of the seed.
There are many implementations of this type of service but Google Authenticator is probably one of the best known versions.
Microsoft has also released a version that works with Windows Phone.
Authenticator app: Pros.
+ Doesn’t rely on an SMS every time you log in – you only need to be online when you set up an account so you can receive the seed.
+ One authenticator app can work for multiple accounts.
Authenticator app: Cons.
– If a crook gets hold of the seed (either from your device or by hacking into the server), he can calculate any future login codes.
– If you are logging in and running the authenticator app on the same device, your authenticator codes are as much at risk as your password.
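To make the seed-plus-time construction concrete, here is an added example (not code from the article or from any authenticator vendor) of the TOTP algorithm from RFC 6238 in Go, built on the HOTP algorithm from RFC 4226. The 30-second step, six digits and HMAC-SHA1 are the defaults Google Authenticator uses; the one-step tolerance window in Verify is an assumption about how a server copes with a slightly wrong clock. The code also shows why the seed is the crown jewel: anyone holding it, server or crook, computes exactly the same codes.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"time"
)

const (
	Digits   = 6  // length of the displayed code
	StepSecs = 30 // how long one code stays valid
	Skew     = 1  // steps of clock drift the server tolerates either side (assumption)
)

// hotp implements RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
// "dynamic truncation" to 31 bits, then reduction modulo 10^Digits.
func hotp(seed []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, seed)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < Digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", Digits, code%mod)
}

// TOTP (RFC 6238) is HOTP with the counter derived from the clock:
// the same seed and the same 30-second window give the same code on
// the phone and on the server.
func TOTP(seed []byte, t time.Time) string {
	return hotp(seed, uint64(t.Unix())/StepSecs)
}

// Verify is the server-side check: accept the code for the current step
// and for Skew steps either side, comparing in constant time.
func Verify(seed []byte, code string, now time.Time) bool {
	step := now.Unix() / StepSecs
	for d := int64(-Skew); d <= Skew; d++ {
		c := step + d
		if c < 0 {
			continue
		}
		if hmac.Equal([]byte(hotp(seed, uint64(c))), []byte(code)) {
			return true
		}
	}
	return false
}

// NewSeed generates a random 160-bit seed and its base32 form, which is
// what the provisioning QR code carries to the authenticator app.
func NewSeed() ([]byte, string) {
	seed := make([]byte, 20)
	if _, err := rand.Read(seed); err != nil {
		panic(err)
	}
	enc := base32.StdEncoding.WithPadding(base32.NoPadding)
	return seed, enc.EncodeToString(seed)
}

func main() {
	seed, b32 := NewSeed()
	fmt.Println("seed (base32, as carried by the QR code):", b32)
	now := time.Now()
	code := TOTP(seed, now)
	fmt.Println("code the app shows right now:", code)
	fmt.Println("server accepts it now:", Verify(seed, code, now))
	fmt.Println("server accepts it two minutes later:", Verify(seed, code, now.Add(2*time.Minute)))
}
```

The test vectors below come from RFC 4226 and RFC 6238 (seed "12345678901234567890", SHA1), so the block can be checked against the published standard rather than against itself.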
Login verification is another variation on the above themes.
Now, instead of being asked to enter a code, a login notification will be sent to your mobile device. Once this has been approved you will be signed into the site.
This process doesn’t use a secret key, or seed, that has to be shared between your device and the server.
Instead, it uses public-key cryptography to verify your identity.
A private key is generated and kept in the app on your device. The public key is sent to the server and stored there for your future logins.
At login, a challenge will be generated by the site and a notification will be sent to your device.
If approved, your device will sign the challenge, send it back to the site to be validated (because only your device should be able to sign the challenge with your private key), and login will proceed in your browser.
Twitter implemented this type of system last year.
Login verification: Pros.
+ Doesn’t rely on an SMS every time you log in.
+ One login verification app can work for multiple accounts.
Login verification: Cons.
– If a crook gets hold of your private key, he can masquerade as you.
– If you are logging in and running the verification app on the same device, your private key is as much at risk as your password.
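The challenge-response exchange described above, as an added example in Go (not the article's code and not Twitter's implementation). It assumes Ed25519 signatures and a server that keeps one pending challenge per user; the Device and Server types, and the idea that the server consumes a challenge on first use so a captured answer cannot be replayed, are assumptions for the sake of the demonstration. Note what each side stores: the private key stays on the device, the server only ever sees the public key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Device is the phone app. The private key is generated here and never
// leaves (assumption: the app keeps it in the phone's secure storage).
type Device struct {
	priv ed25519.PrivateKey
}

// Server stores one public key per user plus any outstanding challenge.
type Server struct {
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte // user -> pending one-time challenge
}

func NewServer() *Server {
	return &Server{
		pubKeys:    make(map[string]ed25519.PublicKey),
		challenges: make(map[string][]byte),
	}
}

// Enroll is account setup: the device makes a key pair and hands the
// server only the public half.
func Enroll(s *Server, user string) *Device {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	s.pubKeys[user] = pub
	return &Device{priv: priv}
}

// IssueChallenge runs at login: a fresh random value is generated and
// pushed to the device in the notification.
func (s *Server) IssueChallenge(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	s.challenges[user] = c
	return c
}

// Approve is the user tapping "yes": the device signs the challenge.
func (d *Device) Approve(challenge []byte) []byte {
	return ed25519.Sign(d.priv, challenge)
}

// Complete is the server validating the answer. The challenge must be the
// one it issued and is deleted on use, so a second submission fails even
// with a valid signature; then the signature is checked against the
// enrolled public key.
func (s *Server) Complete(user string, challenge, sig []byte) error {
	pending, ok := s.challenges[user]
	if !ok || !bytes.Equal(pending, challenge) {
		return errors.New("unknown or already used challenge")
	}
	delete(s.challenges, user)
	pub, ok := s.pubKeys[user]
	if !ok {
		return errors.New("user not enrolled")
	}
	if !ed25519.Verify(pub, challenge, sig) {
		return errors.New("signature does not match enrolled key")
	}
	return nil
}

func main() {
	srv := NewServer()
	phone := Enroll(srv, "alice")
	ch := srv.IssueChallenge("alice")
	fmt.Println("first login:", srv.Complete("alice", ch, phone.Approve(ch)))
	fmt.Println("replayed answer:", srv.Complete("alice", ch, phone.Approve(ch)))
}
```

Because the server holds no secret for the user, a breach of its database exposes public keys only; that is the difference from the TOTP design, where the server's copy of the seed is as valuable as the phone's.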
True two-factor authentication
Earlier, we talked about 2FA and 2SV.
They are nearly the same, but note that the name 2SV carefully avoids stating that there are two separate factors in the system.
A proper “two factor” system, as the name suggests, needs two distinct authentication factors, not merely two steps.
So a web-based account that boosts security with one-time SMS codes is no longer strictly “two factor” if you run your browser and receive the SMS on the same computer or mobile device.
For something to be considered a true 2FA system, it needs two components that operate independently and avoid a common point of compromise.
Smartcards require a special reader to communicate with the chip on the card, but that chip acts as a tiny standalone computer with its own CPU, secure memory and cryptographic capability.
Yubikeys have their own cryptographic CPU, but communicate over USB by pretending to be a keyboard. When you plug in a Yubikey, it effectively “types in” a one-time login code that was calculated inside the key.
Tokens also have their own independent CPU, and generally don’t connect to your computer at all. Instead, they have a tiny LCD screen that displays your current login code.
True 2FA: Pros.
+ Doesn’t rely on SMS.
+ Doesn’t need a phone or tablet.
+ Is an independent security device that is always separate from your computer, phone or tablet.
True 2FA: Cons.
– You may end up with a keyring full of tokens, one for each account.
– May not be available from the service provider for free.
To find out whether the online service you use supports two-factor authentication you can visit twofactorauth.org.
It has a comprehensive (albeit not exhaustive) list of many of the top online services that support 2FA or 2SV.
Turn it on and be more secure.