Why you need Two-factor authentication

Two-factor authentication (2FA) is one of the best ways to protect your network against credential theft and reuse. Even though more and more software and online services [1] now support 2FA, companies are unfortunately still reluctant to deploy this additional security layer. Let me explain why it should be every user's best friend in 2016, and how it works.

How 2FA works

Two-factor authentication requires two different methods of verification to log in to your account, not just your password. The most common example is your usual password combined with your mobile phone. Each time you log in, you enter your password and a unique code that you find on your phone (in a dedicated application or received by SMS). If your password is somehow compromised, the account remains inaccessible without the code from your phone. Without that physical device, a remote attacker cannot pretend to be you in order to gain unauthorized access. A single secret password is not strong enough to protect a user account: it can leak through software vulnerabilities, a bad password policy or a weak password recovery feature.


2FA available solutions

Today the most common solutions are hardware tokens (like the YubiKey), one-time passwords sent by SMS, biometrics such as a fingerprint scan, and dedicated mobile applications (like Google Authenticator). Depending on the chosen solution, the login flow can be more or less annoying for users.

With a hardware token, you usually just press a button on a small USB device; the token generates a new code and types it into the login prompt for you. If your security solution relies on a mobile phone (application or SMS), users have to unlock the phone, open the application or message, then re-type the code by hand. To reduce the time spent re-authenticating for the same identity, 2FA should be used in conjunction with single sign-on (SSO).

Industry standards

There are several designs and algorithms possible for two-factor authentication. The most common are HOTP, TOTP and U2F. As an end user or administrator you will probably never have to deal with such details, but it is important to know that these are open industry standards designed by nonprofit or public organisations rather than proprietary schemes. HOTP (HMAC-based One-Time Password algorithm), for example, was published by the IETF as RFC 4226 in December 2005; TOTP (Time-based One-Time Password) followed as RFC 6238, and U2F is specified by the FIDO Alliance. By documenting the full algorithm, HOTP became an open standard that is now massively used and interoperable across vendors.

Two-factor Authentication and Two-step Verification

Major companies that provide online services (e.g. Google, Amazon, Apple, Twitter, Twitch, Evernote or Facebook) refer to their versions of advanced login security as two-step verification, while many other websites call it two-factor authentication. This is confusing. Even if this advanced security feature is more than welcome, it is not always as strong as a full 2FA implementation: a second step is not necessarily a second factor, and the second step is often skipped once a device has been remembered as trusted. With Google or Apple, for example, the second step is typically only requested when a user suddenly connects from a new device rather than from one of those used previously. If you go further into Google's security options you will find how to configure your account to use U2F with a YubiKey, for example, which is a true two-factor authentication method.

How can I help?

When working as a freelance IT consultant, my goal is to help you make the best choice matching your expectations (from a security level and cost point of view). As you have read in this article, there are several 2FA technologies and devices, each with a specific impact on all users and administrators of a network. Each solution has its own advantages and disadvantages in different scenarios. A balanced choice between security and usability will lead 2FA projects to success. Most of the time, I will also spend time writing full documentation and organizing workshops with users to take over the new setup.


[1] List of websites that support 2FA: https://twofactorauth.org/


I have been working as an IT engineer (mostly in the web hosting industry) for more than 15 years, with a specific interest in Linux internals, TCP/IP networks and software security. I have lived in Montreal (Canada) since 2013.
