So, what is two-factor authentication? Two-factor authentication (2FA) is a method of identifying a user to a service in which two different types of authentication data are used.
The introduction of an additional level of security provides more effective protection of your account from unauthorized access. This article will help you to understand how secure two-factor authentication is.
Where This Approach Is Used
Today, a large number of companies trust two-step verification. For example, if you want to use UKessay writing service, you will also be asked to pass this procedure when you log in to your account. Tech, financial, and insurance organizations also depend on two-factor authentication to keep their clients’ information safe.
Dual authentication requires that the user has two of three types of identification data. Here are these types:
- Something he knows;
- Something he has available;
- Something inherent to him (biometrics).
Obviously, the first item includes passwords, PIN codes, secret phrases and so on, that is, something that the user remembers and enters into the system.
The second item is a token, that is, a compact device that is owned by the user. The simplest tokens do not require a physical connection to the computer: they have a display showing a number that the user types into the system to log in. More complex ones connect to computers via USB and Bluetooth interfaces.
Today smartphones can be used as tokens because they have become an integral part of our life. In this case, the so-called one-time password is either generated by a special application (for example, Google Authenticator) or arrives via SMS. SMS is the simplest and most user-friendly method, though some experts consider it less reliable.
Examples of Two-Factor and Multifactor Authentication
The authentication method using SMS is based on the use of a one-time password. The advantage of this approach, in comparison with a permanent password, is that this password cannot be reused. Even if we assume that an attacker could intercept data in the process of information exchange, he cannot effectively use the stolen password to gain access to the system. However, this factor is not completely safe.
Another example uses biometric devices and authentication methods: a fingerprint scanner, which is available in a number of notebook models.
When logging in, the user must undergo a finger scanning procedure, and then confirm the access right with a password. Successfully completed authentication will give him the right to use the local data of a specific PC.
Similarly, other biometric authenticators can be used:
- the geometry of the hand;
- outlines and sizes of the face;
- voice characteristics;
- the pattern of the iris and retina of the eyes;
- the vein pattern of the fingers.
Of course, this requires the appropriate equipment and software, and the cost of acquiring and supporting them varies.
The Issue of Safety You Should Know About (The Case of Biometric Data)
However, it is worthwhile to understand that two-factor authentication also has some problems. Biometric authenticators are not absolutely accurate data. Prints of the same finger can differ under the influence of the external environment, the physiological state of the human body, etc. An incomplete match between the print and the stored reference is sufficient for this authenticator to be confirmed.
Methods of biometric authentication define the degree of probability with which a valid authenticator will match the reference one. As for biometric authentication and remote access to information systems, at the moment modern technologies cannot reliably transmit such data (a fingerprint or the result of scanning the retina) through unprotected channels.
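To make the probabilistic matching described above concrete, here is an added example (not from the original article) that measures how the acceptance threshold trades false accepts against false rejects. The similarity scores are constructed sample data, and FAR/FRR (false accept rate, false reject rate) are standard terms that the article itself does not use.

```python
# Constructed similarity scores in [0, 1]; not measurements from a real sensor.
GENUINE = [0.91, 0.84, 0.78, 0.66, 0.95, 0.72, 0.88, 0.59]   # same finger, new scan
IMPOSTOR = [0.12, 0.35, 0.48, 0.61, 0.27, 0.70, 0.40, 0.19]  # a different finger

def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) when a scan is accepted if score >= threshold."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr

def balanced_threshold(candidates, genuine=GENUINE, impostor=IMPOSTOR):
    """Pick the candidate threshold where FAR and FRR are closest to each other."""
    def gap(t):
        far, frr = error_rates(t, genuine, impostor)
        return abs(far - frr)
    return min(candidates, key=gap)

if __name__ == "__main__":
    for t in (0.50, 0.65, 0.80):
        far, frr = error_rates(t)
        print(f"threshold={t:.2f}  FAR={far:.3f}  FRR={frr:.3f}")
    print("balanced:", balanced_threshold((0.50, 0.65, 0.80)))
```

No threshold in this data set gives zero for both rates: lowering it admits more impostor scans, and raising it locks out more legitimate users.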
What about the SMS-Verification Process?
The disadvantages of this method are much more significant than its merits, and they relate not to the verification algorithm but to the phone number. A lost smartphone may well lead to the compromise of an Internet banking account or a mailbox: after all, the attacker then has all the tools needed.
In addition, someone who has gained control over the number need not even look for the password, but can simply use password recovery via SMS. Serious intruders can even “clone” the number, and the honest user will not even suspect it. The consequences of this are obvious.
SMS-Passwords Are Recognized as Unsafe
In the summer of 2016, the National Institute of Standards and Technology (NIST) introduced a preliminary version of the future Digital Authentication Guideline. It is a document that sets new standards and rules for digital authentication methods. The SMS OTP mechanism was not originally intended for authentication and cannot be considered full-fledged authentication.
The main concern of experts is that the phone number can be tied to a VoIP service. In addition, attackers can try to convince the service provider that the phone number has changed, and such tricks need to be made impossible.
It is worth noting not only the risk of losing access to accounts but also the ordinary inconvenience. For example, when traveling abroad, you can forget to enable roaming (or there will not be such an option at all in a certain country), which will result in the inability to use the necessary payment services.
Another inconvenience is that when you register with a phone number, it may end up in a spam database, after which the user will be pestered by intrusive advertising calls or messages.
What Is the Way Out
In order for authentication to be truly reliable, it is not the number of factors that matters, but the quality of the implementation of the mechanism on both sides of the interaction: the user side and the verifying side. If the fingerprint database is stored on paper in a cabinet, then the biometric authentication will be both inconvenient and unreliable, because the required sheet can simply be removed.
Similarly, a user record in a database stored in the PC’s memory can be removed (or added, or corrupted), and in that case an increased number of factors during the authentication process cannot increase the level of security.
It is very important to consider the whole process of authentication in a particular system, and not just the number of factors involved.