Two Factor Authentication Day-by-Day
The role of Two Factor Authentication (2FA) in business and daily life.
Who actually uses 2FA in their daily life? According to a Google report last year, only about 10% of its user base has 2FA enabled (see: Report on Google 2FA uptake). This leaves the door wide open for potential security breaches. Considering the volume of services that are online, some of them "online only", the lack of security on users' accounts is a point of concern.
What is 2 Factor Authentication? (2FA)
Two-factor authentication is a security tool that requires you to type in your password as well as an additional form of authentication. It adds another layer of security to ensure that if your password is compromised, a hacker still can't access your account.
2FA comes in several forms. The earliest was a code sent to your phone via SMS text message; you can also opt for an automated voice call. The most popular form today, however, is a mobile app.
Authentication Apps
Authenticator apps are security-focused apps that let you manage the second factor. There are a number available from different providers; here are some of the most popular:
- 1Password
- Authy
- Microsoft (Authenticator)
How does it work?
There are several options for how you use 2FA: the original form, SMS, which is still quite popular; approval requests sent to an app; and finally One-Time Passwords.
SMS Two Factor
SMS is the simplest form. When you log in to a website, e.g. Facebook, you type in your email address and then your password. With 2FA enabled, the site then prompts you to enter a code.
The code is sent to your mobile phone as a text message. It expires after a short time to ensure it can't be re-used.
Whilst SMS was one of the original forms of two factor verification, it isn’t without flaws.
A recent breach at Metro Bank was attributed to the lack of security in the SMS protocol: attackers were able to intercept two-factor verification text messages and break into users' accounts (see: Metro Bank Breach).
Click to Approve Apps
With app-based approval, the app simply shows a notification on your phone asking you to approve or decline an authentication request. Tapping approve lets the login continue.
One-time Password (OTP) Apps
Within the app, the code appears on screen with a timer next to it. After 30 seconds it expires and a new code is generated automatically. You enter the code in a box before it expires and it logs you in.
How do you set it up?
Every website and app is different, and there are guides online, but the common method is to scan a QR code with the app. In the Google Authenticator app with outlook.com, for example, once you scan the QR code the account appears in the app with a small circle on the right-hand side indicating the time remaining before the current code expires.
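To make the OTP-app and QR-code steps concrete, here is an added example (not code from the original post or from any of the apps named above) that parses the otpauth URI a 2FA QR code typically carries, derives the 30-second code the way RFC 4226/6238 describe, and checks it server-side with a small clock-drift window and no re-use of an already-accepted time step. The URI, account label and key are constructed sample values; the key is the RFC reference key, not a real account secret.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample of what a 2FA QR code encodes (an otpauth URI). The secret is the
# RFC 4226/6238 reference key "12345678901234567890" in base32, not a real account's key.
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&period=30&digits=6")

def parse_otpauth(uri):
    """Pull the account label, shared secret and parameters out of an otpauth:// URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    b32 = q["secret"].upper()
    b32 += "=" * (-len(b32) % 8)  # restore the base32 padding that QR payloads usually omit
    return {"label": unquote(u.path.lstrip("/")), "secret": base64.b32decode(b32),
            "period": int(q.get("period", 30)), "digits": int(q.get("digits", 6))}

def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret, at_time, period=30, digits=6):
    """RFC 6238: the counter is the number of whole periods (30 s by default) since the epoch."""
    return hotp(secret, int(at_time) // period, digits)

class TotpVerifier:
    """Server-side check: allow one step of clock drift either way, but never accept a time
    step at or before the last accepted one, so a code that was already used cannot be replayed."""
    def __init__(self, secret, period=30, digits=6):
        self.secret, self.period, self.digits = secret, period, digits
        self.last_step = -1

    def verify(self, code, at_time):
        step = int(at_time) // self.period
        for candidate in (step - 1, step, step + 1):
            if candidate <= self.last_step:
                continue
            if hmac.compare_digest(hotp(self.secret, candidate, self.digits), code):
                self.last_step = candidate
                return True
        return False
```

The expected codes for the reference key are published in the RFCs (counter 0 gives 755224, and 59 seconds after the epoch gives 287082), so you can check the output against a known answer.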
You need it! But why?
Security has always been a concern for technology-focused companies; however, in the last 10 years, with the rise of social media and so many devices connected to so many services, a huge volume of personal data and content is at risk if accounts are compromised. Phishing scams and social engineering have been a highly successful vector for attackers to gain access to bank accounts and social media accounts.
Because of the vast array of sites people sign up to, they sometimes re-use the same password over and over and don't always use strong passwords. If an attacker breaches a website with poor security and gets at the customer database, they can recover the usernames and possibly the passwords of its users. They can then try these credentials across a number of other websites, hoping some have been re-used. This could leave a person with all their social media, email and even banking accounts compromised.
MFA is already commonplace on some platforms. Apple rolled out "two-step verification", which requires a code from your device to authorise sign-ins elsewhere (see: Apple Two Step). Apple is now pushing users to opt in to two-factor authentication instead of two-step verification, but it is only available on devices running iOS 9 and above (see: Apple Two Factor).
Two Factor Adoption, or lack thereof?
So why do businesses see it as such a critical security measure and enforce 2FA, yet the average person doesn’t have it for any of their accounts?
Passwords have always been seen as a roadblock in technology; no one can be bothered to remember them, so they are often written down. Security-conscious companies enforce password expiration to ensure a password can't be compromised long term, but this usually leads to a situation where a password starts as Qwerty, then becomes Qwerty1, then after several months becomes Qwerty12345.
With some people out there using over a dozen personal websites a day, it may be too much to ask them to add yet another layer of security to add to their woes.
There is also the convenience of a fingerprint. Many apps support the device's native fingerprint authentication, so people can use biometric security instead. In theory this is more secure, as you physically need the device in hand, but it can lead to a degree of laziness, as there is no conscious effort to remember passwords.
Closing thoughts
If you already use 2FA, great, then this should be old news. For those who are still roaming around with no security on their accounts, you should definitely investigate one of the 2FA apps listed earlier. Google, 1Password and Authy would be my choices for someone new to the 2FA game; they are free and easy to set up. It takes away the fear: if your password is compromised, you can rest assured people still won't be able to get in and do damage. Just imagine if someone guessed your Facebook password and started snooping on your private chats! That may sound like a scare tactic, and it is!
Good day, Good security!