Two-Factor Authentication (2FA)
Before considering the term "Two-factor Authentication", it helps to understand why digital security matters in the present world. With almost all human activity moving online, some people make a living by stealing the data and information held in our digital space. Malicious attacks against individuals, governments, and organizations have become very common.
These activities show no sign of decreasing; they rise every day. In recent years we have seen many sophisticated cybercrime cases, as companies discover that their security systems have not kept pace with the technology available to attackers. Human error or technical failure may be what left an organization vulnerable. Anyone can be a target, since these attacks are not specific to one sector, and the after-effects can be devastating, ranging from financial to reputational loss. This prompts the need for more secure access to our digital space, and hence for an extra level of protection called "Two-Factor Authentication (2FA)".
WHAT IS TWO-FACTOR AUTHENTICATION (2FA)?
Two-factor authentication (2FA) is a form of multi-factor authentication (MFA) that verifies an individual with two independent forms of identification. It strengthens security because a single stolen credential is no longer enough for an intruder to log in. 2FA is an extra layer of checking used to ensure that people trying to gain access to an online account are who they say they are. First, a user enters their username and password. Then, instead of immediately gaining access, they must provide another piece of evidence. This second factor comes from one of the following categories:
Something you know: This could be a personal identification number (PIN), a password, answers to “secret questions” or a specific keystroke pattern.
Something you have: Typically, a user would have something in their possession, like a credit card, a smartphone, or a small hardware token.
Something you are: This category is a little more advanced, and might include the biometric pattern of a fingerprint, an iris scan, or a voice print.
With 2FA, compromise of just one of these factors does not unlock the account. Even if your password is stolen or your phone is lost, it is unlikely that the same attacker also holds the other factor. Looking at it from the other side, when a user completes 2FA correctly, websites and apps can be more confident of the user's identity before unlocking the account. There are several types of 2FA:
- Hardware tokens
- SMS text-message, email or voice-based codes
- Software token generators
- Push notifications
- Biometrics
- Third-party authentication apps
PROS AND CONS OF THE VARIOUS TYPES OF 2FA
- SMS Text-Message, Email or Voice-Based
PROS: Simplicity of use: the user just types in the code from the SMS sent to their mobile phone.
If someone attempts to log in to your account with your password, you find out immediately, because you receive a one-time password (OTP) you did not request, and you can change your password at once.
CONS:
SMS sending fees. This matters most to companies protecting their users; in the B2B segment, software or hardware tokens are usually more cost-effective.
Cannot be used without cellular coverage (in remote areas or abroad) or without the phone itself (theft, loss, flat battery).
SIM swapping lets an attacker take over the phone number and receive the codes meant for the user.
SMS messages can be intercepted in a variety of ways (malware on the phone, weaknesses in the carrier network), and because the code is simply typed into a web page, a phishing site can capture it and relay it to the real service before it expires.
- Hardware Tokens
PROS:
The device is not connected to the computer or the network, so malware on the host cannot read the secret stored inside it.
The one-time password is generated by the device itself from that stored secret, so it is never sent over a channel that could be intercepted on its way to the user.
It does not require a network connection of any kind.
The built-in battery is enough for years of independent operation.
CONS:
A lost or compromised token has to be replaced, which means ordering and waiting for a new one. If you stop using the service, the money spent on the token is wasted, as it cannot be reused with another service.
To protect several accounts (or accounts at different services), you need a separate token for each, because each token holds one pre-loaded secret. This can add up to a bundle of devices that is awkward to carry around.
The secret key in such tokens is written in at the factory, passed to the supplier, and then transferred to the website owner. Keys are transmitted in encrypted form, but there remains a possibility that at some stage an unscrupulous employee or an attacker could leak them, and anyone holding the seed can generate exactly the same codes as the token.
Pros of two-factor authentication
An additional layer of security
This is arguably the single most important reason for adopting 2FA controls. Passwords have been the means of permitting or denying access for decades, but they provide only a single layer of security. If the password is cracked, phished or otherwise disclosed, anyone who holds it has a front-door entry into your systems.
The stronger the password, the harder it is to break, but it is still a single point of failure. 2FA adds a second layer that keeps your systems protected when one authentication factor is compromised.
Complexity by Factor Variation
While some use the two terms interchangeably, 2FA is different from two-step authentication. If a system's authentication relies on two controls of the same type (the same factor), that is two-step authentication; in effect it is still single-factor authentication. 2FA provides more robust security than two-step authentication.
For example, a username and password, or a password and the answer to a secret question, are all things the user knows, and they can be compromised at the same time, for instance through a single data breach or phishing page. It is far harder for that to happen when the two factors are distinct: a password plus a one-time code generated on the user's phone, or a password plus an iris scan. The variation in factor types that is inherent to 2FA makes it more difficult for an attacker to break through.
Cost-effective
2FA does not imply a doubling of your access control costs. Of course, the cost of 2FA varies widely depending on the authentication method you choose. It will likely cost you substantially more to implement retinal scanning than SMS-based one-time codes.
Nevertheless, even the most sophisticated methods experience a gradual price drop. Widespread adoption creates economies of scale, therefore, giving vendors access to lower price points without diminishing their profit. Also, everyday consumer gadgets such as smartphones are increasingly equipped with biometrics and other 2FA-friendly technologies that can be leveraged for authentication. Overall, the barrier to using 2FA is nowhere near as high as it once was.
Cons of two-factor authentication
Time-consuming
Time may be an absolute metric, but it is also relative. What may be adequate time to complete a certain activity could be negligible in a different context. 2FA adds a new step to the authentication process, and this, therefore, increases the time it takes to access accounts. At an individual level, this would appear minuscule.
But when you spread this across an organization with thousands of employees, it adds up to thousands of work hours lost each year. Some 2FA systems, such as SMS-based security codes, are quicker to navigate than others. So, the time lost depends on what form of 2FA an organization adopts.
Cost
Cost, like time, is relative.
For a billion-dollar corporation, a system worth hundreds of thousands of dollars would barely register on the balance sheet. But for an SMB, such an expense could make the difference between profit and loss. Inevitably, it will cost your organization more to move to 2FA than it would to stay with conventional password controls.
Failure can be disruptive
2FA creates two distinct hurdles an attacker would have to jump through to gain access. But two-factor control also adds complexity and increases the number of moving parts in the authentication process. This, in turn, means you have more potential causes of authentication system failure. While a good 2FA shouldn’t have much downtime, it can occur. When it does, it impacts user productivity.
It is not foolproof
No security is infallible. 2FA is much more successful in preventing unauthorized entry than single-factor controls, and the depth of protection depends on which type of 2FA you use. Nevertheless, sophisticated attackers such as state-sponsored groups may have the knowledge and resources to undermine the system, and 2FA is not immune to simple, low-cost techniques either.
For example, an unauthorized person may steal a user's phone and read the text-based security code from it.
SMS and email accounts can be compromised too, and a code the user types into a web page can be phished just like a password.
Written By: Ojo Itunu Samuel