Two factor authentication: How to protect your accounts
Time and time again, the media reports on large-scale hacker attacks. Internet criminals get their hands on thousands of e-mail addresses and passwords from large web platforms, forums, or online shops, and gain unauthorized access to the accounts of their victims. These so-called phishing attacks also give criminals access to sensitive account information. One of the safest ways to protect your own accounts from criminal tampering is the two factor authentication method: With this, access to an account is only possible with a second identity verification. In our article, we explain what exactly two factor authentication is, how it works in practice, and which benefits and drawbacks the method has.
What is two factor authentication?
Two factor authentication combines two different and independent components of identification to identify a legitimate user. You come across a simple everyday example for two factor authentication every day at the ATM or a supermarket checkout: To withdraw money or pay with a card at the store, two components are needed: Your debit or credit card and your pin (or signature). Only when the two are correctly combined is the two factor authentication successful. The same principle can also be applied to the securing of e-mail accounts, online shop accounts, or other large web portals.
Unfortunately, an overwhelming majority of accounts on the web are still only protected by one component: To log into an e-mail account, cloud service, or online shop, just one password is usually required. If these are targeted, hackers can gain quick access to sensitive emails, account information, and other personal data. To prevent that, a growing number of providers such as Dropbox, Google, or Amazon have implemented two factor authentication as an additional security measure for their respective services. This method can turn out a number of ways, depending on which of the various components are combined to create it.
How does two factor authentication work?
The components or factors necessary for access in a two factor authentication can be a number of different things. The most important and most widely used factors are:
- Token or access card
- PIN (Personal Identification Number)
- TAN (Transaction Number)
- Biometric characteristic (e.g. fingerprint, voice, or iris)
All these factors require something for the identification of a legitimate person that they either know, have, or are inseparably connected to (“know”, “have”, “are”). The bank account example shows that in everyday life, usually tokens of some kind are combined with one of the other factors. But this method has the critical disadvantage that even authorized persons can’t gain access without carrying the token with them – which can result in inadvertent moments of locked access (e.g. the incorrect input).
For this reason, two factor authentication systems where classic tokens aren’t required, or the risk of loss is at least minimized, are increasingly used online for identifying legitimate users: As a rule, the system generates an automatic code in addition to a password. This is delivered to the authorized user by means of their smartphone – either via SMS, mail, or a special authentication app. This guarantees that only the person who should have access receives the additional security code. The benefit: The code is only valid once and automatically loses its validity after a specified time.
Two factor authentication without a token or access card also has the advantage that secondary methods for receiving a security code can be defined: If, for example, access to the app isn’t possible, then a code can alternatively be sent via SMS, or an authorized user can receive a phone call with an automatic announcement of the code.
Why use two factor authentication?
One hundred percent security for an account is never guaranteed – so why bother to set up two factor authentication at all? The answer is pretty obvious: Two factor authentication adds an additional step to the identification process, or a sort of second hurdle that unauthorized persons must first overcome. As a result, almost all common phishing attacks fail.
With phishing, internet criminals try to send links to prepared websites via fake e-mails that will then be used to access passwords, PINs or TANs. The e-mails appear to come from an authentic mailing list, bank, or online shop, and generally ask for a change in one of the authentication factors – supposedly for security purposes. In reality, they just want access to your given password, PIN, or TAN.
An example is the phishing attack on John Podesta, the campaign manager for Hillary Clinton: According to media reports, Podesta – and various other US politicians – received fake e-mails in March 2016. These allegedly came from Google, and told their prominent victims that a foreign IP address from the Ukraine was trying to gain access to their e-mail account and they should change their password immediately. Clicking on the link contained in the e-mail sent them to a fake website. The URL of the website had been abbreviated and veiled, and the layout of the page copied Google.
Fraudulent masks like this are largely successful: Of the 108 members of the Clinton campaign who received the e-mail, 20 clicked on the link, and the rate for the Democratic Party’s National Committee was 4 out of 16. If the targeted Google accounts had been secured with a two factor authentication, then the attackers couldn’t have started without the obtained passwords. The second factor for a successful hack would have been missing: A unique security code, which would have been sent exclusively to the mobile phone of the authorized person.
So why is this method not more widely used? Setting up two factor authentication on Google is neither particularly complex nor lengthy. You don’t even need to recall the automatically generated security code every time you log in, since you can permanently mark a device as trustworthy. The following video from Google demonstrates how the setup works:
The two factor authentication setup process of other services is just as simple: Amazon, Microsoft, Apple – almost all large companies offer their customers similar options. The low prevalence of two factor authentication raises the question of whether there are disadvantages that come with the additional security.
Does two factor authentication have drawbacks?
The higher security standard provided by two factor authentication brings along its own benefits, and is ultimately recommended by the National Institute of Standards and Technology (NIST) in its Electronic Authentication Guideline. For users, though, the risk of being blocked out of their own accounts due to carelessness or system failures is there, since the two-step authentication adds an extra step not only for potential hackers, but also for legitimate users. Because two factor authentication is usually used to secure account online via a combination of “know” (password, etc.) and “have” (cell phone to which the security code is sent), the loss of the phone in question results in the (temporary) lockout of the authorized user. Technical problems with the authentication app also cannot be avoided entirely.
Luckily, most companies have a “double floor” for cases like this, or the possibility to specify a restore option, such as an alternative number where the authentication code can be sent. A written or printed emergency code or a replacement e-mail address are also sometimes requested to restore access to the account. This disadvantage is largely relative, though. It’s only necessary to take the security measures into account – as long as they’re optional and not obligatory – and to carefully note down the information for emergency access. This minimizes the risk of locking yourself out.