Online security: Two-factor Authentication
Simona Pralovska, 19.05.2021
Nowadays, we store quite a lot of sensitive information in different online accounts, websites, apps, and services. Password protection – even with a secure password – isn’t always sufficient.
So how can we protect personal or company data in the most reliable way? The answer is by using two-factor authentication.
What is two-factor authentication?
Two-factor authentication (also known as 2FA) adds another layer of security to a common password login. This means that even if a hacker steals your username and password, they won’t be able to log in to the account without an additional code.
What types of 2FA exist?
Two-factor authentication is supported by many services; however, it must be enabled manually. You can choose from many options:
- mobile app
- one-time code
- USB drive
- smartphone prompt
- text message
Let’s look closer at how the different types of two-factor authentication work.
Mobile app
One 2FA method is using a smartphone app, like Duo Mobile, Google Authenticator, or Microsoft Authenticator. You can download the app to your smartphone and link it with the desired accounts. The app automatically generates a time-sensitive access code (usually valid for a few seconds) that is replaced by a new one once it expires. If an attacker steals your password, they will still need physical access to your mobile device to get into your accounts.
You can also link the app with multiple accounts from different services (including e-mail, cloud storage, and social media).
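How an authenticator app and the service can agree on a code that keeps changing, shown as an added example that is not part of the original article: it follows the standard TOTP algorithm (RFC 6238) and assumes a 30-second step, 6 digits and HMAC-SHA1. The function names and the sample secret are illustrative.

```python
import hashlib
import hmac
import struct

STEP = 30    # assumed code lifetime in seconds (the RFC 6238 default)
DIGITS = 6   # assumed code length

def totp(secret: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """Derive the code for the time step that contains unix_time."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret: bytes, submitted: str, unix_time: int, last_used_step: int = -1):
    """Server side: accept the current step or one step either side (clock drift)
    and refuse a step that was already used. Returns the matched step or None."""
    current = unix_time // STEP
    for step in (current - 1, current, current + 1):
        expected = totp(secret, step * STEP)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected.encode(), submitted.encode()) and step > last_used_step:
            return step
    return None

# Constructed sample: the published RFC 6238 test secret, not a real account key.
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    code = totp(SECRET, 59)
    print("code at t=59:", code)
    print("same window:", verify(SECRET, code, 59))
    print("one step later (drift):", verify(SECRET, code, 89))
    print("two minutes later:", verify(SECRET, code, 179))
    print("replayed after use:", verify(SECRET, code, 59, last_used_step=1))
```

Both sides hold the same secret from the moment the account is linked, so a stolen password alone never yields a valid code, and a captured code stops working once its time window has passed or it has been used.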
One-time code
The service (e.g., Gmail) generates a certain number of codes upon request to be used as an additional login method later. The number of these codes is limited and each can only be used once. Therefore, this method works better as a backup solution.
Ideally, these codes shouldn’t be stored on the computer. For example, you can print them out. However, make sure not to lose them or let them be stolen.
USB drive
A special, secure USB drive is considered to be one of the strongest forms of protection today. The drive must be activated for each account (in 2FA settings) and subsequently plugged into the computer for each login attempt. The USB drive acts solely as an authenticator — it does not store any data. If lost or stolen, it would be impossible to discover which account it belongs to.
Another alternative is a security key built into a device (e.g., a smartphone or tablet). In this case, Bluetooth connectivity is required for it to work properly.
Smartphone prompt
This solution doesn’t rely on entering codes. Instead, when logging into a service via a new browser or device, your smartphone receives a prompt that you must approve.
Similar to the mobile app, an attacker would need physical access to your mobile device to access your accounts.
Text message
When logging into an account, you receive a text message with a generated code that you then enter after your password. Numerous services routinely employ this method.
However, this is no longer considered to be the most secure solution. Why? A phone number can be transferred to a different SIM card, after which its text messages, location, and calls can all be monitored remotely.
TIP: Beware of scams
Two-factor authentication makes hackers’ jobs more difficult, so it’s no wonder they’re trying to foil even this security measure. They have begun to use so-called social engineering methods to manipulate people into giving up personal information.
The attack can go something like this: the attacker requests a password reset when logging into your e-mail account. The e-mail service sends you, as the owner of the mailbox, an authentication code in the form of a text message. Simultaneously, the attacker sends you a message informing you of suspicious activity on your account and requests the authentication code. If you send the code, the attacker can change your password and gain access to your mailbox.
Should you receive a similar message when you did not request the code yourself, be very careful. Keep in mind that a requested code is entered directly in the app or on the website; you should not send it to anyone or save it on your phone.
Do you use two-factor authentication? Which method works best for you?