Two-factor authentication (2FA), sometimes referred to as two-step verification or dual-factor authentication, is a security process in which users provide two different authentication factors to verify themselves. This process is done to better protect both the user's credentials and the resources the user can access. Two-factor authentication provides a higher level of security than authentication methods that depend on single-factor authentication (SFA), in which the user provides only one factor -- typically, a password or passcode. Two-factor authentication methods rely on a user providing a password, as well as a second factor, usually either a security token or a biometric factor, such as a fingerprint or facial scan.
Two-factor authentication adds an additional layer of security to the authentication process by making it harder for attackers to gain access to a person's devices or online accounts because knowing the victim's password alone is not enough to pass the authentication check. Two-factor authentication has long been used to control access to sensitive systems and data, and online service providers are increasingly using 2FA to protect their users' credentials from being used by hackers who have stolen a password database or used phishing campaigns to obtain user passwords.
What are authentication factors?
There are several different ways in which someone can be authenticated using more than one authentication factor. Currently, most authentication methods rely on knowledge factors, such as a traditional password, while two-factor authentication methods add either a possession factor or an inherence factor.
Authentication factors, listed in approximate order of adoption for computing, include the following:
1. A knowledge factor is something the user knows, such as a password, a PIN (personal identification number) or some other type of shared secret.
2. A possession factor is something the user has, such as an ID card, a security token, a cell phone, a mobile device or a smartphone app, to approve authentication requests.
3. An inherence factor, more commonly called a biometric factor, is something inherent in the user's physical self. These may be personal attributes mapped from physical characteristics, such as fingerprints authenticated through a fingerprint reader. Other commonly used inherence factors include facial and voice recognition. They also include behavioural biometrics, such as keystroke dynamics, gait or speech patterns.
4. A location factor, usually denoted by the location from which an authentication attempt is being made, can be enforced by limiting authentication attempts to specific devices in a particular location or, more commonly, by tracking the geographic source of an authentication attempt based on the source Internet Protocol (IP) address or some other geolocation information, such as Global Positioning System (GPS) data, derived from the user's mobile phone or other device.
5. A time factor restricts user authentication to a specific time window in which logging on is permitted and restricts access to the system outside of that window.
It should be noted that the vast majority of two-factor authentication methods rely on the first three authentication factors, though systems requiring greater security may combine more of them to implement multifactor authentication (MFA), which can rely on two or more independent credentials for more secure authentication.
How does two-factor authentication work?
Here's how two-factor authentication works:
1. The user is prompted to log in by the application or the website.
2. The user enters what they know -- usually, username and password. Then, the site's server finds a match and recognizes the user.
3. For processes that don't require passwords, the website generates a unique security key for the user. The authentication tool processes the key, and the site's server validates it.
4. The site then prompts the user to initiate the second login step. Although this step can take a number of forms, users have to prove that they have something only they would have, such as a security token, ID card, smartphone or other mobile device. This is the possession factor.
5. Then, the user enters a one-time code that was generated during step four.
6. After providing both factors, the user is authenticated and granted access to the application or website.
Elements of two-factor authentication
Two-factor authentication is a form of MFA. Technically, it is in use any time two authentication factors are required to gain access to a system or service. However, using two factors from the same category doesn't constitute 2FA; for example, requiring a password and a shared secret is still considered SFA as they both belong to the same authentication factor type: knowledge.
As far as SFA services go, user ID and password are not the most secure. One problem with password-based authentication is it requires knowledge and diligence to create and remember strong passwords. Passwords require protection from many inside threats, like carelessly stored sticky notes with login credentials, old hard drives and social engineering exploits. Passwords are also prey to external threats, such as hackers using brute-force, dictionary or rainbow table attacks.
Given enough time and resources, an attacker can usually breach password-based security systems and steal corporate data, including users' personal information. Passwords have remained the most common form of SFA because of their low cost, ease of implementation and familiarity. Multiple challenge-response questions can provide more security, depending on how they are implemented, and stand-alone biometric verification methods can also provide a more secure method of SFA.
Types of two-factor authentication products
There are many different devices and services for implementing 2FA -- from tokens to radio frequency identification (RFID) cards to smartphone apps.
Two-factor authentication products can be divided into two categories: tokens that are given to users to use when logging in and infrastructure or software that recognizes and authenticates access for users who are using their tokens correctly.
Authentication tokens may be physical devices, such as key fobs or smart cards, or they may exist in software as mobile or desktop apps that generate PIN codes for authentication. These authentication codes, also known as one-time passwords (OTPs), are usually generated by a server and can be recognized as authentic by an authentication device or app. The authentication code is a short sequence linked to a particular device, user or account and can be used once as part of an authentication process.
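The login flow described under "How does two-factor authentication work?" and the one-time codes described in the paragraph above, as an added example that is not part of the original article: a Python sketch of a server that first checks the knowledge factor (a salted PBKDF2 password hash) and then the possession factor, a time-based one-time password computed as in RFC 6238 (HMAC-SHA1 over a 30-second counter, truncated to six digits as in RFC 4226). The `User` record, the 200,000-iteration hash cost and the one-step clock-drift window are assumptions of this example; the secret used in the comments and tests is the public RFC 4226/6238 test-vector key, not a real credential.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

STEP_SECONDS = 30        # TOTP time step (RFC 6238 default)
DRIFT_WINDOW = 1         # accept one step of clock skew either side (assumed policy)
PBKDF2_ROUNDS = 200_000  # password hashing cost (assumed)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24) | (mac[offset + 1] << 16) | (mac[offset + 2] << 8) | mac[offset + 3]
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // STEP_SECONDS, digits)


class User:
    """Constructed account record: salted password hash plus the TOTP secret enrolled on the user's app."""

    def __init__(self, username: str, password: str, totp_secret: bytes):
        self.username = username
        self.salt = secrets.token_bytes(16)
        self.password_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ROUNDS)
        self.totp_secret = totp_secret
        self.last_used_counter = -1  # highest counter already accepted; a captured code cannot be replayed


def check_password(user: User, password: str) -> bool:
    """Knowledge factor (step 2 of the flow), compared in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user.salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, user.password_hash)


def match_totp(user: User, code: str, now: Optional[int] = None) -> Optional[int]:
    """Possession factor (steps 4 and 5): return the counter the code matches, or None.

    Only the current step and DRIFT_WINDOW steps either side are tried, and a counter
    that was already consumed is never accepted again.
    """
    now = int(time.time()) if now is None else now
    current = now // STEP_SECONDS
    for counter in range(current - DRIFT_WINDOW, current + DRIFT_WINDOW + 1):
        if counter < 0 or counter <= user.last_used_counter:
            continue
        if hmac.compare_digest(hotp(user.totp_secret, counter), code):
            return counter
    return None


def login(user: User, password: str, code: str, now: Optional[int] = None) -> str:
    """Both factors are always evaluated, and the response does not say which one failed."""
    password_ok = check_password(user, password)
    counter = match_totp(user, code, now)
    if not password_ok or counter is None:
        return "denied"
    user.last_used_counter = counter  # consume the code only on a fully successful login
    return "granted"


if __name__ == "__main__":
    # RFC 4226 test key; with this secret the code for Unix time 59 is 287082.
    demo = User("alice", "correct horse", b"12345678901234567890")
    print(login(demo, "correct horse", totp(demo.totp_secret, 59), now=59))
```

Two design points worth noting: the code is consumed only when both factors pass, so a wrong password cannot be used to burn a legitimate code, and the drift window is bounded so that an old code leaked from a screenshot or a shoulder-surf stops working within about a minute.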
Organizations need to deploy a system to accept, process and allow -- or deny -- access to users authenticating with their tokens. This may be deployed in the form of server software, a dedicated hardware server or provided as a service by a third-party vendor.
An important aspect of 2FA is ensuring that the authenticated user is given access to all resources the user is approved for -- and only those resources. As a result, one key function of 2FA is linking the authentication system with an organization's authentication data. Microsoft provides some of the infrastructure necessary for organizations to support 2FA in Windows 10 through Windows Hello, which can operate with Microsoft accounts, as well as authenticating users through Microsoft Active Directory, Azure AD or Fast IDentity Online (FIDO 2.0).
Is two-factor authentication secure?
While two-factor authentication does improve security -- because the right to access no longer relies solely on the strength of a password -- two-factor authentication schemes are only as secure as their weakest component.
The account recovery process itself can also be subverted when it is used to defeat two-factor authentication because it often resets a user's current password and emails a temporary password to allow the user to log in again, bypassing the 2FA process.
Higher levels of authentication
Most attacks originate from remote internet connections, so 2FA makes these attacks less threatening. Obtaining passwords is not sufficient for access, and it is unlikely an attacker would also be able to obtain the second authentication factor associated with a user account. However, attackers sometimes break an authentication factor in the physical world.
This is why some high-security environments require a more demanding form of MFA, such as three-factor authentication (3FA), which typically involves possession of a physical token and a password used in conjunction with biometric data, such as fingerprint scans or voiceprints. Factors such as geolocation, type of device and time of day are also being used to help determine whether a user should be authenticated or blocked. Additionally, behavioural biometric identifiers, such as a user's keystroke length, typing speed and mouse movements, can also be discreetly monitored in real time to provide continuous authentication instead of a single one-off authentication check during login.
Push notifications for 2FA
A push notification is passwordless authentication that verifies a user by sending a notification directly to a secure app on the user's device, alerting the user that an authentication attempt is happening. The user can view details of the authentication attempt and either approve or deny access -- typically, with a single tap. If the user approves the authentication request, the server receives that request and logs the user in to the web app.
Push notifications authenticate the user by confirming that the device registered with the authentication system -- usually, a mobile device -- is in the possession of the user. If an attacker compromises the device, the push notifications are also compromised. Push notifications eliminate the opportunities for man-in-the-middle (MitM) attacks, unauthorized access, and phishing and social engineering attacks.
While push notifications are more secure than other forms of authentication, there are still security risks.
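The push flow described above, as an added example that is not part of the original article: a Python simulation of the server side of a push approval, where each login attempt gets its own challenge that carries the context the phone displays, expires after a short time, can be answered only by the enrolled device (the answer is an HMAC under a key provisioned at enrollment) and is consumed on first use. The `PushAuthServer` class, the 60-second lifetime, the HMAC-based device signature and the documentation-range IP address in the test are all assumptions of this example and not any vendor's protocol.

```python
import hashlib
import hmac
import secrets

CHALLENGE_TTL = 60  # seconds a pending push request remains answerable (assumed policy)


def device_sign(device_key: bytes, challenge_id: str, decision: str) -> str:
    """Runs on the enrolled phone: binds the tap to this exact request and decision."""
    return hmac.new(device_key, f"{challenge_id}:{decision}".encode(), hashlib.sha256).hexdigest()


class PushAuthServer:
    """Constructed server model: one pending challenge per login attempt, answered once, before expiry."""

    def __init__(self) -> None:
        self.device_keys = {}  # username -> key provisioned when the device was enrolled
        self.pending = {}      # challenge_id -> request record

    def enroll_device(self, username: str) -> bytes:
        """Possession factor is established here: the key lives only on the registered device."""
        key = secrets.token_bytes(32)
        self.device_keys[username] = key
        return key

    def start_login(self, username: str, context: str, now: float) -> str:
        """Called after the first factor passed; creates the request the phone will show."""
        if username not in self.device_keys:
            raise ValueError("no enrolled device for this user")
        challenge_id = secrets.token_urlsafe(16)
        self.pending[challenge_id] = {
            "username": username,
            "context": context,  # what the user sees, e.g. application name and source address
            "expires": now + CHALLENGE_TTL,
            "decision": None,
        }
        return challenge_id

    def device_response(self, challenge_id: str, decision: str, signature: str, now: float) -> bool:
        """Accept a decision only from the enrolled device, only once, and only before expiry."""
        rec = self.pending.get(challenge_id)
        if rec is None or rec["decision"] is not None or now > rec["expires"]:
            return False
        if decision not in ("approve", "deny"):
            return False
        expected = device_sign(self.device_keys[rec["username"]], challenge_id, decision)
        if not hmac.compare_digest(expected, signature):
            return False  # not produced by the registered device for this request
        rec["decision"] = decision
        return True

    def finish_login(self, challenge_id: str, now: float) -> str:
        """Polled by the web app; a consumed or expired challenge never grants access."""
        rec = self.pending.get(challenge_id)
        if rec is None:
            return "denied"
        if now > rec["expires"]:
            del self.pending[challenge_id]
            return "expired"
        if rec["decision"] is None:
            return "pending"
        del self.pending[challenge_id]  # single use: the same approval cannot log in twice
        return "granted" if rec["decision"] == "approve" else "denied"


if __name__ == "__main__":
    server = PushAuthServer()
    key = server.enroll_device("alice")
    cid = server.start_login("alice", "webmail from 198.51.100.7", now=1000.0)
    server.device_response(cid, "approve", device_sign(key, cid, "approve"), now=1002.0)
    print(server.finish_login(cid, now=1003.0))
```

Showing the request context on the device and tying the approval to a specific challenge id, rather than a bare "approve" button, is what lets the user reject a prompt they did not initiate; the expiry and single-use rules limit how long such a prompt stays live.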
Future of authentication
Relying on passwords as the main method of authentication no longer offers the security or user experience (UX) that users demand. And, even though legacy security tools, such as a password manager and MFA, attempt to deal with the problems of usernames and passwords, they depend on an essentially outdated architecture: the password database.
Consequently, organizations looking to improve security in the future are exploring the use of passwordless authentication technologies to improve UX.
Passwordless authentication lets users authenticate themselves in their applications securely, without having to enter passwords. In business, that means employees can access their work without having to enter passwords -- and IT still maintains total control across every login.
Biometrics and secure protocols are two examples of passwordless authentication technologies.
Using biometrics as the passwordless authentication method at the user, application and device level can better assure companies that the employees logging in to the systems are who they say they are.