Two-Factor Authentication, Illustrated

Everyone, meet Alice.

“Hello, world!” — Alice, probably

The Good News

Alice uses the internet because she’s not living in a cave. Alice likes various services available to her online. Checking email, banking, hydraulic press videos — that kind of thing. These online services lack locality, meaning Alice can use them regardless of where she is in the world.

Checking email from anywhere. Neat.

The Bad News

While this ability to use services anywhere is cool, it also means that anyone else can try to impersonate Alice from wherever they happen to be, too. That’s where Mallory comes in.

“I will cut you.” — Mallory, probably

Mallory is full of malicious intent towards Alice. We know this because Mallory is a cat. Today, the spiteful feline has turned her focus on accessing a major hub of Alice’s online persona: her email. After all, every other online account she has is linked to and routed through her email in some way. If Mallory was ever to impersonate Alice, a good place to start would be her email account.

“Hello, world, I am Alice!” — Mallory

Once she can pretend to be Alice online, Mallory can turn Alice’s own accounts against her.

Mallory: “Give me Alice’s money!” Bank: “You bet, Alice!”

Passwords and Password Attacks

Online accounts are protected by a password. Everyone knows this. Passwords must be remembered, otherwise Alice will not be able to use it. (They don’t have to be. The best ones aren’t. But that’s not how people typically use them.) Unfortunately, memorable passwords make them easy to guess.

Mallory may be systematically guessing Alice’s password until she stumbles upon it (brute force).

She may also use details about Alice that she gleaned off the internet (e.g., the university she attended, or her pets’ names) as a basis for attack.

Remember that thing about passwords being memorable? It gets worse! Another thing Alice likes to do with passwords is reuse them. After all, remembering one password is easier than remembering a bajillion unique ones for every website out there, right?

Yes, but… this makes Mallory’s job nearly trivial. Now all Mallory needs is one of those services to suffer a security breach, scoop up Alice’s password there, and reuse it on her email service.

Enter Multi-Factor Authentication

Multi-factor authentication means supplying more than one piece of information to prove you are who you claim to be. Alice already does this when she speaks with her bank over the phone. First she gives her name, then social security number, and finally her address. With each correct answer the bank is increasingly confident they are really talking to Alice, and are willing to accommodate her ensuing requests.

Multi-factor authentication in action

Online this has taken many different forms. The most widely used solution is called one-time password (OTP) two-factor authentication (TFA or 2FA).

OTP means this special password can only be used one time. Once Alice has used the OTP, it cannot be used again to log in. Even if Mallory got her catty paws on one that had not been used, it would be useless after a brief period of time (usually 30–60 seconds.)

TFA means two pieces of information are required to authenticate. The first is your traditional password, and the second is the OTP.

How Two-Factor Authentication Works

Alice searched for and enabled two-factor authentication with her email provider. Thereafter (in addition to her password) Alice must now provide a one-time password (OTP) in order to log in.

OTP TFA FTW!

So if these OTPs can only be used once and expire quickly, where does Alice get them from? Why, her smartphone of course.

OTPs appear on her phone in one of two ways, depending on how the online service chooses to provide them. First, the service may send one after she has correctly entered in her password. This can be via SMS, an extension of the phone’s operating system, or a service-specific app. Alternatively, OTPs can be computed from a third-party OTP app like Google Authenticator or Authy. OTP apps use a known time-sensitive algorithm to generate OTP codes on the fly, which do not require a connection to a service.

The best of these services reinforce sending an OTP to a physical device, adding a layer of something you physically possess (your phone) on top of something you know (your password).

Conclusion

Passwords do not provide the level of security needed, especially for online services that house sensitive personal information. They are merely something known, and this knowledge can be derived by anyone with enough motivation and compute power.

Two-factor authentication adds several additional layers of security. In addition to it being a single-use, briefly viable password, it reintroduces the concept of locality to online authentication. With TFA, you have to prove your identity with something you know (your password) as well as something you have (an OTP provided by a device.)

Application

Much like your possessions in real life, there is no one singular panacea to bulletproof your online persona. Nevertheless, there are steps you can take to shrink your vulnerability online:

  • Purchase (and use!) a well-known password management application such as LastPass or 1Password.
  • Seriously, go buy one. Why? Because it makes the following points easier to adhere to.
  • Enable two-factor authentication wherever available. Primary consideration should be given to email, financial, and health related online services.
  • Never use the same password on more than one service.
  • Use lengthy (more than 15 characters, if possible), randomly-generated passwords that include punctuation, symbols, and, lower- and upper-case alphanumerics. (This means you’ll never be able to remember your passwords. You’re better for it.)
  • Immediately change your password on services you use when they report a security breach. Do this regardless of the breach’s reported size, risk, or if your account appears to be affected.
  • Never give out any password, OTP, or sensitive personal information online, over the phone, text, FaceTime, whatever, unless 1) you initiated the conversation, and 2) you know with whom you are speaking. No online service will ever spontaneously require authentication information from you.