What is 2FA and why you should enable it for all your accounts

Raj Dedhia
4 min read · Oct 11, 2020


We have all been guilty of reusing the same password across multiple accounts for the sake of convenience. If that one password is leaked from any of those accounts, you risk losing access to all of them, because attackers routinely try leaked credentials against other sites.

Okay, so you use a different password for every account. You are still at risk of losing an account if the site suffers a data breach and its password database is leaked. Most websites ask us to enable Two-Factor Authentication (2FA) when we sign up, but we just press skip.

But what is 2FA?

Two-Factor Authentication (2FA) is the most common form of multi-factor authentication (MFA). It adds an extra layer of security to your accounts: the first layer is generally your username and password, and 2FA adds a second, independent check on top. An attacker who has only your password then still cannot get in without also compromising the second factor.

Photo: cofounderstown.com

Types of Authentication-

  1. Something you know- password, pin, security questions, etc
  2. Something you have- Mobile phone, Debit Card, USB stick, etc
  3. Something you are- Fingerprint, Face Recognition, Retina, etc

A combination of any two from different categories is considered safe enough. Two items from the same category do not count: a password plus a security question is still just two things you know.

Types of 2FA-

Worst: SMS, Calls-

SMS was never designed as a secure channel. Messages travel through the carrier network in the clear, and weaknesses in the signalling protocols between carriers have been used to intercept them. Even without intercepting anything, an attacker can call your cellular service provider and manipulate customer service into moving your number to a SIM card they control (SIM swapping). Once that is done, every text message intended for the target's phone number, including 2FA codes, arrives on the attacker's phone, and the code gives them access to the account.

Bad: Email-

Receiving codes by email is slightly better than SMS, but it comes with its own challenges. Email is harder to intercept in transit than SMS, but the mailbox itself is a target: it lives with a third-party provider and is read from a personal computer that can be compromised. For most services the same mailbox is also where password resets go, so an attacker who controls it gets both factors at once. Still, email is a middle ground between convenience and security.

Good: Authenticator App-

Authenticator apps live on your phone and generate a new six-digit code every 30 seconds. This constant rotation makes authenticator apps one of the safer 2FA methods for most people. The disadvantage is that not all websites support this type of 2FA, although most major platforms do.
Setup consists of scanning a QR code shown by the website with the authenticator app, and that's it. The QR code carries a randomly generated secret key that is stored both by the website and by the app. The main advantage is that the app never needs an internet connection: it derives each new code from that shared secret and the current time, and the website performs the same computation to check the code you type. The remaining weakness is phishing: a fake login page can ask for your current code and relay it to the real site within the 30-second window, which is the gap that hardware keys close.

Algorithm for generation-

Photo: digitalbunker.dev

The standard is TOTP (RFC 6238), which is HOTP (RFC 4226) with the counter replaced by the current Unix time divided by 30. The shared secret key and the 8-byte counter go through HMAC-SHA1 (not a plain SHA1 of their concatenation), which produces a 20-byte digest. Then, by a process called dynamic truncation, the low four bits of the last byte of that digest are used as an offset into it, the 4 bytes starting at that offset are read as a 31-bit integer, and that number modulo 10^6 becomes the 6 digit code. You can check this link where it is very well explained.
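The following is an added example, not code from the original post: a standard-library Python implementation of the HOTP/TOTP algorithm described above, plus the server-side check (a small drift window and a constant-time comparison) and a parser for the otpauth:// URI that the enrolment QR code actually encodes. The secret is the reference key from RFC 4226/6238 so the output can be checked against the published test vectors; the enrolment URI and the account label in it are constructed for illustration.

```python
"""Minimal HOTP (RFC 4226) / TOTP (RFC 6238), as used by authenticator apps.

Standard library only. RFC_SECRET is the RFC test-vector key; EXAMPLE_URI is a
constructed enrolment URI of the kind an authenticator reads from a QR code.
"""
import base64
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """HMAC(secret, counter) -> dynamic truncation -> zero-padded decimal code."""
    msg = struct.pack(">Q", counter)                 # counter as an 8-byte big-endian integer
    mac = hmac.new(secret, msg, algorithm).digest()  # 20-byte digest for SHA-1
    offset = mac[-1] & 0x0F                          # low nibble of the last byte picks a 4-byte window
    window = struct.unpack(">I", mac[offset:offset + 4])[0]
    code = window & 0x7FFFFFFF                       # drop the top bit: a 31-bit unsigned value
    return str(code % 10 ** digits).zfill(digits)    # keep the last `digits` decimal digits


def totp(secret: bytes, timestamp: float, step: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """TOTP is HOTP with the counter derived from the clock: floor(time / step)."""
    return hotp(secret, int(timestamp // step), digits, algorithm)


def verify_totp(secret: bytes, candidate: str, timestamp: float, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accepts the current step and +/-`window` neighbours so a
    slightly drifted phone clock still works, and compares in constant time so the
    response time leaks nothing about the expected code."""
    if len(candidate) != digits or not candidate.isdigit():
        return False
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret, timestamp + drift * step, step, digits)
        ok |= hmac.compare_digest(expected.encode(), candidate.encode())
    return ok


def decode_base32_secret(text: str) -> bytes:
    """Secrets travel in the QR code as unpadded base32, often lowercase and space-grouped."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def parse_otpauth(uri: str) -> dict:
    """Parse the otpauth:// URI that an authenticator app reads out of the enrolment QR code."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth TOTP/HOTP URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if "secret" not in params:
        raise ValueError("otpauth URI carries no secret")
    return {
        "type": parsed.netloc,
        "label": unquote(parsed.path.lstrip("/")),
        "secret": decode_base32_secret(params["secret"]),
        "issuer": params.get("issuer", ""),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").lower(),
    }


# Reference key from RFC 4226 / RFC 6238 (ASCII "12345678901234567890"), so the codes
# below match the published test vectors. The URI is a constructed enrolment example.
RFC_SECRET = b"12345678901234567890"
EXAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
               "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30")

if __name__ == "__main__":
    print("HOTP counters 0..2:", [hotp(RFC_SECRET, c) for c in range(3)])  # 755224 287082 359152
    print("TOTP at T=59:", totp(RFC_SECRET, 59))                           # 287082
    enrolment = parse_otpauth(EXAMPLE_URI)
    print("current code for", enrolment["label"], ":",
          totp(enrolment["secret"], time.time(), enrolment["period"], enrolment["digits"]))
```

Two details matter in practice: the verifier must compare with `hmac.compare_digest` rather than `==`, and the drift window should be small (one step either side) because every extra step accepted widens the guessing space for a six-digit code; rate limiting on the server is still required.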

Some examples of Authenticator Apps-

  1. Google Authenticator- Most convenient and recommended for most people, but the app is not open source and you have to trust Google with your security.
  2. Aegis Authenticator- Open source, with a neat UI and backup and restore functionality.
  3. andOTP- Open source, with encrypted backup and restore functionality. (I personally use andOTP as my Authenticator App.)

Best: Hardware Keys-

There is no substitute for a physical key. Just like a key to your house or car, these are keys to your online accounts. These hardware authentication keys turn the problem of authenticating into possession of a physical device. Once set up, you need to physically plug the key into the computer or mobile to access your account. Because the key signs a challenge that is tied to the website you are actually on, it will not work on a look-alike phishing site, which is what sets it apart from a code you type in by hand.

photo: blog.trezor.io

Fun fact: Google gave all its employees security keys which reduced the phishing attacks happening on them to zero. (source)

Some examples of security keys-

  1. Solokeys- Open source and support the latest FIDO2 standards.
  2. Yubikey- Many different variants to choose from; some also have a Lightning connector for iPhones.

Conclusion-

Any 2FA is better than no 2FA. Enabling 2FA on every account takes time, but it is a step towards better security. You may not be interested in buying a security key, but the least you can do is enable some sort of 2FA to have peace of mind.

Cheers.
