Two-Factor Authentication
“The username or password you’ve entered is incorrect, please try again.”
We’ve all experienced the frustration associated with forgetting our passwords. At times, it may be nothing more than a simple lapse in memory. However, it seems to be a more frequently occurring issue than in times past. Here’s why:

The security requirements vary significantly between websites. The requirements may range from a simple six-character minimum to something much more complex. For example, a password may require not only a six-character minimum but also an uppercase letter, lowercase letter, a number 0–9, and a special character. Adding to the frustration, some sites may forbid the use of special characters, making it more difficult to create a strong password.
Complex passwords create more combinations, which makes it harder for an attacker to compromise the account. For example, adding the uppercase letter requirement adds an additional 26 possibilities per character, greatly enhancing the password’s security. If a hacker were to attempt a brute force attack, the increased permutations would exponentially increase the difficulty. A simple password such as “password” may be compromised in as little as one hour. A complex password such as “A8o$kTN4” may take 80 years to crack, rendering a brute force attack useless.
From the standpoint of a hacker, it is safe to assume the password cannot be compromised by the traditional password-cracking methods. However, this in no way indicates the system cannot be compromised. There are simple alternative methods that can be used to discover passwords and other sensitive data. One relatively simple way is monitoring a victim’s network traffic. Wireshark is an open source, easy-to-use program that captures and interprets data packets. Accessing a target’s network or computer allows a hacker to potentially collect all of the target’s passwords for each website they have ever visited, along with a plethora of other vital information. Deleting the browser history, clearing the cache, and similar routine maintenance would not deter the attacker in any way. The complexity of the victim’s passwords would be meaningless once the network is compromised.
Two-Factor Authentication (2FA)
There are many security measures taken to ensure the protection of information. The password is the first line of defense. The more complex the password, the better first line of defense a person has. While this statement is true, it remains a poor measure of protection when used as the sole line of defense. Several companies, primarily those found in the tech industry, offer a second line of defense known as Two-Factor Authentication. This is essentially a second password (also known as a token or code) sent to a phone or email, which is controlled by the owner of the account. This token can be sent via SMS text, email, or a smartphone application such as Authy or Google Authenticator. The first password alone would prove useless without access to the second token. Even if a hacker were able to discover the account’s password, it would be impossible to access the account.
If the token is sent via SMS text, the attacker would need physical access to the owner’s phone. If an application such as Authy or Google Authenticator is used, the security is increased even more. This is because even if the phone has a locking mechanism, it will usually still display SMS text on the front screen while locked. However, the apps both allow for an additional layer of protection. Once the app is opened, the token will display for a period of 20 seconds. During that window of time, the code needs to be entered for a successful login. After 20 seconds the token will refresh and the new token will then be active for 20 seconds. Furthermore, upon each successful login using Google Authenticator, an email is sent to the account owner identifying that there has been a login.
Two-Factor Authentication will become the standard for all accounts where security is a concern. There are currently some companies using Two-Factor Authentication, for instance, Google. The Two-Factor Authentication (2FA) can be found as an option in the settings. It can be turned on or off as needed. To compromise a victim’s Gmail account with 2FA, the hacker would need to know the initial password, have access to the victim’s cell phone, and have the password for the cell phone (this technically provides three layers of defense).
The additional layers of defense provided by 2FA significantly increase an account’s security. The security is increased so much so that the initial password no longer needs the same degree of complexity. Having a locked smartphone combined with Authy or Google Authenticator completely secures accounts. Without physical access to the smartphone and the phone’s password, accounts protected by 2FA are virtually impenetrable. The importance of the initial password becomes significantly reduced. A person can use easily remembered passwords or even the same password, assured that a breach is nearly impossible.
Originally published at allentownbitcoins.com on January 23, 2016.