Although the use of a combination of username and password no longer inspires trust, unfortunately, many do not realize the risks associated with this type of authentication until they become victims of cybercrime. Obviously, a data breach can be devastating for both the user and the website. For this reason, more and more companies are using two-factor authentication (2FA) to exclude access from unauthorized persons. Caltat Big Data platform co-founder Sharif Odinaev explained how 2FA works and assessed its ability to protect confidential data from being stolen by hackers.
Two-factor authentication (2FA) is a security measure that requires users to verify their digital identity in two separate ways. A correct username and password on their own are not enough: the system grants access to the account only when the second check is also passed.
Beyond the username and password, the multi-factor login process asks for something extra, such as a code from Google Authenticator, a magic link, or a one-time password (OTP).
An example of such authentication is logging into the system using Instagram (*Meta is recognized as an extremist organization, banned in Russia). The first step is to enter personal information such as a password and username. After that, a security code is requested, which is sent to the person by e-mail or SMS.
Some websites also use authenticator apps to generate unique codes. In fact, this method is one of the highest levels of security you can get.
Three main factors explain how two-factor authentication works.
- Knowledge factor. Something you know. It cannot be physically lost or found, but it can be copied, for example a password or PIN.
- Possession factor. Something you physically have. It cannot be easily copied, but it can be stolen, for example a bank card or a physical key.
- Biometric factor. Something you are, such as a fingerprint or Face ID.
To qualify as two-factor authentication, the two access methods used must come from two different types of factors. Using a username and password is therefore not suitable for 2FA because both factors are knowledge factors. Even an additional security question is not considered two-factor authentication, as it is also tied to the knowledge factor.
Here are some common examples of 2FA:
Withdraw money from an ATM:
- you know your PIN;
- you have a credit card.
Accessing online accounts using one-time SMS (OTP) verification codes:
- you know your username and password;
- you have a phone.
- you have a passport;
- your identity has been verified by facial recognition, fingerprints or retinal scans.
These examples show why two-factor authentication is essential to improving your personal security. With 2FA, a hacker can install a keylogger (software or a hardware device that records user actions such as keystrokes, mouse movements and clicks) to copy your password, but cannot get into your account without the phone to which the one-time confirmation code is sent.
The requirements for two-factor authentication are the same regardless of context, which is what makes it so effective. The three factors of 2FA, something you know, something you have and something you are, do not change, and it is extremely unlikely that an attacker has access to three of them at once.
Passwords on their own are obviously not as secure as they used to be. Hackers have many ways to crack them, using tactics such as password spraying (trying common passwords against many accounts on the same domain), keylogging, and brute-force attacks (cracking a password by trying every possible combination).
If you don’t want to enable 2FA for every account you use, you can use a random password generator to make it harder for hackers. And storing all the data in one of the password managers makes it much easier to keep track of them.
Hackers keep learning and may eventually break 2FA as well. Message-mirroring apps that can read your texts already exist, and there are now voice bots that steal two-factor authentication codes. However, according to recent statistics from Microsoft, 99.9% of hacked accounts did not use 2FA as a protective measure, and only 11% of organizational accounts use it. This suggests that the current target audience for cybercriminals is “light users” relying on traditional authentication.
Of course, no login method is completely secure, but two-factor authentication is undeniably more secure than the current alternatives. To bypass 2FA, an attacker has to defeat two verification steps, not just one, which buys you time and helps you detect a break-in at an early stage.
So how do you prevent a 2FA hack? Follow these steps to protect your personal information:
- Look for emails stating that the account was used from a new or unknown device and verify if it is you. Also, don’t ignore other obvious red flags, such as emails notifying you of failed login attempts or password reset requests that don’t come from you.
- If you have a VKontakte account, check in the “Settings” -> “Security” -> “View activity history” section whether all the listed logins were made by you. Keep in mind that a “disabled” account can be restored if you use the “log in with your account” option somewhere.
- If you can choose between authentication procedures, research known vulnerabilities and apply the lessons learned. For example, a weak token-generation algorithm lets an attacker predict the next token after seeing previous ones, and short tokens with no expiry leave you vulnerable to attacks.
- Teach yourself and those around you to recognize phishing attempts.
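The two weaknesses named above, predictable tokens and tokens that never expire, are avoided on the server side by generating codes from the operating system's cryptographic random source, giving each code a lifetime, allowing it to be used once, and capping the number of guesses (a six-digit code has only a million possibilities, so an unlimited guess count is itself a vulnerability). The class below is an added example, not code from the article or from VKontakte or any other service; the 5-minute lifetime, the 5-attempt limit and the string result codes are this example's own assumptions. It models the SMS/e-mail one-time code flow from the earlier list, with the current time passed in so the behaviour is reproducible.

```python
import hashlib
import hmac
import secrets

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # assumption: a code lives for five minutes
MAX_ATTEMPTS = 5         # assumption: five wrong guesses invalidate the challenge


class OtpChallengeStore:
    """Server-side record of outstanding one-time codes, keyed by user id.
    (Constructed example; a real service would keep this in a shared store.)"""

    def __init__(self) -> None:
        self._challenges: dict[str, dict] = {}

    def issue(self, user_id: str, now: float) -> str:
        """Create a fresh code for the user and return it for out-of-band delivery."""
        # secrets.randbelow draws from the OS CSPRNG, so observing earlier
        # codes gives no information about the next one.
        code = str(secrets.randbelow(10 ** CODE_DIGITS)).zfill(CODE_DIGITS)
        self._challenges[user_id] = {
            # Keep only a hash: a leaked store then does not leak live codes.
            "digest": hashlib.sha256(code.encode()).digest(),
            "expires_at": now + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code  # sent by SMS or e-mail; never written to logs

    def verify(self, user_id: str, submitted: str, now: float) -> str:
        """Check a submitted code. Returns one of:
        'ok', 'wrong', 'expired', 'locked', 'no_challenge'."""
        challenge = self._challenges.get(user_id)
        if challenge is None:
            return "no_challenge"           # nothing issued, or already consumed
        if now > challenge["expires_at"]:
            del self._challenges[user_id]
            return "expired"                # the "no expiry" weakness, closed
        challenge["attempts"] += 1
        if challenge["attempts"] > MAX_ATTEMPTS:
            del self._challenges[user_id]
            return "locked"                 # stops exhaustive guessing of 6 digits
        digest = hashlib.sha256(submitted.encode()).digest()
        if hmac.compare_digest(digest, challenge["digest"]):
            del self._challenges[user_id]   # single use: a replayed code fails
            return "ok"
        return "wrong"


if __name__ == "__main__":
    store = OtpChallengeStore()
    code = store.issue("alice", now=1000.0)
    print(store.verify("alice", code, now=1010.0))   # ok
    print(store.verify("alice", code, now=1011.0))   # no_challenge (already used)
```

Together with the "verify it was you" advice above, a store like this also gives the service something to alert on: a user whose challenge reaches the `locked` state, or who receives several codes in a row without ever verifying one, is a signal worth surfacing in the activity history.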
And, of course, don’t forget that the information security industry advances every day. As new and more complex authentication schemes become available, it is hoped that a perfect system without vulnerabilities will soon be built.