A great way to supplement a strong password is to use another form of authentication while signing into your accounts. You may often hear this called two-factor authentication (2FA) or multi-factor authentication (MFA). We will discuss in more detail what multi-factor authentication is and how it can help secure your accounts and devices. Furthermore, we will look at the different types of tokens you may come across. Lastly, we will cover recent developments and some ways to get started securing your accounts with multi-factor authentication.
What Is It?
Multi-factor authentication is a way to secure an account or a device by locking it behind several hurdles that the user must successfully pass to gain full access. The factors are usually broken up into three categories. Something you know, which would be your password or PIN (hopefully random and held in a *wink* password manager *wink*). Something you have, which could be a hardware token or a phone. Lastly, something you are, which could be a fingerprint, facial recognition, or a voice print.
Two-step or two-factor authentication is an offshoot of multi-factor authentication. You can probably guess that only two of the three factors we discussed will be used to authenticate the person. For example, when checking out at the grocery store you use a mix of something you know and something you have. The something you have is your bank card, while the something you know is the PIN. In the online world, you are likely to see a mix of something you know, being your account name and password, and something you have, being a randomly generated one-time password sent to your phone.
Example: Let’s say Jerry was part of the LinkedIn breach a few years back and is now part of a combo list of leaked emails and passwords. Since Jerry didn’t read my last post in time, he uses the same password for all his accounts. Yikes, Jerry! If someone wanted to gain access to his email account, it would be simple for a tech-savvy person. However, Jerry was smart enough to allow his email provider to text him a short password every time he tries to log into his account. Nice, Jerry! Now Jerry has placed a major hurdle in the way of the attacker, and they will likely not be able to gain access to his account.
Disconnected tokens are usually a fob that displays a six-digit code that must be entered to gain access to the account or device. This method requires setup with an authentication server, so you are unlikely to be using this type of token for your personal online accounts.
Hardware tokens are usually a USB device that physically plugs into the computer and transmits the authentication data to the server or application. You may also see a hardware token as an RFID or NFC card. Companies like Yubico make a fairly advanced hardware token, the YubiKey, that supports both an NFC method and a USB method of authentication. More and more security-conscious companies are allowing the use of hardware tokens as an authentication method.
SMS tokens are texted to a personal device after the user signs in with a username and password. This is the most widely available method of authentication for online accounts. However, it comes with some drawbacks, like being forced to always have a data connection on a mobile device and being susceptible to attacks.
The two most secure tokens are the hardware and disconnected tokens, because they are totally offline and held on the person. Software tokens come in at a close second, provided a secure application is being used. Lastly, SMS tokens: these are widely available but flawed.
For example, let’s say Jerry has a motivated attacker trying to break into his accounts. The attacker has just hit the major hurdle of an SMS authentication prompt. A motivated attacker can find Jerry’s phone provider and use a SIM swapping attack, where the telephone provider gives the attacker a SIM card that gives access to Jerry’s telephone number. The attacker can then put the SIM into a new phone and receive the SMS token, clearing the hurdle from before. By the time Jerry gets his phone number back, it will be too late.
It’s important to note that if you are only given the option to use SMS for two-factor authentication, you can either use it or pair the account with a VOIP number, like the one Google Voice provides, and have future SMS tokens sent to that number. However, you only want to use the latter option in advanced cases, as there are some risks to this. You can email me at Tristians_Forensics@fastmail.com if you have any questions on whether you should use the VOIP method to close the SMS security hole.
Future Developments And How To Get Started
Some cool developments have been made recently in multi-factor authentication, like using location at the time of login. This can help companies and users assess risk. If you saw that someone was trying to sign into your email from another country, you would be suspicious and would likely take steps to change your password. Also, some developments have been made using a device’s microphone. By comparing the ambient noise picked up by, say, a computer and a phone, a provider could tell whether the token is in the same room as the device.
I bet you are all excited to go sign into your accounts and enable multi-factor authentication. For some, however, this may seem like a chore. So, start today by ensuring it is enabled on your email and device accounts like Microsoft, Apple, Google, etc. Next, as you sign into your various accounts, make sure multi-factor authentication is enabled, until all your accounts are secured.
To add extra security to your accounts and devices, it is a good idea to adopt a form of multi-factor authentication. There are many types of tokens that may be used to authenticate a user. However, it’s important to know that some methods have security risks and kinks. Start by using a software token service like “Google Authenticator” or “Authy”, while staying away from SMS tokens as much as possible. With a combination of strong random passwords and multi-factor authentication you will deter most attackers.
Thank you for reading!
Let me know if you have any questions, comments, ideas, or corrections.
You can reach me at Tristians_Forensics@fastmail.com
If you enjoyed this post maybe check out some of my other content on the website 🙂