Imagine waking up on a warm summer's day, booting your PC and finding that you can't access your online accounts. Your email has been hacked, your website, your most important work, is gone, and your credit card has been used for shady transactions.
There was a case just like this some 6 years ago.
It was caused by an ex-employee who had recently been fired. It was his way of getting revenge.
Fortunately, he didn't cause any unfixable damage. Ever since, I've been trying to adopt every measure within reach to avoid similar attacks in the future. I'll share more of what I've learned from this experience in a separate article I'm writing.
This week's cyber security guide is about something that, had it been available back then, would probably have prevented all of this: Two-Factor Authentication.
So, what exactly is Two-Factor Authentication?
Two-factor authentication, often grouped under multi-factor authentication or called two-step verification, is an authentication mechanism that confirms your identity with a second, independent proof on top of your password.
How does Two-Factor Authentication work?
When you sign in to your account, you are prompted to authenticate with a username and a password – that's the first verification layer.
Two-factor authentication adds an extra step to the process, a second security layer that reconfirms your identity.
Its purpose is to make attackers' lives harder and reduce the risk of fraud. If you already follow basic password security measures, two-factor authentication makes it much more difficult for cyber criminals to break into your account, because a stolen or guessed password alone is no longer enough.
However, you shouldn't expect it to work like a magic wand that miraculously bulletproofs your accounts. It can't keep the bad guys away forever, but it does reduce their chance of success.
What are the authentication factors?
There are 3 main categories of authentication factors:
1. Something that you know – a password, a PIN code or the answer to a secret question.
2. Something that you have – something physical in your possession, such as a token, a mobile phone, a SIM card, a USB security key, a key fob or an ID card.
3. Something that you are – a biometric factor, such as face or voice recognition, a fingerprint, DNA, handwriting or a retina scan. Some of these are expensive to deploy, so unless you work in a top secret / Mission Impossible kind of facility you are unlikely to meet them, although fingerprint and face unlock on phones are now everyday examples.
Context such as time and location can also be used as an additional signal. For example, if you log into your account and someone tries to log in from a different country 10 minutes later, the system can work out that nobody could have travelled that far in that time and block the second attempt (this is known as an impossible travel check).
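The location check described above, as an added example (this is illustration code written for this article, not the logic of any particular service). It takes a list of login events for one account, each already resolved to coordinates by a geolocation lookup, and flags any login that would have required the user to travel faster than an assumed 1,000 km/h since the previous one. The events and the threshold are constructed for the example.

```python
import math
from datetime import datetime

# Constructed sample login events for one account (not real data). The city and
# coordinates would normally come from a geolocation lookup on the client IP address.
LOGIN_EVENTS = [
    {"time": "2016-05-10T09:00:00", "city": "Copenhagen", "lat": 55.676, "lon": 12.568},
    {"time": "2016-05-10T09:40:00", "city": "Malmö",      "lat": 55.605, "lon": 13.003},
    {"time": "2016-05-10T09:50:00", "city": "Lagos",      "lat": 6.524,  "lon": 3.379},
]

# Assumed threshold: nothing a user sits in moves much faster than an airliner.
MAX_PLAUSIBLE_KMH = 1000.0
EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points given in decimal degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def required_speed_kmh(prev, cur):
    """Speed the user would have needed to get from `prev` to `cur` between the two logins."""
    distance = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
    delta = datetime.fromisoformat(cur["time"]) - datetime.fromisoformat(prev["time"])
    hours = delta.total_seconds() / 3600
    if hours <= 0:
        # Same instant (or out-of-order events): any distance at all is impossible.
        return math.inf if distance > 0 else 0.0
    return distance / hours


def flag_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (event, implied speed in km/h) for every login that could not have
    followed the previous one physically. Events are sorted by time and each one is
    compared against the login immediately before it."""
    ordered = sorted(events, key=lambda e: e["time"])
    flagged = []
    for prev, cur in zip(ordered, ordered[1:]):
        speed = required_speed_kmh(prev, cur)
        if speed > max_kmh:
            flagged.append((cur, round(speed)))
    return flagged


if __name__ == "__main__":
    for event, speed in flag_impossible_travel(LOGIN_EVENTS):
        print(f"block or step up: login from {event['city']} at {event['time']} "
              f"implies {speed} km/h since the previous login")
```

The Copenhagen to Malmö hop (about 28 km in 40 minutes) passes; the Lagos login ten minutes later implies tens of thousands of km/h and is flagged. A real system would treat a flag as a reason to demand the second factor or block, not as proof of fraud, since VPN exits and mobile carriers can place a legitimate user far from where they are.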
Why should I activate Two-Factor Authentication?
Passwords on their own aren't as infallible as we need them to be. Given a stolen database of password hashes, attackers can test billions of password guesses per second offline, so any password that is short or predictable will fall.
What's even worse, 65% of people use the same password everywhere. That's pretty much like having only one key for your house and your car.
Answers to security questions are also easy to find out, especially now that we willingly share the details of our lives on social networks and blogs. Anyone who interacts with us on a daily basis can find out the answers to common security questions, such as your graduation year, the city you grew up in or your first pet's name.
Even if you don't give these out on your Facebook profile, some can be found through public records, available to anyone who cares to look. Others can be guessed simply by trying common names.
This is where two-factor authentication comes in handy. It offers you an extra layer of protection besides passwords. The second factor is hard for cyber criminals to get hold of: they would need physical access to your device, or to intercept the code while it is still valid. This drastically reduces their chances of success.
A few examples of Two-Factor Authentication methods that most likely you are already using:
- The token issued by your bank, which generates a specific code at a specific time – you use it together with your username and password for Internet banking.
- A one-time password that you receive as a text message on your mobile phone and use when you want to log into your Google, Facebook or Twitter account.
- Similar to the one before: a random-looking code generated by an app like Google Authenticator or Facebook Code Generator – you use it to log in to your email or social media account.
Two-factor authentication is a must-have for:
- online banking
- online shopping (Amazon, PayPal – though it’s only available for a few countries)
- email (Gmail, Yahoo, Outlook)
- cloud storage accounts (Dropbox, Box, Sync)
- accounts on social networks (Facebook, Twitter, Linkedin, Tumblr)
- productivity apps (Evernote, Trello)
- password managers (LastPass)
- communication apps (Slack, Skype, MailChimp)
How to get it working
Two-factor authentication using your mobile phone:
Because nowadays almost everybody has a mobile phone and carries it everywhere they go, it has become one of the most popular methods for two-factor authentication.
To verify your identity, you can use a one-time code that you receive on your mobile device through SMS, or you can generate it with a dedicated mobile app.
SMS delivery has some big advantages, as well as disadvantages. On one hand, it's easy to configure and you don't need a smartphone to receive the codes. However, if you travel a lot, delivery of the text message may be delayed, and it won't work at all if you are out of the network's range.
This solution also depends on the security of your phone number rather than of your phone. An attacker may be able to clone your SIM card, persuade your carrier to port your number to a SIM they control (SIM swapping) or otherwise redirect your messages, and then receive your codes without ever touching your device.
For any account that supports it, you can skip receiving codes via SMS and instead use a mobile app to generate the codes; one app can hold the secrets for all your accounts.
Here are a few examples of mobile apps that you can use for two-factor authentication:
- Google Authenticator (available for Android, iOS, Blackberry)
- Authy (for Android, iOS, but also available as desktop app and browser extension)
- Microsoft Authenticator (Windows Phone 7 at the time; now also available for Android and iOS)
These apps use the Time-based One-Time Password (TOTP) algorithm, standardised in RFC 6238. When you enable 2FA, the service shares a secret key with the app (usually by scanning a QR code). The app then computes an HMAC of the current time, counted in 30-second steps, with that secret and shows you the result as a unique, time-sensitive six-digit code that you can use to sign in. A code will typically work only for 30 seconds – after that, the app generates a new one. The server holds the same secret and performs the same calculation, so it can check your code without the app and the server ever talking to each other.
After the initial set up, you can use the app without a network connection; all it needs is the secret and a reasonably accurate clock, which is why a phone whose clock has drifted produces codes the server rejects.
Some of the accounts where we strongly encourage you to activate 2FA and how to do that:
1. Google / Gmail
This is probably one of the most important accounts that you have, and is usually linked to many others – from social networks to online shops, work documents, personal information, financial accounts, taxes and so on. It should be the first account where you activate two-step verification and make sure that you take advantage of all their security enhancing options.
After you set up two-factor authentication, you will receive six-digit codes via text message on your registered mobile phone number. Google will prompt you for the code every time you log in from a new device. You can choose to trust each new device for 30 days, during which you won't have to reconfirm your identity on it.
Make sure that you also set up backup phones and emails, in case that your primary ones are ever unavailable.
You can also generate backup codes – these are 8-digit codes that you can save and use if you travel a lot, have problems with your mobile network or simply cannot use the Google Authenticator mobile app. Each code can only be used once, so store them somewhere safe and offline.
Alternatively, you can get codes from the Google Authenticator mobile app. It works on Android, iPhone or BlackBerry, even when your device has no data or phone connectivity.
2. Facebook / Twitter / LinkedIn
Major social networks also have two-factor authentication available.
Facebook introduced Login Approvals in 2011. This security feature requires you to enter a six-digit code every time you log in to your Facebook account from a new device. You receive the security code via text message on your mobile phone.
Alternatively, you can activate the “Code Generator”, a feature built into the Facebook app that lets you generate security codes on your phone without waiting for a text.
Twitter introduced login verification a few years ago. After you enter your password, it sends you an SMS message with a code that you need to access your account.
If you ever lose access to your mobile phone, they also provide a backup code that you can use once to verify your identity.
LinkedIn also added two-step verification, which you can (and should) enable. Your mobile phone number will be used to send you verification codes via text each time you sign in to LinkedIn from a new device.
If you are using cloud services, you should also enable two factor authentication for them. Most likely, you store sensitive data in the cloud, right?
After you enable two-factor authentication for Dropbox, it will require a six-digit security code or a security key every time you sign in or link a new device.
Dropbox will also give you ten 8-digit backup codes, which you need to store somewhere safe – you can use these in an emergency, if you no longer have access to your phone.
You should also add a backup phone number.
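Both the Google and the Dropbox passages above describe the same mechanism: a batch of ten 8-digit backup codes, each valid exactly once. The following added example (illustration code for this article, not Google's or Dropbox's implementation) shows the server side of that: generating the codes from a cryptographic random source, storing only salted slow hashes of them, and deleting a hash the moment its code is redeemed. The PBKDF2 work factor and the class layout are assumptions.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 50_000  # assumed work factor; tune to the server's CPU budget


def generate_backup_codes(count: int = 10, digits: int = 8) -> list:
    """Ten 8-digit codes by default, the shape Google and Dropbox hand out.
    secrets.randbelow draws from the OS CSPRNG; random.randint would be predictable."""
    return [f"{secrets.randbelow(10 ** digits):0{digits}d}" for _ in range(count)]


def normalise(code: str) -> str:
    # Users paste codes with spaces or dashes; compare on the digits only.
    return "".join(ch for ch in code if ch.isdigit())


def hash_code(code: str, salt: bytes) -> bytes:
    # An 8-digit code has under 27 bits of entropy, so a plain SHA-256 of it could be
    # brute-forced from a leaked database in seconds; use a salted, slow hash instead.
    return hashlib.pbkdf2_hmac("sha256", normalise(code).encode(), salt, PBKDF2_ROUNDS)


class BackupCodeStore:
    """Server-side record for one account: salted hashes of the codes not yet used.
    The plaintext codes are shown to the user once at generation time and never stored."""

    def __init__(self, codes):
        self.salt = secrets.token_bytes(16)
        self._unused = [hash_code(c, self.salt) for c in codes]

    def remaining(self) -> int:
        return len(self._unused)

    def redeem(self, submitted: str) -> bool:
        """Accept a code exactly once: its hash is deleted the moment it matches."""
        digest = hash_code(submitted, self.salt)
        for i, stored in enumerate(self._unused):
            if hmac.compare_digest(stored, digest):
                del self._unused[i]
                return True
        return False


if __name__ == "__main__":
    codes = generate_backup_codes()
    print("show these to the user once, then forget them:", " ".join(codes))
    store = BackupCodeStore(codes)
    print("first use:", store.redeem(codes[0]))    # True
    print("replay:", store.redeem(codes[0]))       # False, already consumed
    print("remaining:", store.remaining())          # 9
```

Because the codes are low-entropy by design (they have to be typed by hand), a service also needs rate limiting on the redeem endpoint; the hashing protects the stored copies, not the online guessing path.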
Useful tool: You can find a compiled list of all the services that offer two-factor authentication on TwoFactorAuth.org .
Can it be cracked?
Like all other security measures, multi-factor verification methods are also vulnerable to attacks.
Their effectiveness depends on many things, such as the chosen authentication method and the security of the channel used to deliver or submit the second factor.
A few scenarios or techniques that would allow an attacker to break or bypass the second authentication step:
1. They could gain access to the factor itself. They could steal your phone, your card or your token, and text messages sent to your mobile phone can be intercepted or redirected.
2. Through a Man-in-the-Middle (or man-in-the-browser) attack. They could use a Trojan horse to manipulate the communication between you and your web browser, wait for you to enter a valid code and then use the authenticated session themselves. This is how World of Warcraft players were targeted in 2014. INFOsec has a detailed article on this technique and what to do to prevent it.
3. With real-time phishing – a fake login page asks for your password and your one-time code, and the attacker relays both to the real site immediately, while the code is still valid. LastPass users were recently targeted by a severe phishing campaign that not even two-factor authentication could have prevented. Any code you type can be relayed this way; only a factor that is tied to the genuine site, such as a hardware security key, resists it. You can find out more about how to detect and prevent phishing in our dedicated article.
Basic password security
Remember that two-factor authentication complements strong passwords; it doesn't replace them.
1. Use strong passwords.
They should be at least 12 characters long and contain upper and lower case letters, numbers and symbols; of these, length does the most to slow down guessing.
By weak passwords we mean:
- anything that contains the word “password”, “admin” or “qwerty”, your name or variations of it
- combinations of easy-to-guess numbers (“1234”, “1234567890”, “2016”, “0000”, “11111”)
- your spouse’s name, your children’s or pet’s name or birth dates
- the default password that your service provider gave to you
- anything from this list of the most popular – and worst – 2015 passwords
2. Use unique passwords.
They should be different for every account of yours. Never recycle them.
This way, if an intruder gains access to one of your accounts, they won't be able to break into all of them. It's the same principle as not using the same key for your house and your car – lose one and a criminal can get into both.
3. Change your passwords when there is reason to.
Change a password as soon as you suspect it has been exposed (a breach notice, a suspicious login); forced changes on a fixed schedule mostly produce predictable variations of the old one. And never write them down – not in a document saved in the cloud or on your desktop, not in a mail draft, not on a handwritten note that you keep on the desk.
You can use a password manager – a service that stores all your saved passwords encrypted. This way, you only have to remember one password, the one for your password manager account.
If you follow these steps, together with some basic computer security, you can drastically reduce the chances of an attack.
Although it first appeared 28 years ago, two-factor authentication started to be implemented only recently and it’s not universally available (yet).
One of its main challenges is that it's still quite expensive for companies to implement. They have to cover all the possible scenarios – different devices, different usage habits, different locations. It's hard to estimate the transaction volume, and the cost of sending codes by text message depends on the destination country.
Companies also use the excuse that users consider multi-factor authentication an inconvenience.
Except for those who are security savvy or have experienced an unpleasant episode related to their cyber security, people aren't eager to jump on the two-factor authentication wagon. They don't understand its importance and consider the additional steps needed to turn on two-factor authentication too much hassle.
As data breach cases become increasingly common, it will also be critical for companies to implement extra security layers, and for users to start embracing them. Even more, two-factor authentication should be mandatory and activated by default, right from the moment when a user wants to register.
Remember that joke about two friends that went camping and heard the bear growling?
One of them starts to put on his tennis shoes, when his other friend asks:
“What are you doing? You can’t outrun the bear!”.
The other one replies:
“I don’t have to outrun the bear, I just have to outrun you!”.
Well, it’s the same with the two-factor authentication.
Having a password and an extra authentication factor does not make your account 100% secure. It's not a magic wand that makes your account unhackable. It only makes it more difficult to breach.
Hopefully, an attacker will move on to another target, one that is less protected, rather than spend a lot of time and energy trying to get past your second authentication factor.
But, as two-factor authentication methods become more popular, new ways for attackers to crack them will also pop up. That's just how the security game is played.