What is Two-Factor Authentication (2FA) Security and Why You Need to Use it?
It's not optional anymore
One of the appalling thoughts in today’s day and age, where data is the new oil, is the concern of getting our account(s) compromised or losing access to them altogether. While several factors contribute to this concern, the most significant of all is the lack of security in place, which can be further broken down into negligence and the inadequate security practices that most users knowingly or unknowingly end up following.
A way out of this situation is to follow appropriate security practices and gain some peace of mind. The most significant of these are a strong (and complex) password and a second verification factor. Putting the current scenario into perspective, there has of late been an increase in the use of password managers, which suggests that the concern over the first factor is getting addressed — albeit slowly. But when it comes to the second factor, referred to as Two-Factor Authentication (2FA) or Two-Step Verification (2SV), a lot of people are still not leveraging one of the most crucial security features available to them, putting their accounts at risk. What’s even more surprising is that, in some cases, people are oblivious to two-factor authentication and its very existence, which is already a bad start.
However, to ensure our accounts are less prone to attacks and have some peace of mind in this regard, using strong passwords and enabling two-factor authentication across all accounts (that offer the functionality) is one of the essential practices for a secure online presence.
Still not convinced?
Here’s a detailed explanation of 2FA, addressing questions like how it can help protect your accounts and why you need to use it. But before we do that, let’s get a few basics out of the way to have a better footing moving forward.
What is Two-Factor Authentication (2FA)?
Two-Factor Authentication or 2FA is a form of multi-factor authentication that adds an extra layer of security to your account — a second factor, in the case of 2FA. Depending on the service implementing it, it is sometimes also referred to as Two-Step Verification (2SV). Even though the two terms are used interchangeably, the working principle behind both is essentially the same.
In simpler terms, when you log in to a service using your username and password, the password acts as your first factor of authentication, and the service only grants access when the entered password matches the one set initially. Even though using a strong, complex password, and a unique one for each account, is good practice for keeping your accounts secure, it still does not ensure absolute security. This is precisely where the second factor comes to the rescue — adding an extra layer of security to your account so that it becomes more difficult for someone to attack.
Essentially, the basic idea behind implementing two-factor authentication is to verify that the identity claimed by the user requesting access to the service is genuine and not a masquerading attempt by a third party.
How does Two-Factor Authentication (2FA) work?
As mentioned in the previous section, two-factor authentication is a security mechanism incorporated by a lot of online services these days to verify a user’s identity before granting them access to their account/profile. For this, it involves the use of a second factor (in addition to the password, the first factor) to complete an identity check. To accomplish this, services implementing multi-factor authentication require at least two of the following factors (or pieces of evidence) to be verified by the end user:
i. Knowledge – something that you know
ii. Possession – something that you have
iii. Inherence – something that you are
Out of these three factors, at least two are required to perform identity verification before a user can log in and start using a service. To give you a better idea of what constitutes these different factors, in most scenarios, the Knowledge factor can be, say, your account password or PIN, whereas the Possession factor can include something like a USB security key or authenticator fob, and the Inherence factor can be your biometrics: fingerprint, retina, etc.
Once you have 2FA set up and running on any of your accounts, you will then be required to enter one of the two remaining verification factors, Possession or Inherence, in addition to the Knowledge factor, to verify your identity on the service at the time of login. Depending on what you want to protect and the service you are using, you get two options for your preferred second authentication mechanism. You can either use Possession — a physical security key or a code-generator app on your smartphone, which provides you with a one-time-use token to verify your identity — or you can rely on Inherence — facial verification and the like, as provided by some services these days — as the second verification factor for your account.
Is Two-Factor Authentication foolproof? Are there any disadvantages to using 2FA?
Now that you have an understanding of what two-factor authentication is, and how it works, let us take a closer look at its implementation and the disadvantages (if any) of using it on your account.
To begin with, while the consensus among most experts around two-factor authentication is by and large positive and encourages people to enable 2FA on their accounts, there are certainly a few shortcomings in the mechanism’s implementation — like any other security practice/protocol — that prevent it from being a foolproof solution. These shortcomings (or rather vulnerabilities) are mostly the result of a bad implementation of 2FA by the services using it, which can be flawed on various levels. To give you an idea of a weak implementation, consider a scenario where you have 2FA enabled on your account using your mobile number. In this setup, the service sends you an OTP/token over SMS that you are required to use to verify your identity. However, since the second factor is sent over the carrier network in this situation, it is subject to various kinds of attacks and is not that secure in itself. As a result, such an implementation cannot be as effective as it should be at protecting your account.
Besides the above scenario, there are several other situations where 2FA could be vulnerable to all sorts of attacks. Some of these arise when a website/app incorporating the mechanism has a flawed implementation of token verification; lacks a rate limit, which can allow someone to brute-force their way into the account; allows the same OTP to be sent (and accepted) over and over; or relies on improper access control for backup codes, among others. All of these can lead to vulnerabilities that allow someone — with the right knowledge and skill set — to find their way around the poorly implemented two-factor authentication and gain access to the targeted account.
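To make the weak points listed above concrete, here is an added example (not code from the original article) of a server-side check for the code-generator style of second factor described earlier, with the controls a poor implementation omits: constant-time token comparison, a narrow clock-drift window, rejection of a token the server has already accepted, and a cap on failed attempts. The secret is the RFC 6238 test key, and the 5-attempt limit and the one-step drift window are assumed values.

```python
import hmac
import hashlib
import struct
import time

# Constructed demo secret: the 20-byte RFC 6238 test key, not a real user's secret.
DEMO_SECRET = b"12345678901234567890"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Server-side check with the controls a weak 2FA implementation tends to omit:
    constant-time comparison, a small clock-drift window, one use per time step
    (a token the server already accepted is never accepted again) and an attempt limit."""

    def __init__(self, secret: bytes, max_attempts: int = 5, window: int = 1, step: int = 30):
        self.secret, self.step, self.window = secret, step, window
        self.max_attempts, self.attempts = max_attempts, 0
        self.last_used_counter = -1  # also keeps negative counters out of the window

    def verify(self, code: str, unix_time: int) -> str:
        if self.attempts >= self.max_attempts:
            return "locked"  # rate limit: guessing a 6-digit code must not be feasible
        counter = unix_time // self.step
        for drift in range(-self.window, self.window + 1):
            c = counter + drift
            if c <= self.last_used_counter:
                continue  # this step (or an older one) has already been consumed
            expected = totp(self.secret, c * self.step, self.step)
            if hmac.compare_digest(expected, code):  # constant-time, no timing leak
                self.attempts = 0
                self.last_used_counter = c
                return "ok"
        self.attempts += 1
        return "bad_code"


if __name__ == "__main__":
    now = int(time.time())
    print("current code for the demo secret:", totp(DEMO_SECRET, now))
```

A real deployment would keep the attempt counter and last-used step per user in persistent storage rather than in memory.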
Similarly, another scenario where 2FA can be problematic is when you use it negligently. For instance, if you have two-factor authentication enabled on an account using a code-generator app and you switch to a new device but forget to move the authenticator app to the new phone, you can be locked out of your account completely and end up in a situation where it is hard to recover access. One more situation where 2FA can sometimes hurt you is when you use SMS to get your 2FA token. In this case, if you are traveling and move to a place with poor connectivity, you do not receive the one-time-use token via SMS, which can render your account temporarily inaccessible. Not to mention the case where you change carriers and still have the old mobile number linked to different accounts for 2FA.
However, with all that said, there is one crucial factor at play here: since most of us are average internet users and do not use our accounts for questionable purposes, it is not very likely that a hacker will single out our accounts as potential targets. One of the obvious reasons is that an average user’s account is not tempting enough and does not offer much gain for someone to spend their time and energy carrying out an attack. So in such a scenario, you end up getting the best of 2FA security rather than running into some of its extreme disadvantages, as stated earlier. In short, the advantages of 2FA outweigh the disadvantages for the majority of users — granted you are using it carefully.
Why you should use Two-Factor Authentication (2FA)?
As we sign up for more and more services online, we are, in some way, increasing the odds of getting our accounts compromised. Unless, of course, there are security checks in place to ensure the security of these accounts and keep threats at bay.
Over the past few years, data breaches at some popular services (with huge user bases) have leaked tons of user credentials (email addresses and passwords) online, which has put the security of millions of users worldwide at risk by enabling a hacker (or any person with the know-how) to use the leaked credentials to access these accounts. While that itself is a big concern, things get worse when these accounts do not have two-factor authentication in place, as that makes the whole process straightforward and unsophisticated for a hacker, allowing for an easy takeover.
However, if you employ two-factor authentication on your account, you end up with an extra layer of security, which is difficult to bypass since it uses the Possession factor (something only you have) — an OTP or app/fob-generated token — to verify your identity. As a matter of fact, accounts that require an extra step to get into are usually not the ones on the radar of attackers (especially in large scale attacks), and are, therefore, comparatively more secure than the ones not employing 2FA. That said, there is no denying the fact that two-factor authentication does require you to perform an extra step to enter the authentication key/token every time you want to log in to a service. But the security and peace of mind you get in return is unarguably worth the hassle.
The scenario we discussed above is just one of the many instances where having two-factor authentication enabled on your account can prove beneficial and keep your account protected. The general idea behind having a second factor is to make it reasonably difficult for a hacker to break into your account and access your data. That said, it is crucial to stress again that, even though 2FA adds to the security, it is not a foolproof solution in itself either, and therefore needs to be implemented correctly by the service, not to mention proper setup at the user’s end, which should be done carefully (taking a backup of all the recovery codes) to make the mechanism work in your favor.
How to implement Two-Factor Authentication (2FA)?
Depending on the account you want to secure with two-factor authentication, you have to follow a set of steps to enable 2FA security on your account. Be it some of the popular social networking websites like Twitter, Facebook, and Instagram; messaging services like WhatsApp; or even your email account; these services do offer the ability to enable 2FA to improve your account security.
In our opinion, although using a strong and unique password for each of your accounts is fundamental, you should not ignore two-factor authentication and should take advantage of it whenever a service provides the functionality — especially for your Gmail account, which is essentially linked to most of your other accounts as a recovery option. As for the best methods to enable two-factor authentication, one of the most secure ways is to use a hardware key that generates codes at fixed intervals. However, for an average user, code-generator apps from the likes of Google, LastPass, and Authy should work perfectly. Moreover, these days you get certain password managers that offer both a vault and a token generator.
While most services require a similar set of steps to enable two-factor authentication, you can check out our guide on how to enable 2FA on your Google account and other social networking websites to find out how to properly set up two-factor authentication on your account. And while you do that, make sure you have a copy of all the backup codes so that you do not get locked out of your account in case you do not receive tokens or lose access to the token generator.