An advert is currently running in which a man gets his password hacked because, the ad implies, he wasn’t using a VPN (virtual private network).
The man’s password? ‘John123’.
When you’re that hopeless at creating login credentials, there’s not much a VPN can do to help. Sooner rather than later, someone will guess your password and stumble into a wealth of sensitive information.
Sadly, it’s not as though John is a made-for-TV exaggeration. There are tens of millions of people who use even worse passwords, such as ‘Password’ or ‘123456’. Even comparatively strong phrases, such as ‘ITGovernance#1’, wouldn’t take too long for a password-cracking machine to guess.
Are we all so useless? Are we doomed never to use strong phrases, despite copious guidance on password creation?
And let’s say we do all get the hang of using passwords such as ‘T50-y-o-mct15:50t’: will it make any difference, given that crooks are increasingly adept at phishing scams, malware injection and hash cracking, in which they can access passwords without having to guess them?
Perhaps it’s time we put our faith in something more robust than a password. Perhaps it’s time we finally push for the widespread adoption of two-factor authentication.
What is two-factor authentication?
Two-factor authentication, also referred to as ‘TFA’ or ‘2FA’, is a method of verifying someone’s identity using two of the following three factor classes:
- A knowledge factor (something you know);
- A possession factor (something you have); and
- An inherent factor (something you are).
This may sound complicated, but anyone with a bank card has been using two-factor authentication for years. When you pay for goods or take money out at the ATM, you must provide something you have (your card) and then enter something you know (your PIN).
Authentication factor examples
Knowledge factors are usually the base form of authentication. You type in a password, a PIN or an answer to a secret question in order to access the second factor.
Possession factors (or ‘security tokens’) are essentially keys that are inserted into a ‘lock’ (your account). The key can be physical, such as a smart card; digital, such as an OTP (one-time password); or a combination of the two, as is the case with hardware tokens.
Physical factors require users to simply present the item to the lock.
With digital factors (or ‘software tokens’), the user’s login credentials are linked to another account, usually their phone number or email address. When attempting to log in, the user is sent an OTP that they must duplicate on the login screen.
Hardware tokens work in a similar way, but they use a dedicated device for creating OTPs. Users are required to carry a USB-like stick, which can be activated to create an OTP.
Inherent factors are usually associated with biometrics, such as fingerprint scans, and face, voice and iris recognition.
Why you should use two-factor authentication
Two-factor authentication protects you from most cyber attacks, and makes accidental breaches and opportunist hacks almost impossible.
As Mark Stanislav explains in his book Two-Factor Authentication: “Imagine if someone stole your wallet at a bar one night. They might now have your debit card (something you had), but without the PIN (something you know) they are unable to withdraw funds.
“If, one day, someone saw your PIN over your shoulder as you entered it into an ATM, they may know the value but still not have the card they need to present to the machine.”
This is just as true when it comes to cyber crime. A crook may find your password on a piece of paper, access it via a keylogger or break into a database, but they still need to crack the second authentication factor before they can access any confidential information.
Accessing the second authentication factor is certainly possible. The crook could send a phishing email to gain access to the user’s email account, launch an MITM (man-in-the-middle) attack or infect their device with malware. But these are all targeted attacks that require a lot of extra work.
Criminals might be willing to go to that effort for a high-value target, such as a chief executive or a public figure, but it will be too much effort in most cases.
What about multi-factor authentication and two-step verification?
Two-factor authentication is a subset of multi-factor authentication (MFA). The terms are often used interchangeably, with the only difference being that MFA can include more than two factors.
Another term that’s used alongside two-factor authentication is ‘two-step verification’ or ‘2SV’. This process requires users to provide two pieces of information, but not necessarily from separate factor classes. It usually consists of two different things you know, such as two passwords, or a password and the answer to a secret question.
‘Strong authentication’ is another common phrase. This is an umbrella term referring to any mechanism that requires users to provide something in addition to a password.
Security vs convenience
Two-factor authentication has always been a matter of balancing security against convenience. Passwords are commonly used because they are simple and give users instant access to their accounts. There’s no need to carry around a security token and fumble around looking for it whenever you need to log on.
OTPs aren’t much more convenient, as you need to open your phone or email account, wait for the notification and then type it in.
But is that convenience worth the risk? We don’t think so, given that an estimated 2 billion data records were breached in 2018.
At some point, organisations and individuals must value the security of their information over convenience. Besides, is waiting a few seconds for an email containing an OTP any more inconvenient than remembering dozens of complex passwords or logging in to a password manager?
Want more information security advice?
Our book ‘Two-Factor Authentication’ will give you an introduction to the topic of two-factor authentication, providing you with a comprehensive evaluation of popular secondary authentication methods and international examples of standards and regulations that make two-factor authentication a component of security guidance.
IT Governance is your one-stop shop for information security and regulatory compliance. Our range of books, toolkits, training courses, staff awareness solutions and consultancy services can help you with whatever you’re looking for, and our blog helps you stay informed of the latest industry news and advice.