Analysis Tech

What is two-factor authentication?

Everyone should be familiar with the term ‘two-factor authentication’ by now. Most major websites either require users to set it up or offer it as an optional extra layer of protection for an account.

To make sure that we’re all on the same page: two-factor is a means of authentication in which a user needs a username (the account), a first factor (usually the password, something you know), and a second factor (usually a rotating 6-digit code proving you hold something, such as a token or a phone) in order to be granted access. This second factor can be delivered in a few different ways. Generally, this is done by means of a hardware token (like the RSA token in the photo below), an app on a phone, or a code received by text message.

(Photo: laptop and RSA token)

How does two-factor work? Math. When you enrol, your account is linked to a one-time password algorithm and a secret key. With a hardware token or phone app, a copy of that secret is stored on the device; with text-message codes, nothing secret is stored on your phone at all, and the remote system simply generates a code and sends it when asked. Without getting too technical, most token and app systems (TOTP, as standardised in RFC 6238) feed the current time, divided into 30-second steps, into the algorithm along with the secret, which is why the codes rotate and expire: the server does the same calculation and accepts the code only if it matches the current step (or a neighbouring one, to allow for clock drift).

Businesses use this a bit differently. Fun fact: certain audit standards require that in-scope businesses implement multi-factor authentication for sensitive functions, such as high-level administration. This, in theory, means that a criminal who obtains corporate credentials still cannot simply log in and have their way with the business.

But, like everything technical, there are problems.

(Photo: RSA token, offline)

I don’t want to focus on the problems of the technology, because two factor is absolutely an important security feature. That said, I think we understand what it is for now. So, where are we seeing problems with the concept?

One fun fact that I learned at DefCon this year is that Duo, a popular two-factor authentication solution, has a rather concerning “feature”. Now, before I throw Duo under the bus, I want to emphasize that this issue occurs with the default settings. If the application administrator has changed this particular setting, it is no longer an issue. Changing that default, however, prioritizes security over convenience, which is not something that is very common in the workplace.

So, the issue: with default settings, Duo “fails open” under certain circumstances. Failing open, in this case, means that it will bypass the need for the second factor and let you in with just the first. The certain circumstance? When the protected system can’t reach Duo’s cloud service. So, cut off its connectivity to Duo’s servers and you’ve bypassed the second factor entirely. For an attacker who can already interfere with that network path, this is a huge help; for everyone else, two-factor still makes the job harder. The practical check is to find the fail-mode setting in each Duo integration you run and decide deliberately whether a Duo outage should lock users out (fail closed) or let them in on the password alone (fail open).
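As an added example that is not part of the original post, here is what that setting looks like in Duo’s Unix integration, where it lives in pam_duo.conf (or login_duo.conf) under the name failmode. The integration key, secret key and API hostname below are placeholders, not real values; a real file contains a single [duo] section, so the two variants are shown one after the other only for comparison. Duo’s other integrations expose the same choice under their own names.

```ini
; pam_duo.conf: the default behaviour (fail open).
; If the host cannot reach Duo's API, the PAM module lets the login proceed
; with only the first factor, so blocking that connection disables the second.
[duo]
ikey = <integration key>
skey = <secret key>
host = <api-hostname>.duosecurity.com
failmode = safe

; pam_duo.conf: hardened (fail closed).
; If Duo's API is unreachable, the login is denied. Users are locked out for
; the duration of the outage, which is the trade-off being made deliberately here.
[duo]
ikey = <integration key>
skey = <secret key>
host = <api-hostname>.duosecurity.com
failmode = secure
```

Whichever value you pick, keep an out-of-band way in (a console or break-glass account that does not depend on Duo) so that failmode = secure does not turn a Duo outage into an outage of your own.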

Another interesting example came when the Social Security Administration recently ran a trial of two-factor codes delivered via text message. Around the same time, stories began to surface of people mysteriously losing their cell phone numbers; that is, having the numbers ported to another carrier or account without authorizing it. As it turns out, the bad guys were porting phone numbers in order to receive the two-factor code, which would then be texted straight to the criminal. Nasty stuff. The good news here is that this is a very uncommon attack and takes the attacker significantly more time and effort per victim than stealing a password does. It is also why NIST’s digital identity guidelines (SP 800-63B) treat SMS codes as a “restricted” authenticator: better than nothing, but weaker than an app or hardware token, because the code is tied to the phone number rather than to the phone.

In Summary

Regardless of these concerns, it is important to remember that ANY action that can be taken to make the bad guy’s job more difficult is preferable to leaving it easy. If there’s an extra step to access your accounts compared to someone else – you’re much less likely to be a victim.

The moral of the story: please use two-factor authentication when possible!


Pictures courtesy of Pixabay, Wikimedia Commons, and StoryBlocks.

Mic-Mac
Member

Thank you Alex. I started using two factor authentication about a year ago. It is an inconvenience sometimes but worth it for that extra peace of mind.

georgehand
Member

Sweet write-up, Alex! I use dual-factor with two of the online resources available to me in the human traffic hunt. Fun fact: RSA stands for Rivest Shamir Adleman, the mathematicians and cryptography geniuses who invented the Public Key Exchange (PKE) system used in the original PGP (Pretty Good Privacy) encryption program. These days it is the basis of encryption in the cryptocurrency blockchain build.

Thanks for posting, Alex; you’re obviously a force in technology.
geo sends

Mic-Mac
Member

Do either of you cyber security knowledgeable tech gurus feel it is better to use an app or hard-token-type 2FA? Which? I use text messages, and I am aware that cell phone numbers can and do get hacked.

Susan B
Member

Glad you are up on this stuff. I have to run hard and grab on to someone’s coat tails to drag myself along. 🙂 I still can’t figure out how to make this stupid star light up when I want to like something. Sheesh!!

Susan B
Member

Like the extra info, Geo. Especially the PGP. Who the heck was Rivest Shamir Adleman? lol

georgehand
Member

Alex, I was following the links in your article and thought you might like the latest article I wrote for NewsRep on smartphone security just two weeks prior: https://thenewsrep.com/111096/the-smartphone-privacy-conspiracy-whos-spying-on-you-and-why-part-i/

geo sends

Susan B
Member

🙁 Won’t let me see it.
