Today we all know how digital devices such as the smartphone have become a pervasive tool in our lives, both at work as well as in our private life. We use dozens of accounts on our devices not only to log in to our social media, but also for online banking, shopping, or managing our domains. In this process, passwords play an important role in securing our accounts. But when it comes to sensitive and personal data, such as payment services, or cloud storage, an extra layer of protection is highly recommended. Many companies from Facebook to PayPal or Google, just to name the most famous ones, offer two-factor authentication services. And InterNetX does just the same. Let's find out more about digital account security while trying to hash out the level of protection offered by two-factor authentication (2FA) methods.
What is two-factor authentication (2FA)?
Two-factor authentication protects you against unauthorized access by requiring more than one independent proof of identity when you log in. Authentication is then no longer based on a username and password alone: the additional security layer draws on one or more of the following factors:
- Knowledge: The most widely used factor. It proves knowledge of a "secret", such as a password, an additional PIN, or the answer to a previously set security question.
- Possession: Something only the user has. Here the security layer is a device, such as a smartphone or a hardware token.
- Inherence: Personal characteristics of the user, usually biometric ones such as a fingerprint or an iris scan.
- Location and time: Increasingly, the physical location of the user and the current time are used as factors as well. A user could, for example, be allowed to authenticate only from the company's local network and only within a specific time window.
The most widely used factors today are the first three, and the possession factor is usually implemented with a one-time password (OTP). With time-based OTPs according to RFC 6238 (TOTP), the app or token and the service share a secret from which each side independently computes a six- or eight-digit code for the current time step, typically 30 seconds. The code is not sent to the user; it is generated on the device, and it is only valid for that short window.
To set up two-factor authentication, the user must register the second factor with the service provider, and this enrolment data should only ever be transmitted over a secure connection such as HTTPS. Once two-factor authentication is active, it is no longer possible to log in with username and password alone; the second factor is always required. If needed, you can later deactivate it and return to a single-factor login.
Why does a password not offer sufficient security?
There is no doubt that strong, unique passwords are a prerequisite for digital security, but nobody can remember a different complex password for every online service. This is why many people either use a password manager or write their passwords down on paper or in a file on their computer. Paper and unencrypted files offer very little protection; a reputable password manager is a far better choice. Even a perfectly managed password, however, does not help against a keylogger, software that reads and records keystrokes: an attacker who has planted one on your machine gets your password regardless of how complex it is.
This risk grows further when you use public networks such as the Wi-Fi in a coffee shop or on public transport, or shared computers in a library or an internet café. Always check that you are using encrypted (HTTPS) websites and, for your own web presence, provide a TLS (SSL) certificate so that communication with your visitors is encrypted.
Why is the username not enough for 2FA?
A username, whether a person's name, an organization's name, or an email address, is not a security element. It is merely a "label" or personal identifier: it is often known, publicly available, or easy to guess. Since it only identifies the account, one or two additional factors are needed to achieve a safer authentication process.
Why is your electronic mailbox not 100% safe?
Like the username, an email address is usually a public identifier of a person. In principle a mailbox can receive a one-time code just as a smartphone receives an SMS, but unlike the phone you physically hold, a mailbox lives on the internet and is exposed to the most common problems of digital security: it can be phished, its password reused, or the account taken over remotely. Possession of an email address is therefore not comparable to possession of hardware, which is why email is largely excluded as a 2FA method.
To secure the email communication itself, you can use S/MIME. With an S/MIME certificate you can sign and encrypt your emails, which protects their integrity and keeps their content private.
These methods can be used as an authentication factor
You have various options to apply an additional authentication factor and create a better security environment around your digital accounts. Let's dive into further details and take a look at the most used means available for 2FA purposes.
1- SMS on a smartphone
The token for the second level of security is often sent to a mobile device via SMS. This is a very convenient and easy-to-use method.
However, it has some disadvantages: notifications are often displayed on the smartphone's lock screen, so the token can be read by anyone who can see the phone. A SIM can also be duplicated or ported to an attacker through social engineering of the carrier (SIM swapping), the mobile network itself can be disrupted, and SMS can be intercepted in transit, for example via the SS7 signalling network. In short, SMS is easy and comfortable for the user, but it is not the safest method out there.
2- App on a smartphone
Today, a wide range of smartphone apps support two-factor authentication, such as Google Authenticator or Yandex.Key. These apps all work on the same principle: they generate a single-use token locally from a secret shared with the service, following the HOTP (RFC 4226) and TOTP (RFC 6238) standards of the Initiative for Open Authentication (OATH).
This method has a clear advantage: it does not depend on a mobile network connection, since the token is computed on the phone. Its main drawback is the loss of the smartphone, or a defect that prevents its use; in the worst case you will have to contact your service provider to remove or reset two-factor authentication before you can access the service again.
Which app should you choose? An open-source app is generally recommended because its source code is public: anyone can review it and track the changes made by the developers, which makes it much harder to slip in a backdoor unnoticed. Public source code is not a guarantee on its own, though; it only helps if someone actually reviews it and the build you install matches the published source.
3- Hardware token
Hardware tokens are used extensively in online banking and finance. These are small devices that compute the tokens internally: the secret never leaves the device, and there is no network connection to attack. The remaining risk is physical: the token can be stolen or used by a third party, so keep it in a safe place away from prying eyes.
4- Biometric functions
In recent years, methods based on unique personal characteristics, such as fingerprint or iris recognition, have become increasingly popular. Many smartphones and computers now have built-in fingerprint scanners that can be used as an extra layer of protection when accessing accounts or apps.
5- Push-based notifications
To verify that a login attempt was made by the owner of the account, some systems send a push notification to a registered device. Usually it states that someone is trying to log in, with an estimated location and time and sometimes an IP address, and you can confirm that it was you or deny the attempt. This is very easy and convenient for the user, since there is no code to receive and type, and it is more resistant to phishing than a code that can be typed into a fake site. The weak point is the user: anyone who taps "Approve" on a prompt they did not trigger, for example after a burst of repeated prompts, lets the attacker in. Push-based 2FA is also not standardized, so it cannot be centralized across services, and it always requires a data connection.
What is the security level of two-factor authentication?
To answer this question you need to look at the method employed, since the level of security offered by 2FA varies accordingly. SMS is the least secure, as it carries the greatest risk of interception: an attacker can use a Trojan installed on the smartphone, or obtain a second SIM card for your number from the telephone provider.
Authenticator apps are not 100% secure either. If an attacker has gained remote access to the device, for example through malware, they can read the second factor from the screen or extract the shared secret and generate the tokens themselves.
The highest security level among OTP methods is offered by hardware tokens, which are often additionally protected by a PIN entered on the device. The secret stays in an offline device that cannot be reached or tampered with over the network. Note that a code shown by a token can still be phished in real time just like an app-generated one; what the token removes is the attack surface of a networked smartphone.
2FA is still vulnerable, yet it offers extra protection
All in all, 2FA remains vulnerable to phishing, man-in-the-browser, and man-in-the-middle attacks, and it does nothing against threats outside the login flow, such as ATM skimming or malware on the endpoint. A case in point: in May 2017, the German provider O2-Telefonica had to admit that attackers had exploited weaknesses in the Signaling System 7 (SS7) protocol used between mobile networks. The criminals first infected victims' computers with banking malware to collect login details, account balances and mobile numbers, then used SS7 to redirect the SMS transaction codes for those numbers to themselves, and drained the Telefonica customers' bank accounts.
So why 2FA? Although it cannot assure 100% digital protection, using 2FA even with a less safe method offers a higher level of security than not using any second factor at all! Too many users still have a passive attitude towards digital security and do not treat their usernames and passwords with the appropriate care and attention. There is no doubt that adding a level of protection lets you protect your accounts better.
Activate 2FA in AutoDNS and protect your domains
In our domain management platform, AutoDNS, you can choose the authentication method you want for the login process. You have the choice between the standard setting, which uses a username and password, and two-factor authentication, which additionally requires a 6-character token generated by a smartphone application. For two-factor authentication, a smartphone and a corresponding authentication application are required.
Pick up your smartphone, download and open your authentication application, then:
- Scan the QR code in the "Manage Authentication Method" form with the app. Alternatively, you can enter the key manually: click the triangle next to Secret to show the key.
- The app displays the token. Enter the token and your login password in the fields at the bottom of the form.
- Click Confirm Two-Factor Authentication. A page containing ten service tokens is shown.
The authentication application generates a new token every minute, which you then enter in the token input field when logging in. Keep the ten service tokens stored in a secure place to protect your account from unauthorized persons. Before switching to a new smartphone, deactivate 2FA in your account and set it up again from the new device.
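The enrolment steps above, seen from the service's side, as an added example that is not AutoDNS code or any code from the original article: generating the shared secret, producing the key that the QR code and the manual "Secret" field carry, and issuing a set of one-time service tokens that are stored only as hashes and consumed on use. It assumes the otpauth:// key URI format understood by Google Authenticator and compatible apps, a 20-byte secret, and that the service tokens behave as single-use backup codes; the account name and issuer are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import quote


def new_totp_secret(num_bytes: int = 20) -> str:
    """Random shared secret (160 bits, the minimum RFC 4226 recommends), base32-encoded
    without padding, which is the form authenticator apps accept when typed in by hand."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii").rstrip("=")


def decode_secret(secret_b32: str) -> bytes:
    """Reverse of the above: restore the padding and decode. The server keeps the raw bytes."""
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)
    return base64.b32decode(padded, casefold=True)


def otpauth_uri(secret_b32: str, account: str, issuer: str, digits: int = 6, period: int = 30) -> str:
    """The otpauth:// key URI that is rendered as the enrolment QR code (assumed format:
    the de facto standard used by Google Authenticator and compatible apps)."""
    label = quote(f"{issuer}:{account}", safe="")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer, safe='')}"
            f"&algorithm=SHA1&digits={digits}&period={period}")


# One-time service (backup) tokens: shown once at enrolment, stored only as hashes.
BACKUP_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"  # no 0/o or 1/l/i, to avoid transcription errors


def new_backup_codes(count: int = 10, length: int = 10) -> list:
    return ["".join(secrets.choice(BACKUP_ALPHABET) for _ in range(length)) for _ in range(count)]


def _hash_code(code: str) -> str:
    # Plain SHA-256 is adequate here because each code carries roughly 50 bits of
    # randomness; a low-entropy user-chosen secret would need a slow, salted hash instead.
    return hashlib.sha256(code.strip().lower().encode("utf-8")).hexdigest()


class BackupCodeStore:
    """What the service keeps for one account: the hashes of the codes not yet used."""

    def __init__(self, codes):
        self._hashes = {_hash_code(c) for c in codes}

    def redeem(self, candidate: str) -> bool:
        """Accept a code exactly once, so a copied or shoulder-surfed code is worthless after use."""
        digest = _hash_code(candidate)
        match = next((h for h in self._hashes if hmac.compare_digest(h, digest)), None)
        if match is None:
            return False
        self._hashes.remove(match)
        return True

    def remaining(self) -> int:
        return len(self._hashes)


if __name__ == "__main__":
    secret = new_totp_secret()
    # Constructed account and issuer for the example; this string becomes the QR code.
    print(otpauth_uri(secret, "alice@example.com", "AutoDNS"))
    codes = new_backup_codes()
    store = BackupCodeStore(codes)
    print(codes)                                                     # shown to the user once
    print(store.redeem(codes[0]), store.redeem(codes[0]), store.remaining())  # True False 9
```

The secret shown in the manual-entry field and the secret inside the QR code are the same base32 string, which is why the article can offer the two as alternatives; and because the service keeps only hashes of the service tokens, a database leak does not hand an attacker a working second factor.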