Two-factor authentication (2FA) is the simplest form of multi-factor authentication (MFA). It was introduced to add an extra layer of security to the plain username-and-password login, which is now considered old-fashioned and insecure on its own. Given the number of leaked login credentials from various websites (Yahoo, LinkedIn and Twitter, to name a few), this extra layer is very much needed. One of the best-known examples occurs when you try to log in to a site from a different machine or a different location (and therefore from a different IP address). With a 2FA-enabled login, you may receive a text message containing a verification code, and that code is needed to complete the login. Note that a code sent by SMS is the weakest common form of second factor, since a phone number can be hijacked through SIM swapping; an authenticator app or a hardware key is preferable where the site offers one.
Definition of two-factor authentication
By definition, 2FA relies on two different factors to confirm the user's identity, drawn from the classic categories of something you know (a password or PIN), something you have (a phone or hardware key) and something you are (a biometric). In the example above, the user knows the login credentials and has control over the phone that receives the text message. Other factors that are often used are:
- Knowing a PIN or TAN code (ATM withdrawals, money transfers)
- Having access to an email account (when verification codes are sent by email)
- Secret questions (often frowned upon, as the answers are frequently easy to guess or to look up)
- Physical keys (smart card readers, USB security keys)
- Biometrics (fingerprint readers, iris scanners)
- Mobile authenticator apps that enroll by scanning a QR code and then generate one-time login codes (Authy, Google Authenticator)
Alternatives to 2FA
The following are sometimes presented as alternatives to 2FA, but in practice they are mostly used in combination with 2FA or as one of its factors. Some examples are:
- Single Sign-On (SSO): this is mostly used to reduce the friction of 2FA, particularly when an authenticated user needs access to several resources. The idea is that once the user has been identified and approved, the SSO software provides access to all platforms tied to it. Because a compromised SSO account exposes every connected resource at once, the login procedure for an SSO system is usually protected with MFA. Another consideration when choosing an SSO system is the consequence of a failure: if the SSO software goes offline, will this lock the user out of all the underlying resources?
- Time-based One-time Password (TOTP): this authentication method calculates a one-time login code from a secret shared between the server and the user's device, combined with the current time rounded down to a time step (usually 30 seconds). Both sides run the same calculation; if the results match, the user is granted access. Obviously the clocks need to be synchronised, although there is usually some leniency built into the procedure (most servers accept one time step of drift in either direction, so roughly a one-minute window). The algorithm itself is public (RFC 6238), so the security rests entirely on the shared secret: losing the device that holds it, or leaking it in any other way, lets the wrong person generate valid codes. For that reason TOTP is generally used as one factor in an MFA procedure rather than on its own.
- Token authentication: besides physical tokens, other kinds of tokens can be used as a means of authentication. Consider, for example, apps that run on your smartphone and show an image to your webcam or play a sound that is compared with the original. As this is not a very strong authentication method (for now), it is advisable to use it as one of the authentication factors and not as the sole one.
Summary
Although a strong password is still a very effective means of authentication, there have been so many breaches resulting in leaked passwords that methods have been developed to combine with, or replace, the use of passwords. The combination of two authentication factors is called 2FA; MFA is the general term for two or more factors, of which 2FA is the simplest case.
This one makes you want to tear your hair out.
Take Yahoo's site, which I logged in to with no bother until it said "your password or username is invalid".
I knew it was not.
I used the phone method, which gave me a PIN code that only I knew.
I tried it again, but no! It didn't work, and I was running backwards and forwards from my email box, and Yahoo kept sending me a different code.
In the end I just did not go back to my Yahoo account and they contacted me and then I could sign in again.
I heard through the news that Yahoo had a big security breach, and that must have been the trouble, but now I am keeping away from Yahoo.
One famous company used a password that you would never use.
The manager had to ask an assistant for the password. I overheard all this, which I shouldn't have.
They should have gone to a place to discuss this matter.
It's only common sense that I can't divulge it on here.
It's still a nightmare.
One famous guy said that codes were made to be broken, and that's true.
I am a new user of the Apple Smartphone 6, and am bitterly sorry I ever got involved with them. I had what I needed with a desktop for communication and sites, and a flip phone for road emergencies. But no… I had to join the Club.
No instructions; basic "classes" in a noisy environment; little use. Apple only cares about selling product; no support. I haven't been able to access sites for nearly two months because it doesn't recognize my CORRECT password! Phone "advisors" keep trying; they told me 2-step authentication might be the problem.
Naturally, I will never buy another Apple product!
As for Yahoo (on desktop) I left them long ago.
Need clear example(s) of what I need to do… Do not want to be a 'pioneer' ever again.
Never used them. T.G.