Saturday, December 3, 2016

What is 2 Factor Authentication?



We often use a combination of username and password to authenticate ourselves, but this alone is not secure enough. We often hear about data breaches that involve weak passwords or password reuse. We are also aware of malware like keyloggers that can steal users' passwords. A feasible way to address that problem is to use 2 Factor Authentication.




What is 2 Factor Authentication?


We often use several pieces of information to prove our identity at the time of authentication, chosen so that no unauthorized person can know the information. These are called factors of authentication. For example, a password, a PIN, a security question, etc. are authentication factors.


There are mainly three types of factors that are commonly used for the purpose of authentication.


  • Knowledge Factor
  • Possession Factor
  • Inherence Factor


Knowledge Factor


A knowledge factor refers to a piece of information that only the user knows. For example, a password or a PIN is considered to be a knowledge factor. A security question is also a knowledge factor, though it is considered to be a weak factor, because an attacker can do enough research on the victim to find the information used.


Possession Factor


A possession factor refers to something that the user has. A hardware token used at the time of authentication can be considered to be a possession factor. Authentication using an ATM card is also a good example of a possession factor. As no one can authenticate without physically holding the possession factor, authentication using a possession factor is considered to be quite secure. But it may prove to be inconvenient at times, as the user always has to keep the possession factor with him in order to authenticate himself.


Inherence Factor


An inherence factor refers to something that is an essential characteristic of the user. Authentication using biometrics like fingerprints, iris or voice is a good example of an inherence factor. This method of authentication is supposed to be quite secure.




Any authentication process that uses only one of the above factors is called a single factor authentication. A multifactor authentication is an authentication process that uses more than one of the above factors. And, a 2 Factor Authentication or 2FA is authentication using two of the above three factors.


Authentication using an ATM card and a PIN is a good example of 2FA. Here, the ATM card is the possession factor and the PIN is the knowledge factor. Authentication using a password and a One Time Password (OTP) sent to the user’s mobile phone is also an example of 2FA. Here, the password is the knowledge factor and the user’s mobile is the possession factor.




How secure is 2 Factor Authentication using OTP sent to mobile phones?


Many websites implement 2FA with a password and an OTP (One Time Password) that is sent to the user's mobile phone at the time of authentication. This can be considered 2FA, though it does not provide very strong security. Attackers can infect the user’s mobile phone with malware or perpetrate a Man-In-The-Middle Attack to steal the OTP from the user’s mobile phone and authenticate to the system without physically possessing the mobile phone. 2FA using a hardware token instead is considered to be more secure.


Another option that users can use for 2FA is Google Authenticator. In this method, the user has to install the Google Authenticator application on his mobile phone and do some setup beforehand. Later, when the user wants to authenticate to any website, he has to run the application. The application shows a 6 digit code and sends the same code to the website at the same time. The website then asks the user to enter the 6 digit code and verifies it against the sent code. As the website has to provide a shared secret key to the user to store in the application at the time of setup, an attacker will need to get the shared secret key or physically possess the mobile phone to be able to authenticate to the account.
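Google Authenticator generates its codes with the TOTP algorithm (RFC 6238), which derives the 6 digit code from the shared secret key and the current time. The Python below is an added example, not code from the original post or from Google: it computes such a code and checks it on the website's side, tolerating one time step of clock drift and rejecting a code that was already used. The secret is the RFC 6238 test key, and `Verifier`, `window` and `last_step` are illustrative names.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds each code stays valid
DIGITS = 6   # code length shown by the authenticator app


def totp(secret_b32, at, digits=DIGITS):
    """RFC 6238 TOTP (HMAC-SHA1) for the Unix time `at`."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(at) // STEP)      # 8-byte time-step counter
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Verifier:
    """Website-side check for one account (hypothetical helper)."""

    def __init__(self, secret_b32, window=1):
        self.secret = secret_b32
        self.window = window      # accepted drift, in time steps, either side
        self.last_step = -1       # highest time step already accepted

    def verify(self, code, now=None):
        now = time.time() if now is None else now
        current = int(now) // STEP
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_step:
                continue          # a code from this step or earlier was used: replay
            expected = totp(self.secret, step * STEP)
            # Constant-time comparison avoids leaking how many digits matched.
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_step = step
                return True
        return False


# Constructed sample secret: the ASCII test key from RFC 6238, base32-encoded
# the way a website would hand it to the app at setup time.
SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    site = Verifier(SECRET)
    code = totp(SECRET, 59)
    print(code, site.verify(code, now=59), site.verify(code, now=59))
```

Because the website remembers the last accepted time step, a code captured in transit cannot be submitted a second time, even within its 30 second validity period.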


Thus, 2 Factor Authentication using mobile phones does not provide very strong security. But it is surely more secure than single factor authentication and more convenient than a hardware token.


Nowadays, many websites provide the option of using 2FA. Users should enable it wherever possible to better secure their accounts.
