
Two-factor authentication: why it is needed and how to use it


Two-factor or multi-factor authentication, also called strong authentication, is today an indispensable system for protecting our accounts. Here is why, and how to use it.

Two-factor or multi-factor authentication, also called "strong authentication", 2FA or MFA (Two-Factor Authentication and Multi-Factor Authentication), should no longer be regarded as an option: it is now a necessity that everyone should adopt on their personal and business accounts.

Why two-factor authentication is necessary

It should be known to everyone that the security of accounts depends on the strength of the password.

In a previous article we have already explained what the rules for a strong and secure password are (and above all always different in the various accounts).

We also talked about the Password Manager, the most useful and secure tool today to store the many passwords that each user has to manage in his digital life.

But all this cannot be enough, because any password, however strong, could be stolen or discovered, for example through social engineering techniques, phishing emails or keyloggers; in addition, any account could be exposed to brute-force attacks.

For this reason, password-only authentication is inherently weak, even if the password you set is strong, because account security depends on only one factor, the password.

The risk of account compromise is also increased by the bad habit of many users to use the same password on different systems and accounts.

By activating a two-factor authentication system, this type of risk is greatly reduced. Even if the user credentials were acquired with social engineering techniques, the attacker would still not have access to the second authentication factor.

Unfortunately, two-factor authentication is still little known and little adopted by most users. This is reported by the recent report "THE 3RD Annual Global Password Security Report" published by LastPass, one of the most well-known password managers made by LogMeIn.

The report indicates that the overall use of MFA is increasing worldwide, especially in the business sector, but this virtuous trend is not recorded in some countries, including Italy.

MFA usage is highest in Denmark, closely followed by the Netherlands and Switzerland, while in countries such as Italy, Sweden, Spain and France the use of MFA is significantly lower.

As often happens when it comes to cyber security, we see that Italy ranks last in this ranking: only 20% of company users have activated MFA.

How to achieve two-factor authentication

In most cases, authentication uses only one factor, which is typically a password.

If you are using MFA, the factors for authentication must use at least two of the following:

  • Something the user knows: this is generally a password, but it can be any information known only to the user.

  • Something that the user owns: it could be a smartphone, a hardware key, a USB stick or a token provided by the bank.

  • Something the user is: typically biometric data such as fingerprints, voice or iris.

  • Where the user is: This fourth authentication method is sometimes used by credit card operators to check if the user's location is compatible with the payment they are making.

You get 2FA/MFA if you use at least two of the factors listed above. But that is not all: an authentication can be called "two-factor" only when the two factors used are of different kinds, for example "something you know" + "something you have".

Authentication with two passwords, on the other hand, cannot strictly be considered 2FA, because the two factors are of the same nature.

Using at least two of the authentication factors just seen, the chances of an attacker gaining access to both components are statistically very low.

A study presented by Microsoft at the RSA Conference 2020 in San Francisco showed that, out of a sample of more than 1.2 million compromised accounts, more than 99.9% of these had not activated MFA.

MFA is mandatory for bank and credit card accounts, due to Directive (EU) 2015/2366 (PSD2), while in many other sites it is optional: it is up to the user to choose to activate it.

We recommend that you always adopt it for the most important sites and accounts, such as email accounts, business ones such as VPN, and even for your social profiles.

The latter are subject to very frequent violations and thefts (especially Instagram and Facebook), the consequences of which can be serious for the owner of the social profile.

The risk is not only that of no longer having access to your profile, but the much more serious one is that the attacker uses the profile to carry out scams in our name.

An additional benefit of using 2FA: if we activate it, we will no longer be asked for deprecated security questions.

The choice of the type of the second factor is not indifferent, that is, not all authentication factors guarantee the same level of security, as we will see now.

SMS authentication

With SMS and voice-based two-factor authentication, users provide phone numbers when they sign up, and each time they need to log into their account, a one-time code (OTP "One Time Password" typically six-digit) is generated and sent to the phone number they registered with (via a text message or even an automated phone call).

Among all the possible options, this is the most widespread solution, easy to use and that does not require devices such as smartphones to work (it is sufficient to have a feature phone capable of receiving SMS), but it represents the least secure choice.

While it is always better to have MFA with SMS rather than not having it at all, being able to choose (and generally the choice is possible) it is advisable to use other modes.

The protocol used to deliver SMS to the user, Signalling System No. 7 (SS7), is a very old protocol, developed back in the 1970s; it has known vulnerabilities and has been attacked in practice. OTP codes sent to phones could therefore potentially be intercepted.

But there is an even worse risk: SIM swapping or SIM cloning. It means that an attacker could obtain a SIM card with the victim's phone number. He can do this with simple social engineering techniques at a phone shop or even online, perhaps using a forged document.

With this technique he will receive the SMS containing the authentication codes, obviously in order to carry out fraudulent banking transactions.

SIM cloning is a serious problem that in recent years has caused significant damage to users who have found their bank accounts drained.

For this reason, SMS-based authentication has been deprecated by NIST (National Institute of Standards and Technology) in document SP 800-63B "Digital Identity Guidelines – Authentication and Lifecycle Management" published in June 2017, in chapter 5.1.3.3.

Banks are obviously aware of this risk, so why do they still make the MFA option with SMS available?

It is obviously a commercial choice not to lose those customers who cannot or do not want to use a smartphone with a dedicated application: in this case the SMS becomes the obligatory option.

Today the SIM swap has become less easy for the attacker, following the intervention carried out specifically by the Authority for Guarantees in Communications for the change of the SIM.

This is AGCOM resolution 86/21/CIR of July 2021, subsequently updated following the work of the Technical Table composed of AGCOM, banks and telephone operators. That update was published on 1 March 2022 and entered into force no later than 15 November 2022.

After this date many users will have experienced how much more complicated it has become (even for an honest citizen!) to make a SIM change.

2FA with dedicated applications: authenticators

2FA authentication with "something you have" can use the object we always have with us: our phone.

These applications are called "Software Tokens", in practice they behave exactly like SMS: they generate a 6-digit OTP, associated with a specific account.

This 2FA solution requires the user to download and install an authenticator app on their smartphone (some are also available for desktop). There are many and all free, as we will see.

How authenticators work

The use is very simple: if a site offers this type of 2FA with the Authenticator app (i.e. the developers of the site must have made this option available), the user can activate 2FA within the site settings.

At this point we will be shown on the screen a QR code containing the secret key. The QR code must be scanned by the application installed on your smartphone.

This scan is called enrollment, or registration: during it a unique key (a seed) is exchanged, which will later allow the specific account session in the browser, or the specific instance of the app, to be distinguished.

Once the QR code is scanned, the application will produce a new six-digit code that will change every 30 seconds also called TOTP (Time-Based One-Time Password).

Where the QR code is not available, it is alternatively possible to enter the secret key manually (provided, of course, by the site or app on which we intend to activate 2FA) and generate the TOTP code.

On any compatible site with 2FA set up, users log in by entering username and password, then open the authenticator app to read the unique access code generated by the software, which is needed to complete the login.

The advantage of this type of two-factor authentication is that you do not need to be connected to a mobile network, and you do not even need to give the site your phone number. If an attacker redirects our phone number to his own with a SIM swap, he will still not have the secret enrolled through our QR codes.

How does that work

It is important to know that these apps are equivalent, that is, they all use the same algorithm, because the TOTP code they produce is not a random number.

TOTP is generated by an algorithm, based on HOTP (HMAC-based One Time Password), that produces a one-time password (OTP) from a shared secret key K (the one exchanged when the QR code is read) and the current timestamp T of the device, using a hash function H (of type SHA-1). Therefore:

TOTP = HOTP(K, T) where T = (Current Unix time – T0) / X

where X is the time step in seconds (by default X = 30 sec).
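The enrollment step (the secret carried by the QR code) and the TOTP formula above, worked through in code. This is an added example written for this article, not code from the original page or from any authenticator vendor: it implements HOTP (RFC 4226) and TOTP (RFC 6238) with Python's standard library, decodes an otpauth://totp URI of the kind authenticator apps read from the QR code (the URI layout and the sample account label are assumptions), and shows the server-side check with a small drift window. Note that the RFC defines T with the division rounded down, which is what the integer division does here.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def hotp(key: bytes, counter: int, digits: int = 6, digest=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC(K, C) over the 8-byte counter, dynamic truncation, decimal digits."""
    msg = struct.pack(">Q", counter)                      # counter as 8-byte big-endian integer
    mac = hmac.new(key, msg, digest).digest()
    offset = mac[-1] & 0x0F                               # low nibble of last byte picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, t0: int = 0,
         digits: int = 6, digest=hashlib.sha1) -> str:
    """RFC 6238: TOTP = HOTP(K, T) with T = floor((unix_time - T0) / X), X = step."""
    t = (unix_time - t0) // step
    return hotp(key, t, digits, digest)


def current_totp(key: bytes, **kwargs) -> str:
    """The code an authenticator app would display right now."""
    return totp(key, int(time.time()), **kwargs)


def parse_otpauth(uri: str) -> dict:
    """Decode an otpauth://totp/... URI, i.e. the payload of the enrollment QR code.
    Assumed layout (the de facto format used by authenticator apps):
    otpauth://totp/<Issuer>:<account>?secret=<base32>&issuer=<Issuer>[&digits=6&period=30&algorithm=SHA1]
    """
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    secret_b32 = params["secret"].upper().replace(" ", "")
    secret_b32 += "=" * (-len(secret_b32) % 8)            # re-add base32 padding apps often strip
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "issuer": params.get("issuer"),
        "secret": base64.b32decode(secret_b32),           # the shared seed K
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").upper(),
    }


def verify_totp(key: bytes, code: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the current step and +/- `window` adjacent steps to
    tolerate clock drift, comparing in constant time to avoid timing leaks."""
    if not (code.isascii() and code.isdigit()):
        return False
    t = unix_time // step
    return any(hmac.compare_digest(hotp(key, t + d, digits), code)
               for d in range(-window, window + 1))


# Constructed enrollment URI; the secret is the RFC 4226/6238 test key "12345678901234567890".
DEMO_URI = ("otpauth://totp/Example:alice@example.com"
            "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")

if __name__ == "__main__":
    enrolled = parse_otpauth(DEMO_URI)
    key = enrolled["secret"]
    # RFC test vectors: HOTP counter 0 -> 755224, TOTP at Unix time 59 (8 digits) -> 94287082
    print("HOTP(0)     ", hotp(key, 0))
    print("TOTP(t=59)  ", totp(key, 59, digits=8))
    print("code now    ", current_totp(key))
    print("verify 59   ", verify_totp(key, totp(key, 59), 59))
```

The `verify_totp` window is the reason two devices whose clocks differ by a few seconds still agree: both land in the same or an adjacent 30-second step. A server should also remember the last step it accepted for an account and refuse to accept the same code again, since a one-time code that can be replayed within its 30 seconds is not really one-time.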

This process was standardized in RFC 6238 "TOTP: Time-Based One-Time Password Algorithm", published in 2011 by the Internet Engineering Task Force (IETF). Authenticator apps are available for both Android and iOS; here are some of the best known:

  • OTP auth (Apple devices only)

  • Step Two

  • Twilio by Authy

  • Google Authenticator

  • Microsoft Authenticator

  • Cisco Duo Mobile

  • FreeOTP (open-source)

  • AuthPoint by WatchGuard

  • Authentication by ESET

  • andOTP (Android only)


The best password managers (e.g. 1Password) also offer two-factor authentication by default as an additional feature within the password manager.

There is also an authenticator built into iOS and macOS. Starting with iOS 15, a built-in 2FA code generator is available on iPhone. You can find it under Settings → Password: select a stored account (or create a new one) and, under the heading Account Options, select "Configure verification code"; at this point you can scan the QR code, as with the apps already mentioned, and generate the TOTP code.

2FA with hardware tokens: the FIDO system

This is an authentication standard defined by the FIDO ("Fast IDentity Online") Alliance, founded in 2012 by PayPal, Lenovo, Nok Nok Labs, Validity Sensors, Infineon and Agnitio and which has standardized these authentication protocols.

The FIDO2 specification consists of the World Wide Web Consortium (W3C) Web Authentication (WebAuthn) specification and the corresponding FIDO Alliance Client-to-Authenticator Protocol (CTAP).

They can be used as a passwordless authentication protocol or as the protocol for hardware devices used as a second authentication factor.

In 2013, Google, Yubico and NXP joined the FIDO Alliance and brought an authentication protocol developed for 2FA using hardware sticks.

There are numerous models of these keys, made according to the FIDO2 standard by numerous manufacturers, which we can find on the FIDO Alliance website.

The simplest require insertion into a USB port, the most advanced ones (for example YubiKey) also work with NFC (Near Field Communication) or via Bluetooth such as Google's Titan Security Key (so they can also be used with smartphones that do not have a USB port).

These keys, whose activation requires an unlock PIN for security, must be associated with the account to be authenticated and represent the second authentication factor. The authentication secret is stored inside the key itself, which provides a very high level of security.

Their use is not yet widespread in companies, also because they involve management costs and the risk of loss by users; for this reason it is advisable to keep a backup key registered as well.

It is certainly not the cheapest system, although the level of security is also higher than that offered by authenticator apps.

We add that FIDO protocols can also be used for passwordless authentication.

Apple, Google and Microsoft announced in 2022 their intention to expand support for a common passwordless access standard created by the FIDO Alliance and the World Wide Web Consortium (W3C).

The new feature will enable websites and apps to offer consumers password-free, secure and simple access across all devices and platforms.

The project is called Passkeys and is described on the FIDO Alliance website.

Can two-factor authentication be hacked?

We come to what all of you readers have been waiting for.

While it is possible for two-factor authentication to be hacked, the chances are very low, and 2FA remains the best practice for keeping accounts and systems secure. One way two-factor authentication can be defeated is SIM swapping, but this only works if 2FA relies on sending a one-time (OTP) code to the user's phone number via SMS or an automated call.

There is another technique defined as "MFA fatigue", which leverages social engineering.

An MFA fatigue attack consists of incessantly bombarding an account owner with MFA push notifications until they give in, psychologically worn out, and approve the access request.

With more and more applications and services adopting multi-factor authentication, approving MFA push notifications can become a routine task when account owners need to approve MFA requests multiple times a day. In the end, daily approval of MFA push notifications can make account owners inattentive.
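The pattern described above leaves a clear trace in an identity provider's logs: many push prompts for one account in a short time, most of them denied or left to time out, possibly followed by an approval. The detection below is an added example written for this article, not code from the original page or from any MFA vendor; the log format (timestamp, user, event) and the sample lines are constructed, and the window and threshold are assumptions to tune against real traffic.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of a push-MFA log (not real data).
# Assumed format: <ISO-8601 UTC timestamp> <user> <event>
SAMPLE_LOG = """\
2023-03-01T09:00:12Z alice push_sent
2023-03-01T09:00:40Z alice push_denied
2023-03-01T09:01:05Z alice push_sent
2023-03-01T09:01:30Z alice push_denied
2023-03-01T09:02:01Z alice push_sent
2023-03-01T09:02:50Z alice push_timeout
2023-03-01T09:03:10Z alice push_sent
2023-03-01T09:03:35Z alice push_denied
2023-03-01T09:04:02Z alice push_sent
2023-03-01T09:04:40Z alice push_denied
2023-03-01T09:05:15Z alice push_sent
2023-03-01T09:05:30Z alice push_approved
2023-03-01T09:10:00Z bob push_sent
2023-03-01T09:10:20Z bob push_approved
2023-03-01T14:00:00Z bob push_sent
2023-03-01T14:00:15Z bob push_approved
"""


def parse_line(line: str):
    """Split one log line into (timestamp, user, event)."""
    ts, user, event = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event


def detect_mfa_fatigue(lines, window=timedelta(minutes=10), threshold=5):
    """Return one alert per user who received >= `threshold` push prompts inside a
    sliding `window`. The alert records how many prompts were denied or timed out
    since the last approval, and is escalated if the user approves a prompt afterwards."""
    prompts = defaultdict(deque)      # user -> timestamps of recent push_sent events
    rejections = defaultdict(int)     # user -> denials/timeouts since the last approval
    alerts = {}
    for line in lines:
        if not line.strip():
            continue
        ts, user, event = parse_line(line)
        if event == "push_sent":
            q = prompts[user]
            q.append(ts)
            while q and ts - q[0] > window:       # drop prompts older than the window
                q.popleft()
            if len(q) >= threshold and user not in alerts:
                alerts[user] = {
                    "user": user,
                    "first_seen": ts,
                    "prompts": len(q),
                    "rejections": rejections[user],
                    "approved_after_burst": False,
                }
        elif event in ("push_denied", "push_timeout"):
            rejections[user] += 1
        elif event == "push_approved":
            if user in alerts:                    # the burst ended with an approval: highest priority
                alerts[user]["approved_after_burst"] = True
            rejections[user] = 0
    return list(alerts.values())


def mfa_fatigue_alerts():
    """Run the detection over the constructed sample log."""
    return detect_mfa_fatigue(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in mfa_fatigue_alerts():
        print(alert)
```

On the sample, alice triggers an alert at her fifth prompt (four rejections already recorded) and the alert is escalated when she finally approves; bob's two routine prompts hours apart never reach the threshold. In a real deployment the same signal is a good trigger for locking push approval for the account and requiring a code-based or FIDO factor instead, which is also why number matching in push prompts has become the recommended configuration.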
