2FA: Two Factor Authentication

Introduction

Two-factor authentication (also known as 2FA or 2-Step Verification) is a technology that enables confirmation of a user’s claimed identity by utilizing a combination of two different user factors.

Factors include:

  • Something the user knows (Knowledge)

Ex: user IDs, passwords, ATM PINs, security images, etc.

  • Something the user has (Possession)

Ex: ATM cards, mobile devices, RFIDs, etc.

  • Something the user is (Inherence)

Ex: fingerprints, typing speed, etc.

Two-factor authentication uses a combination of any two of the above three factors.

Why 2FA?

  • Credential-based authentication alone is not strong enough to protect against identity theft.
  • Because a password is easy to lose or forget, many people write passwords down or choose weak ones, exposing them to attackers.
  • Two-factor authentication is one of the best defences against remote attacks such as phishing, credential exploitation and other account-takeover attempts.
  • By choosing two different channels of authentication, you can protect user logins from remote attacks that exploit stolen credentials.
  • Without the physical device, a remote attacker cannot impersonate a user they are not.
  • With advances in technology, 2FA is easy to implement and cost effective.

2FA can be implemented without any extra hardware cost by the provider.

Different Approaches

The most popular way to enable 2FA is to add something you have: typically a piece of hardware, or a software application on a smartphone, that the person carries at all times and that generates a random one-time passcode (OTP).

Approaches Include:

  • Hardware devices like RFIDs, USB connectors, etc.
  • OTPs delivered through SMS
  • In-house smartphone app that sends push notifications
  • Time-based OTP (TOTP) through open-source smartphone apps

Pros & Cons

Hardware devices like RFIDs, USB connectors, etc.

Pros:

  • Many service providers available
  • Do not require a smartphone

Cons:

  • User has to carry the device at all times
  • Cost associated with distribution and maintenance
  • A few incidents of hacks in the past

OTPs delivered through SMS

Pros:

  • Many SMS service providers available
  • Do not require a smartphone
  • No need to carry a separate hardware device at all times

Cons:

  • Cost associated with the SMS service
  • OTP delivery depends on the service provider
  • Text messages sent over SMS are insecure and can be intercepted

In-house smartphone app that sends push notifications

Pros:

  • In-house mobile app with no interaction with other service providers
  • Secure and reliable

Cons:

  • Requires a smartphone
  • Mobile app development and maintenance

Time-based OTP (TOTP) through open-source smartphone apps

Pros:

  • Time-based OTPs are generated independently in the app, without any interaction with the web application
  • Because they change constantly, dynamically generated OTPs are safer to use than fixed (static) login information
  • Easy to implement in any web application without any extra hardware or software

Cons:

  • Requires a smartphone
  • OTPs are usually based on time, which requires the web application's clock and the mobile app's clock to differ by no more than 30 seconds

Implementation

The Time-based One-time Password algorithm (TOTP) computes a one-time password from a shared secret key and the current time. It has been adopted as Internet Engineering Task Force standard RFC 6238, is the cornerstone of the Initiative For Open Authentication (OATH), and is used in a number of two-factor authentication systems.

Conclusion

  • With the continued improvements in mobile technology, the ability to use smartphones as a second factor of authentication is becoming more trustworthy.
  • Many open-source libraries are available to implement TOTP in web applications to provide 2FA.
  • Free apps like Google Authenticator and Authy can be used by users to generate TOTPs on the fly.
  • 2FA can easily be extended to multi-factor authentication by using other mobile information such as location, IP address, voice recognition, etc.

References:

  • Two-factor authentication:

https://en.wikipedia.org/wiki/Two-factor_authentication

  • TOTP:

https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm

https://tools.ietf.org/html/rfc6238

  • Implementation of TOTP in Java EE based applications:

https://blog.shinetech.com/2015/05/01/securing-your-spring-app-using-2fa/

http://thegreyblog.blogspot.sg/2011/12/google-authenticator-using-it-in-your.html

https://oneminutedistraction.wordpress.com/2014/02/14/integrating-totp-with-java-ees-container-managed-security/
