Ozgur's Blog

Random ramblings of personal nature

Two Factor Authentication - 20 Mins


Introduction

This is a new concept I am trying out. Articles under the 20Mins category will be written in 20 minutes: no more, no less. With this format I want to explain a concept at its bare minimum, with the information you can work with to change your digital life (I hope).

Two-factor authentication (2FA) is a validation scheme that requires an input from a device other than your computer. The logic is that even if the username/password combination gets exposed in one of various ways, validating yourself from another device you possess provides an additional layer of security. So we can say that it combines:

  • Something you know: Username/Password
  • Something you have: The 2FA device and the code it produces

In the days of yore it was done with specialized devices with small digital screens; I distinctly remember them being called one-time password (OTP) devices. Today we can use our mobile phones for that.

It is by no means a silver bullet, but it significantly increases the security of our accounts.

How does it work

From a user's perspective it works like this:

  • Downloading a 2FA code generator such as Google Authenticator or Authy
  • Enabling 2FA on the web service whose security we want to increase
  • Scanning the QR code the service shows us with our 2FA generator and entering the generated code, OR entering the code the service sends us via SMS
  • Recording the recovery codes generated by the service in case of 2FA device loss or other shenanigans
  • On login, entering the code generated by the 2FA app or sent via SMS

As you can see, the weakest link here is the device we have. If a very dedicated attacker somehow gains access to your device and controls it, s/he may read the 2FA codes and use them in combination with the username/password data. For SMS, attackers may clone the SIM card or convince your service provider to issue them a new SIM card with your number.

Conclusion

If you value your account's safety, you should enable 2FA wherever the web service you are using offers it. It limits the damage if the username/password combination gets exposed to unauthorized third parties, and it is a nifty way of validating who you are. The 2FA methods vary from service to service: most codes can be generated via Google Authenticator, but Yandex, for example, uses its own app to generate one-time passwords for your accounts, making login a one-step process. Speaking of Google, they have also changed their 2FA login method: now they send a notification to your phone, letting you accept or deny the login request without entering a code.

Thanks for reading!