Two-factor authentication (2FA), also known as two-step verification or dual-factor authentication, is a security mechanism whereby the user is required to provide two different authentication factors to verify their identity. It can be used to grant (or deny) access to any type of resource: web sites and services, financial or banking accounts, safe deposit boxes, apartment and office doors and gates, and so on.
In this article we'll do our best to explain the characteristics of this access mode, the reasons that make it significantly safer than traditional authentication tools and how it can be used to protect our online and offline resources.
Why the password is not enough
As you most likely already know, the vast majority of websites in 2019 still rely on the good old "username & password" authentication method, which is among the worst possible techniques to protect our data. Here's a list of reasons explaining why such a method shouldn't be used anymore in 2019:
- Weak or stolen user credentials are hackers' weapon of choice, used in 95 percent of all web site attacks.
- Password theft is constantly evolving as hackers employ methods like keylogging, phishing, pharming and so on.
- The vast number of passwords we need to use (and memorize) during our everyday (personal + business) life pushes users and employees into a lot of insecure behaviours, such as: using easy to remember (and therefore weak) passwords; storing their credentials in their browsers/devices; writing them down in insecure places; and so on.
Even if most of these threats can be mitigated by using a strong password, the real weakness of such an approach lies in the fact that there is only a single layer of protection between the intruder and our data: a single mistake on our part is all it takes to allow unauthorized access from virtually anyone.
An authentication factor is a way to acknowledge the identity of a user by a security device in order to grant (or deny) access to the requested resource(s). There are generally three recognized types of authentication factors nowadays:
- Type 1 - Something You Know: includes passwords, PINs, combinations, passphrases, secret words, gestures and so on. Anything that you can remember and then type, say, do, perform, or otherwise recall when needed falls into this category.
- Type 2 - Something You Have: includes any kind of physical object: keys, smart phones, smart cards, USB drives, token devices, authentication apps (such as Google Authenticator) and so on.
- Type 3 - Something You Are: includes any part of the human body that can be used to verify the owner's identity, such as: fingerprints, retina scan, iris scan, palm scan, facial recognition, voice recognition and so on.
As we can easily understand, each of these measures can theoretically be "cracked" by a criminal: passwords and PINs can be guessed, inferred or obtained through spying techniques or malicious software; physical objects can be stolen or cloned; and if you're into theft-related movies or books, you know that even body parts are not 100% secure, since they can be "stolen", cloned or forged as well.
The "username & password" approach we described earlier clearly falls into the type 1 single-factor authentication methods, which are among the least secure ones. However, any single-factor authentication approach is potentially weak, as the intruder only needs a single attack skill and a single successful attack to impersonate the victim. Conversely, combining (at least) two factors from the above categories greatly increases the level of security, because the whole authentication process becomes much more difficult to overcome: the intruder must have multiple attack skills and/or wage multiple successful attacks simultaneously, which is much harder, resulting in a more resilient solution from a security perspective.
Two-Factor vs Multi-Factor
The difference between Two-Factor Authentication (2FA) and Multi-Factor Authentication (MFA) should already be clear by now: 2FA is nothing more, nothing less than an implementation of multi-factor authentication which requires two different factor types from those listed above. Three-Factor Authentication (3FA) is also a type of MFA, one which requires all three factor types identified above.
2FA and MFA should not be confused with Multi-Password Authentication (MPA) mechanisms, which require the user to enter multiple sets of credentials (different usernames/passwords) in order to access a specific resource. A typical example of Multi-Password Authentication is a password-protected client software installed on a user profile within a desktop PC, which can only be accessed by performing the Windows login and then the client login. Another good example is Remote Desktop through VPN, where the user must first log in to the VPN server (using the VPN credentials) and then initiate the RDP session by authenticating to the networking environment (Active Directory, VNC, SSH and so on).
Despite being more secure than single-password approaches, all multi-password authentication processes still fall into the Single-Factor Authentication (SFA) world: every credential involved is of the same type (something you know), so they remain potentially vulnerable to attacks from experienced hackers (who can exploit inexperienced end-users).
Authentication vs Authorization
To better understand the need to switch from a single factor authentication method to a two (or more) factor process, it may be useful to analyze the difference between the modern authentication and authorization concepts.
Generally speaking, the term authentication refers to any process of verification that someone, be it a human being or an automated system, is who (or what) it claims to be. This is also true within the context of the World Wide Web (WWW), where that same word is mostly used to denote any technique used by a website or service to collect a set of login info from a user agent, typically a web browser, and authenticate them using a membership and/or identity service.
Authentication should never be confused with Authorization, as it is a different process and is in charge of a very different task: to give a quick definition, we could say that the purpose of authorization is to confirm that the requesting user is allowed to perform the action they want to perform. In other words, while authentication is about who the user is, authorization is about what they are allowed to do.
To better understand the distance between these two apparently similar concepts, we could think of two real-world scenarios:
- A free, yet registered account trying to gain access to a paid or premium only service or feature: this is a common example of authenticated, yet not-authorized access; we know who he is, yet he’s not allowed to go there.
- An anonymous user trying to gain access to a publicly available page or file: this is an example of not-authenticated, yet authorized access; we don’t know who he is, yet he can access public resources just like everyone else.
As we can easily understand, the main problem with Single-Factor Authentication lies in the fact that it's not strong enough to confirm that the requesting user is who they claim to be: therefore, it could easily end up authorizing a whole different human being, thus granting them access to private data or privacy-sensitive resources. This has become rather common in standard password-based websites nowadays, where passwords are frequently stolen and, more often than not, even willingly given by the owner to others (co-workers, family, etc.) to act on their behalf: have you ever ordered a meal or performed any e-shop transaction using a friend's or company account? If you did, you know what we're talking about.
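The two scenarios above (a registered free user denied a premium feature; an anonymous visitor allowed a public page) map directly onto two separate steps in a request handler. The following is an added example, not code from the article, showing that separation: `authenticate` answers "who is asking?" from a session token and `authorize` answers "may they do this?" from a resource policy, and the two answers are reported separately as HTTP-style status codes (401 when identity is missing, 403 when identity is known but insufficient). The session store, resource catalogue and tier names are constructed for the demo.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Access(Enum):
    """Minimum access level a resource demands (constructed policy vocabulary)."""
    PUBLIC = "public"          # anyone, even unauthenticated
    REGISTERED = "registered"  # any authenticated account
    PREMIUM = "premium"        # authenticated account on the premium tier


@dataclass(frozen=True)
class Principal:
    username: Optional[str]  # None means "we do not know who this is"
    tier: Optional[str]


ANONYMOUS = Principal(username=None, tier=None)

# Constructed session store: session token -> already-authenticated principal.
SESSIONS = {
    "sess-free-42": Principal("alice", "free"),
    "sess-prem-7": Principal("bob", "premium"),
}

# Constructed resource catalogue: path -> required access level.
RESOURCES = {
    "/about.html": Access.PUBLIC,
    "/dashboard": Access.REGISTERED,
    "/reports/export": Access.PREMIUM,
}


def authenticate(session_token: Optional[str]) -> Principal:
    """Authentication: establish identity. Unknown or missing token -> anonymous."""
    if not session_token:
        return ANONYMOUS
    return SESSIONS.get(session_token, ANONYMOUS)


def is_authenticated(principal: Principal) -> bool:
    return principal.username is not None


def authorize(principal: Principal, path: str) -> bool:
    """Authorization: decide whether this (possibly anonymous) principal may access path.
    Unknown paths are denied by default rather than falling through to 'allowed'."""
    level = RESOURCES.get(path)
    if level is None:
        return False
    if level is Access.PUBLIC:
        return True
    if level is Access.REGISTERED:
        return is_authenticated(principal)
    return is_authenticated(principal) and principal.tier == "premium"


def handle_request(session_token: Optional[str], path: str) -> int:
    """Return an HTTP-style status: 200 allowed, 401 identity required,
    403 identity known but insufficient, 404 resource unknown."""
    if path not in RESOURCES:
        return 404
    principal = authenticate(session_token)
    if authorize(principal, path):
        return 200
    # Denied: distinguish "we don't know you" from "we know you, and no".
    return 403 if is_authenticated(principal) else 401


if __name__ == "__main__":
    # Anonymous on a public page: not authenticated, yet authorized.
    print("/about.html anonymous ->", handle_request(None, "/about.html"))
    # Free account on a premium feature: authenticated, yet not authorized.
    print("/reports/export alice ->", handle_request("sess-free-42", "/reports/export"))
```

The deny-by-default branch for unknown paths is the part worth copying: an authorization function that only lists what is forbidden will silently allow anything it was never told about.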
Now, although such behaviour could be somewhat "acceptable" if the website does not contain privacy-sensitive info, it definitely cannot be tolerated for services hosting personal data: from our banking account to our government website's personal page, from our office gate to our home door, we could definitely benefit from a Multi-Factor Authentication method to better secure our stuff. Such an approach is also required by the Global Data Protection Regulation (GDPR) European Law (Art. 32 - Security of Processing), which instructs the controller and processor to take the appropriate steps to restrict access to personal data to authorized personnel only.