Two Factor Authentication

We have already read about ‘authentication’ and its role in security domains and software technologies. To define it once more, ‘authentication’ is establishing who you are in order to access protected resources. In this blog post we elaborate on this concept to discuss 2FA, or ‘two factor authentication’.

Why 2FA?

Before we see what is meant by 2FA, let us see the reasons behind implementing 2FA.

Data breaches are not new, but the magnitude of the breaches is growing each year. In 2014 alone, more than 1 billion personal records were accessed illegally (zdnet.com). The ‘Anthem’ data breach and the IRS data breach are the most recent data breaches that affected thousands of customers in the US. The Amazon password breach and the VTech breach in 2015 have prompted consumers and organizations to step up their authentication processes (Amazon Forces Password Resets after Possible Security Breach).

All these reasons and more necessitate the implementation of two factor authentication, which might reduce data breaches related to weak passwords.

What is 2FA?

2FA is omnipresent in our digital lives without us knowing it. ‘Authentication’ in its simplest form is implemented by the traditional ‘username’ and ‘password’ combination. Most of us have been told repeatedly to keep passwords complicated enough that they do not get hacked. But maintaining a combination of upper and lower case letters, numbers and symbols for different websites stumps us more than the hackers! We ultimately forget the different usernames and passwords, leaving us annoyed and frustrated.

2FA or ‘two factor authentication’ solves this problem by providing a second layer of security to authenticate the user. In addition to the username and password, a second layer of security is added in the form of SMS passcodes, hardware tokens or push notifications, depending on the authentication app services on each individual’s smartphone.

How is it implemented?  

2FA is implemented by

  1. “something you know” (the ‘username’ and password combination)
  2. “something you have” (for example, a smartphone that receives SMS passcodes). A smartphone fits the bill of “something that you have” since one possesses a smartphone all the time.

This second layer of authentication is in tune with the ‘layered security’ approach adopted by security professionals to bolster a personal or professional environment. In a ‘layered security’ approach, even if the first layer of security is compromised, it is assumed that the second layer will provide adequate defense, such that the resources are not compromised in any way.

Types of 2FA authentication:

“Hardware tokens”, “SMS notifications”, “Push notifications”, “Phone callbacks”, “Mobile passcodes” and “wearable devices” are a few of the different authentication types. Let us discuss a few of them below:

Hardware tokens:

“Tokens” are generated on a device and then entered into the login prompt. One disadvantage of this type of authentication is that the user must always have the token-generating device with them. If the token-generating device is pressed multiple times, the tokens can get out of sync with the one that is needed to log in.

SMS passcodes:

SMS passcodes are the most familiar form of 2FA implementation. A passcode is sent by SMS to the registered mobile device and is then used to authenticate the user.

Phone callbacks:

Phone callbacks are another familiar form of 2FA, in which the service calls the user. The user is then expected to answer the call and press any button to authenticate himself.

Organizations that have adopted 2FA:

Apple, Facebook, LinkedIn, Twitter and Google are examples of some organizations that have implemented 2FA. For a complete list of organizations that have enabled 2FA or are in the process of implementing it, visit: ‘https://twofactorauth.org/’.

Two factor authentication technologies are growing in the hope of stopping the widespread data breaches. The human factor is the only thing that will make it truly successful!

Bibliography
(n.d.). Retrieved from zdnet.com: http://www.zdnet.com/pictures/biggest-hacks-security-data-breaches-2015/
Amazon Forces Password Resets after Possible Security Breach. (n.d.). Retrieved from Securityweek: http://www.securityweek.com/amazon-forces-password-resets-after-possible-security-breach

About Pavan Gumaste

Pavan Rao is a programmer / Developer by Profession and Cloud Computing Professional by choice with in-depth knowledge in AWS, Azure, Google Cloud Platform. He helps the organisation figure out what to build, ensure successful delivery, and incorporate user learning to improve the strategy and product further.
