Most of us keep passwords on our mobile phones, but some find that annoying, so this new two-factor authentication may feel cumbersome to them. Security experts, however, say it is one of the best ways to protect every type of online account. Two-factor authentication (2FA), also called dual authentication or two-step verification, simply adds a second step to the user's log-in process. This protects the user's credentials as well as the resource the user is accessing. In simpler terms, after entering a username and password, the user is prompted to enter a code received by email or text message, or sometimes to approve a push notification on their phone, to confirm that the person logging in is authorized.
In all, this process adds only a few extra seconds but reinforces the log-in. The second authentication step makes a breach much harder for hackers, because breaking a password has become easy for them, whether through phishing and similar methods or through devices infected with malware and visits to harmful websites. The trend toward "credential stuffing" and brute-force attacks lets hackers hijack online accounts in bulk. That happens all the time; even Apple iCloud accounts have fallen victim to credential-stuffing attacks. Accounts protected by two-factor authentication, however, escaped the mishap. The two-factor code is only honoured by the legitimate website. Two-factor authentication comes in the following four types, ranked in order of their effectiveness:
A text message code: Usually, a two-factor code is sent by SMS, which doesn't even require a smartphone. This method is easy to start with, but text messages are considered the least secure option, as hackers can exploit weaknesses in the phone network to intercept SMS two-factor codes. Because SMS messages are not encrypted, they leak easily. Still, a text message code is better than no second factor at all.
An authenticator app code: Similar to a text message code, except that the user installs an app on the smartphone. Whenever the user logs in, a code is delivered to this app. Several authenticator apps are available, such as Duo, Google Authenticator and Authy. A small difference with a strong impact is that these codes travel over an HTTPS connection, which makes it impossible for anyone to steal or snoop on the code before it is used.
A biometric: Nowadays, every other organization asks for biometrics such as fingerprints, an iris scan or facial recognition to grant access to the workspace. These readers are usually built from specialized hardware and software. However, the technology has an unavoidable drawback: it is easily spoofed by producing a clone of a fingerprint or a 3D-printed head.
A physical key: Last but not least, the most robust of all the two-factor authentication methods is a physical key. Google has confirmed that, to date, there has not been a single account takeover. These security keys are USB sticks that can be kept on a keyring. When users log in to their account, they are prompted to insert the cryptographically unique key into their device (commonly a computer). Even if the password is stolen, the account is not accessible without this key.
Create a checklist of your most valuable accounts and start switching them to two-factor authentication. Consider two-factor authentication an investment in security that saves valuable accounts from a world of trouble.