Online apps and services provide a level of flexibility and convenience that was hard to imagine just a few decades ago. However, they also leave users vulnerable to hacks, phishing attacks and other digital mischief. Often, the only thing guarding your personal and sensitive information is a simple password. This level of safety is simply not enough anymore, as a determined hacker can easily gain access and wreak havoc on your accounts.
As hackers and other online criminals are becoming more proficient and sophisticated, so is online security. Two factor authentication provides an additional level of online protection, and is quickly becoming a standard in the IT world. Although it is not perfect, using 2FA is a whole lot better than going without it. 2FA, sometimes referred to as dual factor authentication, is a security system that requires users to provide two different authentication factors in order to log into an account.
2FA vs. 2SA
Before diving into the pros and cons of various authentication methods, it is important to make a distinction between two factor authentication (2FA) and two step authentication (2SA). These two terms are often used interchangeably, and this can cause confusion. As the name suggests, 2FA uses two different factors to protect your account. A factor can be biometric (fingerprint, face and voice recognition etc.), something you know (a password, pin, or security question), or something you own (like a security token, smartphone or ID card). Factors can also be location and time sensitive. For example, some services can only be accessed at a certain time and/or from a specific predefined location.
On the other hand, two step authentication has two steps but both the factors are the same. Protecting your account with a password and a security question is an example of two step authentication. So 2FA is a type of 2SA, but not the other way around. With this in mind, it is easy to see that two factor is a lot more secure than two step authentication. Let’s move on to the pros and cons of different 2FA methods.
Seeing as most of us carry around our mobile phones all the time, they can be a perfect tool for an extra level of security. All a user needs to do is provide their phone number when they sign up, and activate SMS authentication. When you try to sign in to your account, an SMS message with a randomly generated code is sent to your mobile device. You input this code, along with your password to sign in. This code is single use and always has a defined expiration time.
The biggest advantage of SMS authentication is its convenience. The message arrives almost instantaneously, and at no cost to you. However, this layer of security comes with quite a few risks. First off, sharing your phone number with a company or app requires a lot of trust, as some shady services can easily sell your number or use it for annoying unsolicited advertising. The worst case scenario is a SIM swap, the same process you would use if you lose your phone. A hacker can claim to be you by providing personal data, and have the cell company literally give them your number.
Biometric security can be in the form of fingerprint, voice or face recognition. Retina recognition is also showing a lot of promise, but it is still a long way from mass use. All of these methods require specific hardware, either on a mobile device, PC or laptop. An advantage of biometrics over other types of protection is that you do not have to carry any additional keys with you, and you do not have to worry about forgetting your password. Even though fingerprints, faces and voices are unique to every individual, biometric protection is not hackerproof.
For one, all the sensitive data (fingerprints, face and voice samples) is stored on the same device, meaning that hackers can access it if they get a hold of your tech. What’s more, there are even methods of forging your fingerprints by lifting them from a flat surface and using 3D prints of them to physically unlock your account. This is why most security experts recommend using an additional PIN code along with their biometric signature.
One Time Passwords
Time based one-time passwords are more secure, as they do not rely on SMS or cell phone companies. OTP works by assigning your account a secret key that is used in conjunction with a code generating app like Google Authenticator. Your secret key is loaded into the app by scanning a QR code. This generates a one-time security code, usually six digits long, that expires every 30-60 seconds.
A big advantage of OTP is that they are generated based on the current time and your secret key, so the method works even when you have no reception or internet access. Seeing as your secret key is stored on your device, there is no way to redirect or intercept it, as is the case with SMS authentication. A glaring downside of this method is that you will be unable to sign in if you lose your device, if it stops working, or runs out of battery. There is also a chance that internal clocks of your device and service can become desynchronized, and this leads to invalid codes. The only way around this is to print out backup codes and keep them in a safe place.
U2F stands for Universal 2nd Factor and it is an open standard that is used in many devices including USBs, NFCs and smart cards. Of all the authentication methods we have covered, using U2F is the simplest; you just plug in your USB, swipe your card or bump your NFC, depending on which one you are using. U2F keys provide extremely effective resistance to credentials theft techniques like keylogging and phishing attacks through the use of dedicated user authentication hardware. The fact that Google recommends using U2F keys is strong proof that it is amongst the safest security measures out there.
U2F does have some downsides, but they are all a result of the fact that this is a relatively new technology. As such, it is still not as widely supported as other security methods, so you will probably face quite a few “U2F not supported” errors. USB keys, for example, currently work only on Chrome and Firefox, but several other browsers are close to implementing U2F. NFC keys were limited to Android devices, but Apple is also jumping on the bandwagon. The other slight disadvantage of U2F compared to other methods is that is not free. U2F keys cost 20$ on average, but some more well-built models can be significantly more expensive.