This page was made with ClickFunnels - Create Marketing Funnels in Minutes! Click here to get a free 14 day trial account. Your page? Want to remove this banner?
Double Your Security with Double Factor Authentication 
Written by Grant Hunter,  28 November 2017
What is two factor authentication?

Also known as Two Factor Authentication, 2FA, or TFA, Double Factor Authentication is a type of Multi-Factor Authentication. It is a method of confirming your claimed identity by utilizing a combination of two different components. Basically, 2FA, adds a second level of authentication to the log-in of an account (when you have to enter only your username and one password, that's considered a single-factor authentication). It requires you to have two out of the three following types of credentials before being able to access an account:

  •  Knowledge Factors: such as a personal identification number (PIN), password or a pattern.
  • Possession Factors: such as an ATM card, phone, fob/hard token.
  • Inherence Factors: such as a bio-metric like a fingerprint, retina or voice print.
Single Factor (SFA) Vs Double Factor (2FA)

As far as SFA services go, user ID and password are the least secure. One problem with password-based authentication is it requires knowledge and diligence to create and remember strong passwords. Passwords are usually, personally relevant to you as we saw in the Passwords/Passphrases article, therefore highly susceptible to hackers using brute-force attacks; especially ones using anything drawing information from pop-culture or digital literature. 

Given enough time and resources, an attacker can usually breach password-based security systems with relative ease, even though passwords have remained the most common form of SFA because of their low cost, ease of implementation and familiarity. 

Multiple challenge-response questions can provide more security, depending on how they are implemented, and stand-alone biometric verification methods can also provide a more secure method of single-factor authentication.
This is why it is important for your online security, that you look into getting at least a second device for account verification.
Types of 2FA

Not all 2FA systems provide the same level of security. It is worth noting these and their relative strengths as there are many different devices and services for implementation; from tokens, to RFID cards, to smartphone apps to SMS confirmation.

  •  Avoid: SMS is the easiest to deploy and use. However, it has been at the center of a lot of two-factor hacks. High-security accounts are already moving away from it, but a frightening number of services still keep it as an option, giving anyone who compromises your carrier account an easy way in.
  •  More secure: A dedicated app like Authy or Google Authenticator, (which you can download onto your smartphone for free). They can sometimes have account reset issues, but they’re an easy way to get most of the protection two-factor has to offer.
  •  Most secure: The most secure form of two-factor is a hardware token or biometric capture. A popular hardware token is the Yubikey, which works for Google, Facebook, and a bunch of other major services. Thanks to the FIDO spec, it can’t be spoofed even if you stick it in the wrong computer. Samsung’s Knox offers biometric capture for fingerprint, face and iris with their newer devices.
How a typical hardware token works

There are all sorts of hardware tokens supporting various methods of authentication. For example, the YubiKey, is a small USB device that supports one-time passwords (OTP), public key encryption / authentication, and the Universal 2nd Factor protocol (U2F) developed by the FIDO Alliance. (Many companies including Microsoft, Google, Dropbox and PayPal currently support FIDO authentication).

Using a YubiKey is relatively easy. When you want to log into an online service, such as Gmail, or WordPress, you insert the YubiKey into the USB port of your device, enter your password, click in the YubiKey field and touch the YubiKey button. The YubiKey generates an OTP and enters it in the field.

(The OTP is a 44-character, single-use password; the first 12 characters are a unique ID that identifies the security key registered with the account. The remaining 32 characters contain information that is encrypted using a key only shared between the device and Yubico's servers, which was generated during the initial account registration).

The OTP is sent from the online service to Yubico for authentication checking. Once the OTP is validated, the Yubico authentication server sends back a message confirming this is the right token for you - the 2FA is complete.

At this point it is worth noting that both the Ledger Nano S and Trezor hardware wallets offer FIDO authentication - another great feature of these devices.

2FA for mobile devices

It isn’t always convenient to carry around an extra USB device for 2FA, plus there is the added risk of losing such a small piece of hardware. For this reason, 2FA using mobile phones has become increasingly popular. Although 2FA was first adopted by Google 2011, it’s only recently that we have seen the move into biometric methods with the increased level of technology in smartphones now. Smartphones offer a variety of possibilities for 2FA, allowing companies to use what works best for them. Some devices have screens/buttons capable of recognising fingerprints; a built-in camera can be used for facial recognition or iris scanning and the microphone can be used for voice recognition. Smartphones equipped with GPS can verify location as an additional factor. 

Apple iOS, Google Android, Windows 10 and BlackBerry OS all have apps which support 2FA, allowing the phone itself to serve as the physical device to satisfy the possession factor. These authenticator apps replace the need to obtain a verification code via text, voice call or email (the weakest form of 2FA).

For example, to accessing a website or web-based service that supports Google Authenticator is as easy as downloading an app and taking a photo! First of all, you download the app and then link the site/service to the app by typing the generated key when prompted or scanning a QR Code. The account is now linked. At login you then type in your username and password - the knowledge factor. You will then be prompted to enter a six-digit number. This is number is randomly generated by the app and is seeded every thirty seconds. By entering the correct number, you prove possession of the correct device - the possession factor. Your double factor authentication is complete.
Is 2FA secure?

2FA schemes are only as secure as their weakest component. For example, hardware tokens depend on the security of the issuer or manufacturer, and one of the most high-profile cases of a compromised two-factor system occurred in 2011, when security company RSA Security reported its SecurID authentication tokens had been hacked. 
The account-recovery process itself can also be subverted when it is used to defeat two-factor authentication, because it often resets your current password and emails a temporary password to allow the user to log in again, bypassing the 2FA process. The business Gmail accounts of the chief executive of Cloudflare were hacked in this way.
Although SMS-based 2FA is inexpensive, easy to implement and considered user-friendly, it is vulnerable to numerous attacks. In fact, The National Institute of Standards and Technology quietly withdrew support for SMS-based 2FA in August 2017, concluding one-time passwords sent via SMS are too vulnerable due to mobile phone number portability, numerous successful attacks against mobile phone carriers, and malware that can intercept or redirect text messages.
In conclusion

Double factor authentication does improve security, because the right to access no longer relies on the strength of a password alone. There is no single step you can take, and there is no ‘one size fits all’ approach to absolutely lock down your account security. Therefore it is important that you assess your individual situation, take several steps that can be considered ‘best practice’
  • Apply the practices discussed in our Passwords/Passphrases Article ‘here’.
  • If your bank or any organisation give you the option of using a hardware token for their accounts, use it.
  •  Download a dedicated app like Google Authenticator and use it wherever possible.
  •  If you own a device like a Ledger or Trezor hardware wallet, then use the FIDO application they come with wherever possible.
  •  Set up a different email address (ideally with a different service provider) for all your cryptocurrency logins to add another ‘veil’ to the rest of your personal/business life.
  •  If your smartphone utilises biometric verification, use it.
  •  Don’t share your login information with anyone, or click links to any sites you don’t know and trust.
  •  Avoid SMS verification for your high value accounts.
  •  Consider regularly changing the passwords to your accounts.
  •  Consider using a password manager application.
Here at Cypherpunks2.0 we aim to provide you with interesting and informative articles.  If you enjoy reading and see the value, please share this post with you friends!

BTC - 1KssP7Y47doZMFKf4ke5b7qAPiYyXLaN82
ETH - 0x8cb45afeffd7c26818f27be3d198dc59a6bd7490
LTC - LfnmBLtnogxNEBq4wS62y9DDvUTpddK8S3

About Author: Grant Hunter

Blogger, privacy advocate and content contributor. Grant is a deep philosophical thinker, an arm-chair economist, a cryptocurrency expert and a Cypherpunk! 
FB Comments Will Be Here (placeholder) - All Rights Reserved - Terms Of Service
support at
Powered By