5 two-factor authentication methods, their advantages and disadvantages
Technologies / December 19, 2019
More and more people are thinking about using two-factor authentication to protect their data on the web. Many are put off by the complexity and obscurity of the technology, which is no wonder, because there are several ways to implement it. We will look at all of them, reviewing the advantages and disadvantages of each.
Two-factor authentication rests on using not only the traditional login-password pair but also an additional layer of protection, the so-called second factor, possession of which must be confirmed to gain access to an account or other data.
The simplest example of two-factor authentication, one that each of us encounters constantly, is withdrawing cash at an ATM. To get money, you need a card that only you have and a PIN that only you know. An attacker who gets hold of your card cannot withdraw cash without knowing the PIN, and likewise cannot get the money by knowing the PIN without having the card.
Two-factor authentication protects access to your social network accounts, e-mail and other services on the same principle. The first factor is the combination of user name and password, and the second can be any of the following 5 things.
SMS codes
Confirmation by SMS code works very simply. You enter your username and password as usual, and an SMS with a code arrives at your phone number; you must enter this code to access your account. That's all. At the next login a different SMS code is sent, valid only for the current session.
Benefits
- A new code is generated for each login. If attackers steal your username and password, they cannot do anything without the code.
- Binding to a phone number. Logging in is impossible without your phone.
Disadvantages
- If there is no network coverage, you will not be able to log in.
- There is a theoretical possibility of number substitution by the carrier or by employees of mobile phone shops.
- If you log in and receive codes on the same device (e.g., a smartphone), the protection ceases to be two-factor.
Authenticator apps
This option is largely similar to the previous one, the only difference being that instead of arriving by SMS, the codes are generated on the device by a special application (Google Authenticator, Authy). During setup you receive a primary key (most often in the form of a QR code), from which cryptographic algorithms generate one-time passwords valid for 30 to 60 seconds. Even if we assume that attackers manage to intercept 10, 100 or even 1000 passwords, predicting the next password from them is simply impossible.
Benefits
- The authenticator does not need a cellular signal; an internet connection during the initial setup is sufficient.
- Support for multiple accounts in a single authenticator.
Disadvantages
- If attackers gain access to the primary key, on your device or by hacking the server, they will be able to generate future passwords.
- If the authenticator runs on the same device you log in from, the second factor is lost.
Login verification using mobile apps
This type of authentication can be called a grab-bag of all the previous ones. In this case, instead of requesting codes or one-time passwords, the service asks you to confirm the login from a mobile device that has the service's application installed. A private key is stored on the device and is checked at each login. This works in Twitter, Snapchat and a variety of online games. For example, when you sign in to your Twitter account in the web version, you enter your login and password, then receive a notification on your smartphone asking you to confirm the login; after you confirm it, your feed opens in the browser.
Benefits
- You do not need to enter anything when logging in.
- Independence from the cellular network.
- Support for multiple accounts in one application.
Disadvantages
- If attackers steal the private key, they can impersonate you.
- The point of two-factor authentication is lost when the same device is used to log in.
Hardware tokens
Physical (or hardware) tokens are the most reliable method of two-factor authentication. Being separate devices, hardware tokens, unlike all the methods listed above, do not lose their second-factor component under any scenario. Most often they take the form of a USB stick with its own processor that generates cryptographic keys, which are entered automatically when the token is connected to a computer. The choice of key depends on the particular service. Google, for example, recommends using tokens of the FIDO U2F standard, whose prices start at $6 excluding delivery.
Benefits
- No SMS and no applications.
- No mobile device is needed.
- It is a completely independent device.
Disadvantages
- You need to buy separately.
- Not supported by all services.
- With multiple accounts, you will have to carry a whole bunch of tokens.
Backup keys
In fact, this is not a separate method but a fallback in case of loss or theft of the smartphone that receives the one-time passwords or verification codes. When you set up two-factor authentication, each service gives you several backup keys for emergency use. With their help, you can log into your account, unlink configured devices and add new ones. These keys should be stored in a safe place, not as a screenshot on your phone or a text file on your computer.
As you can see, using two-factor authentication has some nuances, but they seem difficult only at first glance. Everyone decides for themselves what the ideal balance between protection and convenience should be. But in any case, all the trouble is more than justified when it comes to the security of payment data or personal information not intended for prying eyes.
You can read here about where two-factor authentication can and should be enabled, as well as which services support it.