Tuesday, August 1, 2017

Methods of two factor authentication

Most people are used to logging into a website using a username and password. However, a number of security breaches have been caused by weaknesses in the username/password login method.

To combat these breaches, most online organisations offer some form of 2nd factor login. 2nd factor (sometimes called two step) means providing a secondary method of authentication of a different type than the initial verification, e.g. a password and a thumbprint, or a password and a number provided by an SMS message. This means that even if the password has been discovered by a third party by some method, the account remains secure. It is important to note that the 2nd factor needs to be provided by some other method than the original factor: having a password and a PIN would not be useful, as they would probably be exposed by the same weaknesses.

There are a number of two factor authentication methods that online organisations use in addition to passwords, and I will take a look at three of the most popular methods for private 2 factor authentication.

Authentication App

There are a number of authentication apps that you install on your mobile phone and then synchronise with the website by some method.

These offer time-based codes that change every thirty seconds or so, usually 6 digits long. The user logs in with their username and password and is then presented with a request for the authentication code. The user opens the app and enters the authentication code for that website. Most of these apps show a countdown of the number of seconds for which the code remains valid, so the user can wait until the next time slot if the current one is running out.

Once the app is installed on the phone, setting it up for websites that use this method is straightforward. More than one website's authentication code can be stored in the app, so there is some flexibility.
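Authenticator apps of this kind commonly implement TOTP (RFC 6238). The following is an added example, not code from any particular app or website: it derives the 6-digit code for a 30-second slot, computes the countdown, and shows a server-side check that tolerates one slot of clock drift and refuses a code that was already used. The secret is the published RFC 6238 test key, and the function names are illustrative.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds each code stays valid
DIGITS = 6   # length of the code shown to the user

# Sample shared secret (RFC 6238 test key "12345678901234567890", base32).
# A real secret is random and delivered once at enrolment, usually via QR code.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, now=None, step=STEP, digits=DIGITS):
    """Code an authenticator app displays at Unix time `now`."""
    now = time.time() if now is None else now
    key = base64.b32decode(secret_b32.upper())
    counter = int(now // step)                      # index of the time slot
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                         # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def seconds_left(now=None, step=STEP):
    """Countdown the app shows before the code changes."""
    now = time.time() if now is None else now
    return step - int(now) % step


def verify(secret_b32, submitted, now=None, window=1, last_used=None):
    """Server-side check: accept the current slot +/- `window` slots of drift.

    `last_used` is the slot of the last accepted code for this account; slots
    at or before it are skipped so a captured code cannot be replayed.
    Returns the matched slot (store it as the new last_used) or None.
    """
    now = time.time() if now is None else now
    current = int(now // STEP)
    for slot in range(current - window, current + window + 1):
        if last_used is not None and slot <= last_used:
            continue
        expected = totp(secret_b32, now=slot * STEP)
        if hmac.compare_digest(expected, submitted):  # constant-time compare
            return slot
    return None
```

The drift window is the trade-off to watch: each extra slot accepted makes login more forgiving and also lengthens the time a phished code remains usable.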

A few apps and websites allow a slightly different method: when you log into the website, a pop-up appears on your phone telling you someone is logging into your account and asks you whether to approve or block the login.

This is my preferred method of 2nd factor for websites, as it is simple and a lot of websites support it. Twitter and Facebook have an authentication code app built into their mobile apps that you can use to authenticate with their services.

Hardware token

Corporate organisations have used hardware tokens for a number of years for remote workers. The most common of these is the RSA token, a small device with an LED display which shows a code, similar to the authenticator apps. The main problem with these devices is that they are locked to one system, so if you have to authenticate to multiple systems you need multiple keys.

Over the last few years a standard called Universal 2nd Factor (U2F) has been created and has been implemented by online services. U2F devices are low cost physical devices that use USB or NFC chips to present an authentication code to the service.

Physically they come in a number of shapes, some like small traditional USB sticks, others as flat sheets with just the USB pins at one end. Often they have a push button or sensitive pad that you press to send the code, and there is even one available with a fingerprint reader for extra security.

[Image: Yubikey U2F key]

Initial setup requires that you register the device with the website or service that you wish to authenticate to. The next time you need to authenticate with the service, you are asked to insert the key; once it is inserted, tapping the activation pad inputs a time sensitive code into the device that provides the authentication.

SMS messages

Often websites offer SMS message authentication. This is simply where you register your mobile number with the website, and after you have entered your username and password the website sends you a text message with a login code. Enter this code and the login is complete.

If this is the only option available on the website, then using it is better than not using it. However, due to the nature of SMS (it is not encrypted and has a few other faults), it has been used in a number of banking frauds. If there is a different option for 2 factor authentication, then SMS codes should be disabled.


When enabling 2 factor authentication, a backup method of logging in should be set up and maintained in case the authentication device is lost or has failed. Most sites offer a set of backup login codes which you can print off and lock away in a safe. You can also use additional methods of 2 factor, such as an authenticator app and a hardware token.

In summary

If you haven't turned on 2 factor authentication when it is available, please give it a try. The above methods are fairly straightforward to set up and use, and provide a huge increase in the level of protection available to your data. have a list of websites that support 2nd factor.

If you only enable it for one or two websites, please set it up for your main email account or the one that receives all your password reset links.