The Complete Guide to Two-Factor Authentication
What is 2FA and why should you use it?
This section gives you an overview of what 2FA is and why it is essential to add this extra layer of security to your services.
Different forms of 2FA
Two-factor authentication comes in many shapes and forms. This section gives a comprehensive overview of the forms of 2FA, with the pros and cons of each.
2FA uses and best practices
If you want authentication to be both secure and efficient, you need to follow some best practices. This section lists what you should do for the three main uses of authentication, along with some general best practices.
Strong Customer Authentication and Legislation
With customer data, there is always a legal aspect involved – SCA, PSD2, GDPR. This section explains what these pieces of legislation are and what you need to do to comply with them.
Every story needs an ending. Here are some key takeaways from this guide.
What is 2FA and why should you use it?
2FA is not based on any new technology; it is already used by service providers handling highly personal information, such as Google and Facebook. Moreover, the number of service providers using 2FA keeps growing as a result of legislative pressure and the need for stronger protection of personal information.
Two-Factor Authentication (2FA) mitigates the threat of unauthorized access. Although it is still not 100% safe, it adds another solid layer of security to your online data and makes it much harder for an attacker to take over your email account or steal your private information.
Social engineering has become one of the favoured methods of gaining access to a person’s accounts: snippets of information found online are leveraged to obtain further information. This often starts with the family relations and work details shown on Facebook. An attacker then uses these details when contacting a customer service representative at your local utility provider to obtain your social security number or your spouse’s personal information (this method is known as pretexting).
So, what exactly is Two-Factor Authentication (2FA)?
Two-Factor Authentication is a method of authentication that uses two different layers of security for identifying you online. When you type in your username and password, you are using the first layer of authentication. The second layer is independent of the first one and is used to vastly decrease the risk of your account falling into the wrong hands.
This makes it more difficult for an attacker to impersonate someone and access their accounts or resources. Simply getting hold of your username and password is not enough: even if the attacker obtains your login credentials, they still need your device or your fingerprint to get into the account. This is far beyond what a regular attacker is capable of, as they need physical access to you, not just to your online information.
The authentication factors of a multi-factor authentication system may include:
A physical object in the user’s possession, such as a mobile phone, a USB stick with a secret token, a bank card, a key, etc.
A secret that is known to the user, such as a password, PIN, TAN, etc.
A physical characteristic of the user (biometrics), such as a fingerprint, eye iris, voice, typing speed, pattern in key press intervals, etc.
Somewhere the user is, such as a connection to a specific network (for example a particular VPN) or a GPS position that identifies the location.
These factors are combined in a multitude of ways to authenticate people, approve transactions, and grant access to services or devices. Our first experience with them is usually with global services we sign up for, such as Facebook, Instagram or Google, which recommend setting up one or several forms of 2FA to give your account additional security.
Another possibility is applying for loans or making transactions online where banks, lenders or service providers verify your phone number and the fact that you have that particular device. Most phones nowadays also have biometric scanners for the face or fingerprints, allowing only the owner with the specific authenticated biometric features to access the device.
In addition, passcodes, passwords, security questions, and everything else connected to any knowledge factors are the base layer of nearly every service, tool, device or system we have in our lives today.
A real-life illustration of 2FA is having two locks on your front door. That counts as 2FA as well, since two separate forms of authentication (keys) are required to gain access to the person’s home (possession).
Why should I care?
Our online identity is quickly becoming a bigger part of who we are than the identity we present to friends and family. A look at our Facebook friends list shows a number in the hundreds, if not thousands for some, which is usually many times higher than the number of people we actually interact with daily.
As we project our thoughts, ideas, likes and interests, dislikes and opinions to the world, a vast majority of people know us by our online persona, rather than our physical presence. Moreover, the information that we share becomes our personal information that can be used for us (to create better services) or against us by providing hackers with the information necessary to obtain access to our personal information to commit fraud on our behalf or even blackmail us.
Having control over and security for our information is crucial, particularly given the increasing effect our online presence has on our everyday lives. As this effect becomes more evident, so do the security risks, should this information be obtained by someone with criminal or ill intentions.
General passwords are vulnerable
Even if a password is long and complex, it is still just one piece of information that can be obtained, copied, cracked, and leaked, leaving our data unprotected. Large-scale leaks have become more frequent over the past few years. At this point, new leaks seem to occur almost weekly and their scale keeps growing. As data security evolves, unfortunately, so do the methods of data theft, so leaks are unlikely to disappear.
Additionally, as the number of passwords we have to manage grows, we tend to reuse them or pick ones that are easy to remember, which makes each password even more vulnerable.
So, as we put more personal data online every day, we cannot rely on the good old password alone to protect our accounts. Statistics show that “123456” is, unfortunately, still the most used password, and most certainly the worst. Increasing the complexity of a password is the first thing to do, but on its own it no longer meets the minimum security requirements.
That being said, it is highly recommended that you activate 2FA on sites that are already using it and if you have a business that stores any user data about your clients, please be responsible and keep the information safe with 2FA.
Moreover, if you’re in the European Economic Area or provide services for European citizens, you pretty much have to have a 2FA system in place to protect their data and process it securely.
Users, not just legislators, pay more and more attention to data security
If we are asked whether we would want our personal data to be 100% secure, the answer is almost always yes. In practice, people sacrifice some security for added convenience. The question is how much inconvenience it makes sense to accept for the added security measures designed to keep data safe.
We wouldn’t trust a bank whose online banking environment only uses regular passwords. It puts into question their entire security system and protocols. The thought alone that the only thing standing between a hacker and my money is knowing the name of my goldfish would make me take my business elsewhere.
The recurring major hacks and leaks have made users fearful, and rightfully so. More security features, strong cryptography, and multi-factor authentication are expected, and companies that draw attention to these aspects are more likely to win the users’ business.
We already have GDPR and PSD2 in Europe, pushing the companies to opt for more secure solutions but the users themselves in many cases still need to put the tools in action and secure their accounts with the 2FA option provided, as well as choose strong passwords.
Different forms of 2FA
The use of multiple authentication factors to prove one's identity is based on the premise that an unauthorized person is unlikely to be able to supply the factors required for access. If in an authentication attempt, at least one of the components is missing or supplied incorrectly, the user's identity is not established with sufficient certainty and access to the asset (e.g., a building, or data) being protected by multi-factor authentication remains blocked.
Even two doors with different locks are considered multi-factor authentication, though, for the purposes of this guide, we’ll take a more in-depth look into the multiple ways that our data is protected when online services are concerned.
Knowledge factors are the most commonly used form of authentication. In this form, the user is required to prove knowledge of a secret in order to receive authentication and, therefore, access, so anything from a password or PIN code to your mother’s maiden name is considered a knowledge factor.
However, any password or PIN used for authentication needs to be strong. Long strings of unconnected characters mixing lower- and uppercase letters, numbers and special characters are recommended.
Many secret questions, such as "Where were you born?", are poor examples of a knowledge factor because the answer may be known to a wide group of people or may be easily found on the Internet (e.g. Facebook). Social engineering as a means of gaining unlawful access to personal information such as credit card details and social security numbers relies on exactly this kind of predictable information, for which social media offers hints: your mother’s or dog’s name, your birthday, the bank you use, etc.
Possession factors (something only the user has) have been used for authentication for years, in the form of a key to a lock. The basic principle is that the key embodies a secret, which is shared between the lock and the key and the same principle underlies possession factor authentication in computer systems.
A security token is an example of a possession factor, and so is a mobile phone. The latter can create some issues, though, as it needs to be secured by multiple layers itself: we often access our personal services and complete the second authentication step on the same phone. If the phone is stolen and unlocked, several factors are negated at once because they all live on the same handset. Thus, hard-to-guess passcodes, biometric protection, and different passcodes for the different authentication layers are important to have.
Possession factors also include one-time codes sent to a mobile device, such as SMS codes or OTPs, which are currently the most popular form of multi-factor authentication when combined with a username and password.
Disconnected tokens have no connections to the client’s computer. They typically use a built-in screen to display the generated authentication data, which is manually typed in by the user. These are usually called passcode calculators.
Connected tokens are devices that are physically connected to the computer to be used. Those devices transmit data automatically. There are several different types, including card readers, wireless tags, and USB tokens.
Software tokens (a.k.a. soft tokens) are stored on a general-purpose electronic device such as a desktop computer, laptop, PDA, or mobile phone, and can be duplicated. The device need not be one the user interacts with directly: a certificate installed and stored securely on it can serve the same purpose, so that only that specific device can access the network, regardless of where the device is located.
These factors (something the user is) are associated with the user and are usually biometric methods, including fingerprint, face, voice, or iris recognition. Behavioural biometrics such as keystroke dynamics can also be used.
Increasingly, a fourth factor is coming into play: the physical location of the user. While hard-wired to the corporate network, a user could be allowed to log in with only a PIN code; while off the network, entering a code from a soft token could be required. This can be an acceptable standard where physical access to the office is controlled.
Network admission control systems work in a similar way: your level of network access can depend on the specific network your device is connected to, such as Wi-Fi as opposed to a wired connection. This also allows a user to move between offices and dynamically receive the same level of access in each. It is still recommended that access to the office network and the company toolset be covered by additional passwords that differ from the network ones, as well as by additional multi-factor authentication methods.
There are several ways to create multiple layers of protection for your services and tools. Some are easier to implement than others, but the more complex options offer certain security advantages. Wherever possible, stacking multiple layers on top of each other and protecting the layers themselves is the best way to go, though do keep the user experience in mind.
2FA uses and best practices
Authentication is used in a variety of ways, but they usually fall under three categories: granting access, verifying a transaction, and verifying a device or person. Each category has a multitude of sub-uses and accompanying best practices, both for the first form of authentication used and for the second layer used thereafter. Examples follow:
The most common form of authentication is granting a person or device access to some kind of information, tool, place or network. Thus, this covers the usual account logins but also unlocking your phone, your house door, etc.
The most common form of granting access online is the username and password combination used to log in to an account, e.g. Facebook. While there are few best-practice requirements for the username, there are several crucial things to consider when choosing a password or security question.
Passwords are generally a familiar concept but we often use weak or predictable passwords and codes to lock our devices such as “password”, “12345”, “My dog”, “admin” or something else along those lines.
A password or passcode should be more complicated and longer, for example: “3! 5PokmnhT54eSX&/”. This version uses both numbers and letters as well as special characters, has lower and uppercase letters, is more than 15 characters long and is not a word, phrase or a distinguishable pattern.
So, in this case, you can’t guess the password without prior knowledge as to the method used and even then, it’s hard to figure out. The length also means that brute force attacks are much harder to do since the number of possible combinations is very high.
There are several places where you can test your password strength, such as Passwordmeter or Howsecureismypassword. Keep in mind, though, that they do not evaluate the randomness of the password, only the combination of letters and characters; therefore “Yourname34!65” is still rated as secure.
For passcodes where letters or special characters cannot be used, a long random string is best. It is important that it be somewhat random, as your birthday or social security number can be guessed. One way to tackle this is to choose a word such as “Ground” and use a phone’s keypad to get the corresponding string: 477766688663. This way, the passcode is still long but a bit easier to remember. If you can think of a random word, that is even better, such as “rackor” - 777222255666777.
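The keypad method above, as an added example that is not part of the original guide: it encodes a word with multi-tap keypad input exactly as described ("Ground" to 477766688663) and then contrasts what a digit-counting strength meter reports with what an attacker who knows the method actually has to search. The wordlist is constructed and deliberately tiny.

```python
"""Phone-keypad passcodes ("Ground" -> 477766688663) and why a digit-counting
strength meter overrates them. Added example with a constructed wordlist."""
import math

# Letters on a standard phone keypad (ITU E.161). With multi-tap input the first
# letter on a key is one press, the second two presses, and so on.
KEYPAD = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
          "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
LETTER_TO_TAPS = {ch: key * (i + 1)
                  for key, letters in KEYPAD.items()
                  for i, ch in enumerate(letters)}


def keypad_passcode(word: str) -> str:
    """Encode a word the way the guide describes: "Ground" -> "477766688663"."""
    return "".join(LETTER_TO_TAPS[ch] for ch in word.lower())


def meter_entropy_bits(passcode: str) -> float:
    """What a character-counting meter reports: every digit treated as random."""
    return len(passcode) * math.log2(10)


def informed_entropy_bits(wordlist_size: int) -> float:
    """What a guesser who knows the method faces: one guess per candidate word."""
    return math.log2(wordlist_size)


def candidate_words(passcode: str, wordlist) -> list[str]:
    """Words in `wordlist` that encode to `passcode`. The transform is not
    uniquely decodable when neighbouring letters share a key ("rackor" has
    a,c -> "2222"), so a guesser simply encodes each word and compares."""
    return [w for w in wordlist if keypad_passcode(w) == passcode]


if __name__ == "__main__":
    # Constructed, deliberately tiny wordlist standing in for a real dictionary.
    words = ["ground", "around", "rackor", "secure", "mobile", "tokens"]
    pin = keypad_passcode("Ground")
    print(pin,
          f"meter: {meter_entropy_bits(pin):.1f} bits;",
          f"informed guesser: {informed_entropy_bits(len(words)):.1f} bits;",
          "matches:", candidate_words(pin, words))
```

The digit string is a deterministic function of the word, so its real strength is that of the word against a dictionary, which is why a truly random word is the better choice.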
Security questions are a bit trickier, especially because they are rarely used as the main login knowledge check. They are rather used as a second layer or as an additional security measure at certain access steps. This makes things trickier because the security question should not be given the answer it usually would have. So, for “What’s your mother’s maiden name?” the answer should not be your mother's actual maiden name, such as “Meadows”; it should rather be a random word or another strong password that cannot be guessed.
The problem here is that if the security question does not come up very often (I’ve used them around 3-5 times in my life), you forget the answer, and if it is a long string, you will not be able to guess or recall it either. So, using a random word that is somehow associated with your mother’s maiden name but is obvious only to you would be the best way to go. If you can avoid them, though, do not use security questions at all. Most of the time, they lead to the user entering the true answer, which makes it easily predictable.
Furthermore, access can, of course, be granted by using a physical or digital key, by opening a trick latch, or by knowing that the door is open (be it a digital or physical door).
The companies or online services implementing transactional confirmations should consider the following:
The security of the tool used
Email might not be the most secure channel, as it is subject to phishing schemes, and if access is gained to some online service, the likelihood of a reused password makes the email account more vulnerable as well.
The user’s access to the second layer
Most people have a phone capable of receiving an SMS, but data connections and phones that support apps are less universal; the same goes for biometrics and the associated scanners.
The simplicity of the user experience
Receiving an SMS is easy; opening an app, registering it with the service, and then opening the app each time might be more of a hassle, though it might also be more secure.
The optimal approach would be to use a common tool such as an SMS TOTP (Time-Based One-Time Password) combined with an additional measure such as a secondary password, to add another level of security and protect against SIM-swap or SMS-interception situations, should they occur (however, many of these are somewhat overblown in the press).
This method is secure, inexpensive to implement, easy to use, and accessible, since most phones can receive an SMS.
Verifying a person
Verifying a person may be the form of authentication we are most familiar with and use most frequently, depending on the device we have: every time we use the fingerprint scanner or facial recognition on our phone, we are asked to prove that we are the right person in order to gain access to the device.
Veriff is an example of an online service used for identity verification through document and webcam picture analysis, ensuring that the document is genuine, that the picture on it matches the face on camera, and that no fraudulent details are detected. While it is a secure method, verifying the person, their possession of the document, and the document itself at the same time, it is a bit more of a hassle for the user (have I mentioned that it’s really easy to receive an SMS?).
Some additional apps and scanners can also be used for person verification. They usually rely on biometric credentials such as fingerprints or the iris of the eye. The downside is the expense of implementing such a system (for example developing your own app for your specific needs, or the additional data security requirements that cost more time and money), and access to these tools is more limited as well (not all phones have fingerprint readers).
If the person specifically needs to be verified (rather than their signature, their possession of a specific phone number, or their knowledge of a specific password), the key is a system that makes the verification process as seamless as possible while ensuring security and ease of implementation.
Overall best practices and conclusion
It is generally agreed that having multiple layers of security, both for access to a service and for specific actions conducted within it, is a good idea. However, overcomplicating the process is not recommended, as it might lead customers to opt for a competitor whose service flow is better and whose actions are quicker and more seamless. Thus, striking the right balance is key.
Here’s one way to go about setting up a security system that combines multiple layers:
Keeping up to date with the latest major breaches is a good idea as well. They highlight some of the most common issues any company might stumble upon, and draw attention to aspects we do not often consider, such as training employees to counter phishing or pretexting attempts, secure practices for setting up passwords, and granting other people access to devices.
Strong Customer Authentication and Legislation
Personal data security, related hacks, breaches, and identity theft have become a frequent aspect of our everyday lives. It seems not a week goes past without another minor or major data breach leaving thousands, if not millions of people vulnerable with their data in the hands of criminals looking to exploit the data for their own gains, be it stealing your money, blackmailing you or just creating chaos for the fun of it.
As such, the protection of that information has become a crucial topic as well, be it via strengthened customer authentication, encryption, or the good old “not putting personal stuff on the internet” method. Whatever the case, it used to be up to the user to ensure their own safety. However, with the introduction of the General Data Protection Regulation (GDPR) and the Second Payment Services Directive (PSD2), the European Union’s legislative body has shifted the obligations onto the service providers, who now must ensure that data is processed, managed, shared, and stored securely.
Strong Customer Authentication is defined as a specific term in PSD2, together with its requirements (we covered them in more detail in the RTS whitepaper). But what is the bigger story around this?
2FA and GDPR
GDPR was designed to replace a more than 20-year-old piece of legislation that had long since become unable to regulate the new information age. The new regulation was created with this century and future requirements in mind, and as such the security of personal data was brought to the forefront.
Data processing has to be secure, limited, and steps need to be taken to ensure that the data management process itself is designed in a manner that takes into consideration the multiple risks associated and combats them with the most up-to-date measures.
For companies, this means that they have to build, monitor, and update their systems while taking the latest security standards into consideration as well as constantly assess new possible risks. This includes, of course, the procedures for 2FA (two-factor authentication) or multi-factor authentication.
2FA and MFA are methods of account security where the user has to present a minimum of two (for 2FA) or more (for MFA) of the following: a piece of information (knowledge), a device (possession), or a physical feature (inherence). In other words: know a password, have a phone that can receive PIN codes, or be a person with unique fingerprints or eyes.
While the use of 2FA or MFA under GDPR is not strictly mandatory, the regulation leaves little room for debate in that regard, as stated in Article 32, paragraphs 1 and 2:
1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
   (a) the pseudonymisation and encryption of personal data;
   (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
   (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
   (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
2. In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from an accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
So, paragraph 1 makes it mandatory to assess the associated risks and to apply the listed measures, as well as additional ones, where the risk is present. Furthermore, paragraph 2 highlights unauthorised access to personal data that is transmitted, stored or otherwise processed as a key risk factor.
Few tools are as well known, as easy to implement, and still provide as solid a foundation of security as 2FA. Simply adding another layer on top of the usual knowledge factor (username and password) adds a significant amount of security to the data management process and limits the risk of unlawful access.
It also helps with breach detection, because 2FA often comes with notifications when another device attempts to access the account. As such, 2FA is one of the crucial tools for reaching compliance, a simple addition to the security toolset that users already know, and it helps with the monitoring part of the equation as well.
2FA and PSD2
Where GDPR alludes to the need for a 2FA system, PSD2 explicitly demands it of payment service providers in Article 97:
1. Member States shall ensure that a payment service provider applies strong customer authentication where the payer:
   (a) accesses its payment account online;
   (b) initiates an electronic payment transaction;
   (c) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.
2. With regard to the initiation of electronic payment transactions as referred to in point (b) of paragraph 1, Member States shall ensure that, for electronic remote payment transactions, payment service providers apply strong customer authentication that includes elements which dynamically link the transaction to a specific amount and a specific payee.
The requirements become more specific in the Regulatory Technical Standards document (explained in detail in our whitepaper), where the requirements for Strong Customer Authentication (the regulation’s term for 2FA and MFA) are laid out: which methods should be used, in which manner, and when.
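The SMS one-time code for transaction confirmation recommended in the best-practices section, combined with the dynamic linking to amount and payee that Article 97(2) above requires, as an added example that is not part of the original guide or of any vendor’s product. It shows the server side only: the code is bound to the transaction through a keyed hash, expires, allows a limited number of guesses, and can be used once. The server key, session ids, IBAN and amounts are constructed test values, and the SMS gateway call is left to the caller.

```python
"""Server-side verification of an SMS one-time code that is dynamically linked
to the transaction it approves (amount + payee), with expiry, attempt limiting
and one-time use. Constructed example; not the guide's or any vendor's code."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # a code is only valid for five minutes after issue
MAX_ATTEMPTS = 3         # after three wrong guesses the code is discarded


@dataclass
class Challenge:
    code_hash: bytes     # only a keyed hash of the code is stored, never the code
    issued_at: float
    attempts: int = 0
    used: bool = False


def transaction_context(amount_cents: int, payee_iban: str) -> bytes:
    """Canonical description of what the user is approving. Binding the code to
    it is the 'dynamic linking' PSD2 Article 97(2) asks for: a code issued for
    one amount/payee cannot be reused to approve a different transaction."""
    return f"{amount_cents}|{payee_iban.upper().replace(' ', '')}".encode()


def hash_code(server_key: bytes, code: str, context: bytes) -> bytes:
    return hmac.new(server_key, context + b"|" + code.encode(), hashlib.sha256).digest()


class OtpService:
    """Issues and verifies codes. `now` is injectable so expiry can be tested."""

    def __init__(self, server_key: bytes, now=time.time):
        self._key = server_key
        self._now = now
        self._challenges: dict[str, Challenge] = {}

    def issue(self, session_id: str, amount_cents: int, payee_iban: str) -> str:
        # Cryptographically random, fixed-width digits; never derived from the clock.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        ctx = transaction_context(amount_cents, payee_iban)
        self._challenges[session_id] = Challenge(hash_code(self._key, code, ctx), self._now())
        # The caller hands `code` to the SMS gateway. The message text should
        # repeat the amount and payee so the user can spot a swapped transaction.
        return code

    def verify(self, session_id: str, amount_cents: int, payee_iban: str,
               submitted: str) -> bool:
        ch = self._challenges.get(session_id)
        if ch is None or ch.used:
            return False                       # unknown session or replayed code
        if self._now() - ch.issued_at > CODE_TTL_SECONDS:
            del self._challenges[session_id]   # expired: force a fresh code
            return False
        ch.attempts += 1
        if ch.attempts > MAX_ATTEMPTS:
            del self._challenges[session_id]   # brute-force guard
            return False
        actual = hash_code(self._key, submitted,
                           transaction_context(amount_cents, payee_iban))
        if not hmac.compare_digest(ch.code_hash, actual):
            return False                       # wrong code OR tampered amount/payee
        ch.used = True                         # a code approves exactly one transaction
        return True


if __name__ == "__main__":
    svc = OtpService(secrets.token_bytes(32))
    iban = "DE89 3704 0044 0532 0130 00"      # constructed example IBAN
    code = svc.issue("session-1", 12050, iban)
    print("tampered amount accepted:", svc.verify("session-1", 99999, iban, code))
    print("genuine transaction accepted:", svc.verify("session-1", 12050, iban, code))
    print("replay accepted:", svc.verify("session-1", 12050, iban, code))
```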
2FA and compliance
While these two pieces of legislation only affect companies that provide services within the European Economic Area (EEA) or to European citizens, that does mean that any global service provider with even one EU citizen among its users needs to meet the requirements of GDPR, and payment service providers need to tackle PSD2 as well.
However, 2FA has bigger considerations beyond the two acts mentioned above. Fraud prevention measures are a common requirement for most companies providing services online, and whether in the EU or elsewhere, having measures in place to prevent fraud makes business sense. Fraudulent claims, account takeovers, and disputed purchases are challenging for any business, so a multi-layered authentication procedure makes sense from a business perspective, not just a legal one.
Having 2FA on a company’s internal systems makes sense, too. Just recently, the Cancer Treatment Centers of America were subject to a data breach via a phishing scheme that 2FA could have prevented. Once the user’s credentials (username and password) were compromised, access to the general database was immediate; no secondary security measure stood in the way. Had 2FA been in place, the second step would have bought time for the user to change their password, regain access, or realize that the email was fraudulent.
2FA is mandatory for payment service providers in the EEA. For any other service provider in the EEA it is strongly recommended and most likely required in practice, and it is a valuable tool against fraud and breaches for every company in the world that keeps even a small amount of sensitive data behind security credentials, whether on the internet or in any other accessible data store.
Even though 2FA is not a new technology, the need for it is greater than ever, and the privacy laws being implemented throughout Europe increase that demand. Attackers looking for every little vulnerability constantly target businesses, and most of these attacks could be prevented by two-factor authentication. Although it is not 100% safe, it adds another solid layer of security to your online data and makes it much more difficult for attackers to get access to your information.
Make sure you choose the form of 2FA that fits your business needs. We recommend SMS, as it is low-cost and universal. Also keep in mind the best practices that go with it, so you do not compromise the security of the system.
Hopefully, this guide will help you get started without too much of a hassle. You can always come back to it if you need to remind yourself of any information.
Also, you can download the PDF version for easy access. Feel free to contact us if you have questions that you can’t find answers to in this guide. We’ll gladly help you.