The Complete Guide to Two-Factor Authentication
What is 2FA and why should you use it?
This paragraph will give you an overview of what 2FA is and why it’s essential to use this extra layer of security for your services.
Different forms of 2FA
Two-factor authentication comes in many different shapes and forms. You’ll find a comprehensive overview of all the forms of 2FA with pros and cons for each.
2FA uses and best practices
If you want to be sure that the authentication is secure and efficient, you need to follow some best practices. Here’s a list of things you should do for three main forms of authentication and some general best practices.
Strong Customer Authentication and Legislation
With customer data, there’s always a legal aspect involved – SCA, PSD2, GDPR. You’ll find what these legislations are and what you need to do to comply with them.
Every story needs an ending. Here are some key takeaways from this guide.
What is 2FA and why should you use it?
Two-factor authentication is not a new method of increasing the strength of account security. It is already used by some service providers handling extremely personal information such as Google and Facebook.
Many service providers use two-factor authentication as a result of legislative pressure and the need for more user security when personal information is concerned.
This is where two-factor authentication comes in. It mitigates the threat of unlawful access and, although it is still not 100% safe, it adds another solid layer of security to your online data and makes it more difficult for hackers to access your email account or steal your private information online.
Social engineering has become one of the favoured methods of gaining access to a person’s accounts by using snippets of information found online and then leveraging those to gain access to additional information. This information often includes your family relations and work information shown on Facebook. Hackers then use this information when contacting a customer service rep at your local utility provider to gain access to your social security number or your spouse’s personal information. This method is known as pretexting.
So, what exactly is Two-Factor Authentication (2FA)?
Two-Factor Authentication is a method of authentication that uses two different layers of security for identifying you online.
When you type in your username and password, you are using the first layer of authentication. The second layer is independent of the first one and is used to vastly decrease the risk of your account falling into the wrong hands.
If a hacker somehow obtains your login credentials, they will still need your mobile device or your fingerprint to access the account. This is far beyond what a regular hacker is capable of, as they would need physical access to you, not just to your online information.
The authentication factors of a multi-factor authentication system may include:
A physical object in the user’s possession, such as a mobile phone, a USB stick with a secret token, a bank card, a key, etc.
A secret that is known to the user, such as a password, PIN, TAN, etc.
A physical characteristic of the user (biometrics), such as a fingerprint, eye iris, voice, typing speed, pattern in key press intervals, etc.
Somewhere that you are located, such as a connection to a specific computing network (specific VPN connection) or utilizing a GPS signal to identify the location.
These are used in a multitude of ways in two-factor authentication to authenticate people and transactions and to provide access to services or devices. Usually, our first experience is with the global services we sign up for, such as Facebook, Instagram, or Google, which recommend setting up one or several forms of two-factor authentication for your account to ensure additional security.
Another possibility is applying for loans or making transactions online where banks, lenders, or service providers verify your phone number and the fact that you own that particular device. Most phones nowadays also have biometric scanners for the face or fingerprints, allowing only the owner with the specific authenticated biometric features to access the device.
A real-life equivalent of two-factor authentication is having two locks on your front door: two separate forms of authentication (the keys) are needed to get into the home (the possession).
Why should I care?
Your online identity is quickly becoming a bigger part of who you are.
As we project our thoughts, ideas, and opinions to the world, a vast majority of people know us by our online persona, rather than our physical presence.
The information we share becomes personal data that can be used for us (to build better services) or against us, by giving hackers what they need to gain access to our personal information, commit fraud in our name, or even blackmail us.
Having control over the security of our personal information is crucial, especially considering the effect our online presence has on our everyday lives. As this effect becomes more evident, so do the security risks.
General passwords are vulnerable
Even if the string is long and complicated, it’s still just one piece of information that can be obtained, copied, hacked, and leaked, leaving our information unprotected. Leaks on a major scale have become more frequent over the past few years. At this point, it seems that new leaks occur almost weekly. As data security keeps evolving, so do methods of data theft. So, leaks are unlikely to disappear.
Additionally, as the number of passwords a person has to use increases, people are more likely to reuse the same password, which makes every account sharing that password more vulnerable.
We can’t just rely on the good old password to protect our accounts. Statistics show that “123456” is the most used password and most certainly the worst.
Increasing the complexity of a password is the first thing you should do. But more can be done.
It is highly recommended that you activate two-factor authentication on sites that offer it. If you are a business, consider implementing two-factor authentication to protect your users' data.
If you’re in the European Economic Area or provide services for European citizens, you have to have a two-factor authentication system in place to protect their data and process it securely.
Users pay more and more attention to data security, not just the legislature
In practice, people would sacrifice some security for added convenience.
To what extent would it make sense to sacrifice the security of data for convenience?
We wouldn’t trust a bank whose online banking environment only uses regular passwords. It puts into question their entire security system and protocols.
We already have GDPR and PSD2 in Europe, pushing companies to opt for more secure solutions, but in many cases the users themselves still need to put the tools into action: secure their accounts with the two-factor authentication option provided and choose strong passwords.
Different forms of 2FA
The use of multiple authentication factors to prove one's identity is based on the premise that an unauthorized person is unlikely to be able to supply the factors required for access.
In an authentication attempt, if one of the components is missing or incorrect, the user's identity is not established. Access to the asset being protected by multi-factor authentication remains blocked.
Let's take a more in-depth look at the multiple ways our data is protected when online services are concerned.
Knowledge factors are the most commonly used form of authentication. In this form, the user is required to prove knowledge of a secret in order to receive authentication and get access. Anything from a password or PIN code to your mother’s maiden name is considered a knowledge factor.
Any password or PIN used for authentication needs to be strong. Long strings of unconnected characters that mix lower- and upper-case letters, numbers, and special characters are recommended.
Many secret questions such as "Where were you born?" are poor examples of a knowledge factor because they may be known to a wide group of people or easily found on the Internet (e.g. Facebook).
Social media often supplies the answers to personal-information questions: your mother's or dog's name, your birthday, the bank you use, etc. Such predictable information can give hackers access to credit card details and social security numbers.
Possession factors (something only the user has) have been used in two-factor authentication for years, in the form of a key to a lock. The basic principle is that the key embodies a secret that is shared between the key and the lock. The same principle underlies possession-factor authentication in computer systems.
A security token, such as a mobile phone, is an example of a possession factor. Possession factors are difficult to attack because the attacker needs access to the phone itself. Multiple layers of security still allow the legitimate user to move through the checks easily, but if a phone is stolen and access to it is gained, every factor that lives on the same handset is negated. Strong passcodes, biometric protection, and different passcodes for the different authentication layers are therefore important to have set up.
Possession factors also include PIN codes sent to a phone number, such as SMS codes or OTPs, which are currently the most popular means of multi-factor authentication when combined with a username and password.
Disconnected tokens have no connection to the client’s computer. They typically use a built-in screen to display the generated authentication data, which the user then types in manually. These are usually called passcode calculators.
Connected tokens are devices that are physically connected to the computer to be used. Those devices transmit data automatically. There are several different types, including card readers, wireless tags, and USB tokens.
Software tokens (a.k.a. soft tokens) are stored on a general-purpose electronic device such as a desktop computer, laptop, PDA, or mobile phone, and can be duplicated. The token may not be something the user interacts with directly: a certificate loaded onto the device and stored securely can serve the same purpose. This means that only one specific device can access the network, regardless of where that device is located.
Inherence factors are factors associated with the user themselves and are usually biometric methods, including fingerprint, face, voice, or iris recognition. Behavioural biometrics such as keystroke dynamics can also be used.
Increasingly, a fourth factor is coming into play: the physical location of the user. While hard-wired to the corporate network, a user could be allowed to log in using only a PIN code; while off the network, entering a code from a soft token could be required. This can be an acceptable standard where physical access to the office is controlled.
Network admission control systems work in a similar way: the level of network access can depend on the specific network the device is connected to, such as Wi-Fi as opposed to a wired connection. This also lets a user move between offices and dynamically receive the same level of access in each. It is still recommended that access to the office network and the company toolset be covered by additional passwords that differ from the network ones, and that additional multi-factor authentication methods be in use.
There are several ways to create multiple layers of protection for your services and tools. Some are easier to implement while others are more difficult, yet the more complex options offer certain advantages as far as security is concerned. Wherever possible, stacking multiple layers on top of each other and protecting the layers themselves is the best way to go, though do keep the user experience in mind.
2FA uses and best practices
Two-factor authentication is used in a variety of ways, but they usually fall under three categories: granting access, verifying a transaction, or verifying a device or person. Each category has a multitude of sub-uses and accompanying best practices, both for the first form of authentication used and for the second layer applied after it. Examples of these follow:
The most common form of two-factor authentication is granting a person or device access to some kind of information, tool, or network. This covers the usual account logins but also unlocking your phone, your house door, etc.
For our online purposes, the most common form of granting access is logging in to an account with a username and password combination, e.g. on Facebook. While there are no strong requirements for the username, there are several crucial things to consider when choosing a password or security question.
Passwords are generally a familiar concept but we often use weak or predictable passwords and codes to lock our devices such as “password”, “12345”, “My dog”, “admin”, or something else along those lines.
A password or passcode should be more complicated and longer, for example: “3! 5PokmnhT54eSX&/”. This version uses both numbers and letters as well as special characters, has lower and uppercase letters, is more than 15 characters long, and is not a word, phrase, or a distinguishable pattern.
So, in this case, you can’t guess the password without prior knowledge as to the method used and even then, it’s hard to figure out. The length also means that brute force attacks are much harder to do since the number of possible combinations is very high.
There are several places where you can test your password strength, such as Passwordmeter or Howsecureismypassword. Though you have to keep in mind that they do not evaluate the randomness of the password, rather, they only evaluate the combination of letters and characters, therefore, “Yourname34!65” is still considered secure.
For passcodes where letters or special characters can’t be used, using a long random string is best. It‘s important to have it be somewhat random, as your birthday or social security number can be guessed. One good way to tackle this is to choose a word such as “Ground” and use a phone’s keyboard to get the corresponding string: 477766688663. This way, the passcode is still long but a bit easier to remember. If you can think of a random word, that’s even better, such as “rackor” - 777222255666777.
Security questions are a bit trickier, especially because they are rarely used as the main login knowledge check. They are used either as a second layer or as an additional security measure at certain access steps. That makes things trickier, because the security question should not be answered with the answer it would usually have. So, for “What’s your mother’s maiden name?” the answer should not be your mother's actual maiden name, such as “Meadows”; it should rather be a random word or another strong password that can’t be guessed.
The problem here is that if the security question doesn’t come up very often (I’ve used them around 3-5 times in my life), you forget the answer, and if it’s a long string, you won’t be able to guess or remember it either. So, using a random word that somehow associates with your mother’s maiden name but is obvious only to you would be the best way to go. Though, if you can avoid them, don’t use security questions. Most of the time, they lead to the option of actually inserting the correct answer, which makes it easily predictable.
Furthermore, access can, of course, be granted by using a physical or digital key by opening a trick latch, or by knowing that the door is open (be it a digital or physical door).
The companies or online services implementing transactional confirmations should consider the following:
The security of the tool used
Email might not be the most secure as it is subject to phishing schemes and if access is gained to an online service, the likelihood of a repeated password makes the email account more vulnerable.
The user’s access to the second layer
Most people have a phone capable of receiving an SMS, but data connections and phones that support apps might be less common; the same goes for biometrics and the associated scanners.
The simplicity of the user experience
Receiving an SMS is easy; opening an app, registering the app with the service, and then opening the app each time might be more of a hassle, though it might be more secure.
The optimal way to go about this would be to use a common tool such as an SMS TOTP (Time-Based One-Time Password) combined with an additional two-factor authentication measure such as a secondary password to add another level of security and protect against SIM-swap or SMS-interception situations, should they occur (however, many of these are somewhat overblown in the press).
This method is secure, inexpensive to implement, easy to use, and accessible since most phones can receive an SMS.
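Whether an SMS code is actually secure depends on how the server handles it. The following is an added example, not code from the original guide, of the server-side lifecycle of an SMS one-time code: random generation, storing only a salted hash, a hard expiry, a bound on guesses, constant-time comparison, and single use. The SMS gateway is replaced by a callback, and the class and constant names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # the code is worthless after 5 minutes
MAX_ATTEMPTS = 3         # wrong guesses allowed before the code is discarded


class SmsOtpService:
    """Issues and checks SMS one-time codes on the server side (assumed design).

    Only a salted hash of the code is kept, so the plaintext never sits in the
    database or in logs; the 6-digit space is small, so guesses are bounded and
    the code expires quickly; a code is consumed on first successful use.
    """

    def __init__(self, send_sms, now=time.time):
        self._send_sms = send_sms    # callback(phone, text); the gateway is out of scope
        self._now = now              # injectable clock, so expiry can be tested
        self._pending = {}           # user_id -> {"hash", "salt", "expires", "attempts"}

    def issue(self, user_id: str, phone: str) -> None:
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        salt = secrets.token_bytes(16)
        # A re-issue replaces any older pending code for the same user.
        self._pending[user_id] = {
            "hash": self._digest(code, salt),
            "salt": salt,
            "expires": self._now() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        self._send_sms(phone, f"Your verification code is {code}")

    def verify(self, user_id: str, candidate: str) -> bool:
        entry = self._pending.get(user_id)
        if entry is None:
            return False  # nothing issued, already used, or locked out
        if self._now() > entry["expires"]:
            del self._pending[user_id]
            return False
        entry["attempts"] += 1
        ok = hmac.compare_digest(self._digest(candidate, entry["salt"]), entry["hash"])
        if ok or entry["attempts"] >= MAX_ATTEMPTS:
            # Either consumed (single use) or too many guesses: a fresh code is required.
            del self._pending[user_id]
        return ok

    @staticmethod
    def _digest(code: str, salt: bytes) -> bytes:
        return hashlib.sha256(salt + code.encode("utf-8")).digest()


if __name__ == "__main__":
    # Constructed demo: the "gateway" just prints the text it would send.
    svc = SmsOtpService(lambda phone, text: print(f"SMS to {phone}: {text}"))
    svc.issue("demo-user", "+00000000000")   # placeholder number
    print(svc.verify("demo-user", "000000"))  # almost certainly False
```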
Verifying a person
Verifying a person could be the form of two-factor authentication that we are most familiar with and use most frequently, depending on the device you have, since every time we use a fingerprint scanner or facial recognition on our phone, we are asked to verify that we are the right person in order to gain access to the device.
Veriff is an example of an online service used for identity verification via document and webcam picture analysis, ensuring that the document and the picture on it match your face on camera and that no fraudulent details are detected. While it is a secure method, verifying the person, the possession of the document, and the document itself at the same time, it is a bit more of a hassle for the user (have I mentioned that it’s really easy to receive an SMS?).
Some additional apps and scanners can also be used for person verification. They usually rely on verifying biometric credentials such as fingerprints or the iris of the eye. The downside is the cost of implementing such a system (for example, developing your own app for your specific needs, or the additional data security requirements that take more time and money), and access to these tools is more limited as well (not all phones have fingerprint readers).
If the person specifically needs to be verified (as opposed to their signature, possession of a specific phone number linked to them, or knowledge of a specific password), the key is to use a system that makes the verification process as seamless as possible while ensuring security and ease of implementation.
Overall best practices and conclusion
It’s generally agreed upon that having multiple layers of data security on both the access to a service, as well as specific actions conducted within those services is a good idea. Overcomplicating the process is not recommended as it might lead to customers opting to use a competitor’s service that has a better service flow and makes the actions quicker and more seamless. Reaching the balance is key.
Here’s one way to go about setting up a security system that combines multiple layers:
Strong Customer Authentication and Legislation
Personal data security, related hacks, breaches, and identity theft have become a frequent aspect of our everyday lives. It seems not a week goes past without another minor or major data breach leaving thousands, if not millions of people vulnerable with their data in the hands of criminals looking to exploit the data for their own gains, be it stealing your money, blackmailing you, or just creating chaos for the fun of it.
As such, the protection of that information has become a crucial topic as well, be it via strengthened customer authentication, encryption, or the good old “not putting personal stuff up on the internet” method. Whatever the case, it was really up to the user to ensure their own safety. However, since the introduction of the General Data Protection Regulation (GDPR) and the Second Payment Services Directive (PSD2), the European Union’s legislative body has decided to shift the obligations onto the service providers as they now must ensure that the data is processed, managed, shared, and stored securely.
Strong Customer Authentication is brought out as a specific term in the PSD2 as well as the requirements for it (we covered them in more detail in the RTS whitepaper). But, what’s the bigger story around this?
2FA and GDPR
GDPR was designed to replace a more than 20-year-old piece of legislation that had long since become obsolete in its ability to regulate the new information age. This new tool was created with this century and future requirements in mind. As such, the security of personal data was brought to the forefront.
Data processing has to be secure, limited, and steps need to be taken to ensure that the data management process itself is designed in a manner that takes into consideration the multiple risks associated and combats them with the most up-to-date measures.
For companies, this means that they have to build, monitor, and update their systems while taking the latest security standards into consideration as well as constantly assess new possible risks. This includes, of course, the procedures for 2FA (two-factor authentication) or multi-factor authentication.
2FA and MFA are methods of account security where the user has to present a minimum of two (for 2FA) or more (for MFA) of the following: a piece of information (knowledge), a device (possession), or a physical feature (inheritance). In other words: know a password, have a phone that can receive PIN codes, or be a person with unique fingerprints or eyes.
While the application of 2FA or MFA under GDPR is not strictly mandatory, it does leave little room for debate in that regard, as stated in Article 32 section 1 and 2:
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
  - the pseudonymisation and encryption of personal data;
  - the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  - the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  - a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
- In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from an accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
So, section 1 makes it mandatory to assess the associated risks and use the provided measures as well as additional ones when the risk is present. Furthermore, section 2 highlights access to personal data transmission, storage, or any other type of processing as a key risk factor.
There are few tools that are as well known, as easy to implement, and still provide as solid a foundation of security as 2FA. Just adding another layer of security on top of the usual knowledge factor (username and password) significantly improves the security of the data management process and limits the risk of unlawful access.
It also helps with breach detection because 2FA often comes with additional notifications if another device attempts to access the account. As such, 2FA is one of the crucial tools to help reach compliance by providing a simple addition to the security toolset. It’s also a fairly common and known system for users and it helps with the monitoring portion of the equation.
2FA and PSD2
Where GDPR alludes to the need for a 2FA system to be in place, PSD2 explicitly requires it of payment service providers in Article 97:
- Member States shall ensure that a payment service provider applies strong customer authentication where the payer:
  - accesses its payment account online;
  - initiates an electronic payment transaction;
  - carries out any action through a remote channel, which may imply a risk of payment fraud or other abuses.
- With regard to the initiation of electronic payment transactions as referred to in point (b) of paragraph 1, Member States shall ensure that, for electronic remote payment transactions, payment service providers apply strong customer authentication that includes elements, which dynamically link the transaction to a specific amount and a specific payee.
The requirements become more specific in the Regulatory Technical Standards document (explained in detail in our whitepaper), where the requirements for Strong Customer Authentication (their definition of 2FA and MFA) are laid out in detail: which methods should be used, in which manner, and when.
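The "dynamic linking" in Article 97(2) means the confirmation code must be a function of the specific amount and payee, so that a code confirmed for one transaction cannot authorise a different one. The following is an added illustration, not code from the guide or a reproduction of the RTS mechanism: the HMAC key, the nonce, the canonical encoding, and the SMS wording are all assumptions.

```python
import hashlib
import hmac
import json
import secrets
from decimal import Decimal


def _canonical(amount: str, currency: str, payee: str, nonce: str) -> bytes:
    """Fixed encoding of the transaction details so the issuing side and the
    verifying side MAC exactly the same bytes. The amount is normalised to two
    decimals so "100" and "100.00" cannot yield different codes."""
    details = {
        "amount": f"{Decimal(amount):.2f}",
        "currency": currency.upper(),
        "payee": payee.strip(),
        "nonce": nonce,   # per-transaction random value: a code cannot be reused later
    }
    return json.dumps(details, sort_keys=True, separators=(",", ":")).encode()


def transaction_code(key: bytes, amount: str, currency: str, payee: str,
                     nonce: str, digits: int = 6) -> str:
    """One-time code bound to amount, payee and nonce: change any of them and
    the code no longer verifies. (Assumed construction, not the RTS text.)"""
    mac = hmac.new(key, _canonical(amount, currency, payee, nonce), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)


def challenge(key: bytes, amount: str, currency: str, payee: str):
    """Issuer side: mint a nonce and the code, and build the SMS text.
    The text repeats amount and payee so the payer can spot a transaction
    that was altered between what they saw and what is being confirmed."""
    nonce = secrets.token_hex(8)
    code = transaction_code(key, amount, currency, payee, nonce)
    text = (f"Confirm payment of {Decimal(amount):.2f} {currency.upper()} "
            f"to {payee.strip()}. Code: {code}")
    return nonce, text


def verify(key: bytes, code: str, amount: str, currency: str, payee: str, nonce: str) -> bool:
    """Recompute the code from the details actually submitted for execution."""
    expected = transaction_code(key, amount, currency, payee, nonce)
    return hmac.compare_digest(expected, code)


if __name__ == "__main__":
    key = secrets.token_bytes(32)                       # constructed demo key
    nonce, text = challenge(key, "100", "eur", "Example Payee (placeholder)")
    print(text)
    code = text[-6:]
    print(verify(key, code, "100.00", "EUR", "Example Payee (placeholder)", nonce))  # True
    print(verify(key, code, "100.00", "EUR", "Someone else", nonce))                 # False
```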
2FA and compliance
While these two pieces of legislation only affect companies that provide services within the European Economic Area (EEA) or to European citizens, that does mean that any global service provider with even one EU citizen using its service will need to meet the requirements of GDPR, and payment service providers will need to tackle PSD2 as well.
However, 2FA has bigger considerations in addition to the two above-mentioned acts. Fraud prevention measures are quite often a requirement for most companies providing services online. Be it in the EU or elsewhere, having measures in place to prevent fraud makes sense to the business as well. Fraudulent claims, account thefts, and disputed purchases can be challenging for any business, thus, having a multi-layered authentication procedure to tackle these challenges makes sense from a business perspective, not just a legal perspective.
Having 2FA on the company’s internal systems makes sense, too. Just recently, the Cancer Treatment Centers of America were subject to a data breach via a phishing scheme that 2FA could have prevented. As the user’s security credentials (the password and username) were compromised, the access to the general database was immediate; no secondary security measures needed tackling. If 2FA had been in place, a second step would have bought time for the user to change their password, regain access or realize that the sent email was fraudulent.
2FA is mandatory for payment service providers in the EEA. It is strongly recommended, and most likely mandatory, for any other service provider in the EEA, and it is a tool to help fight fraud and breaches for every company in the world that stores even a small amount of sensitive data somewhere on the internet or in any accessible data store that requires security credentials to gain access.
Even though 2FA is not a new technology, the need for it is greater than ever, and the privacy laws being implemented throughout Europe are increasing the demand. Hackers looking for every little vulnerability they can find constantly target businesses, and most of those attacks could be prevented by two-factor authentication. Although it’s not 100% safe, it adds another solid layer of security to your online data and makes it much more difficult for hackers to get access to your information.
Make sure that you choose the form of 2FA that fits your business needs. We recommend using SMS, as it’s low cost and universal. Also, keep in mind the best practices involved with it, so you don’t compromise the security of the system.
Hopefully, this guide will help you get started without too much of a hassle. You can always come back to it if you need to remind yourself of any information.
Also, you can download the PDF version for easy access. Feel free to contact us if you have questions that you can’t find answers to in this guide. We’ll gladly help you.