Internet security is gaining relevance as breaches increase. Society is turning mobile, which means that both private and work-related information is stored on and accessed through our devices. This, of course, also means a broader “market position” for hackers and cybercriminals, who are becoming both more numerous and more skilled.
There’s no doubt that security should be considered, especially within industry sectors that are particularly targeted, and, in the best of worlds, before damage is done. The bad news is that a password is, no matter how ingenious, simply not enough to stay safe from breaches. The good news is that, by iterating on an old method, it can be strengthened more easily than you think.
Two Factor Authentication (2FA) is nothing new, but a great way of protecting your various online accounts. Basically, Two Factor Authentication is about adding a second layer of protection by combining something you know with something you have: usually, a password combined with a token.
A token is a physical possession of the user, often a One Time Password (OTP) token which generates a unique code for one-time logins, enabled by dynamic algorithms. The form varies from the traditional online banking digipass or other key fobs to USBs, plastic cards, smart card chips or even watches, and it all rests on the idea of making one “factor” (e.g. a pin code) useless without the other (e.g. a credit card).
However great Two Factor Authentication may be, its original form of carrying around a digipass or similar is clearly an invention from before the mobile era. What we see is a growing market demand for the ubiquity and ease that come with all-in-one solutions. There’s no future for expensive stand-alone tokens, such as the digipass. Instead, Two Factor Authentication is becoming tokenless and fully integrated into our mobile devices, made possible with SMS or voice verification.
Let the giants lead the way
Hence, the most common way of using Two Factor Authentication today is “tokenless”, or mobile: Google has deployed a 2-Step Verification feature that lets the user choose between receiving a code by text, voice or through an app. In combination with a normal password, this strengthens the security of the user’s account, and the same goes for Microsoft. Facebook calls it Login Approvals, but the functionality is all the same: an extra layer, asking for a unique security code that’s sent as a text to the user’s phone, every time the user logs in to his or her Facebook account from an unknown device.
Undeniably, there’s been an increased interest in Two Factor Authentication during the last 5 to 6 years, and a lot of it is thanks to the big enterprises actually doing something about it. Around the time when Dropbox rolled out Two Factor Authentication in 2012 because of reported spam mails and stolen accounts, the curve peaked tremendously, and the following years were (and are, according to the forecast) heading in one clear direction.
Google Trend Chart of Two Factor Authentication Interest Over Time + Forecast
In May 2013, Twitter launched its Two Factor Authentication after several high-profile accounts got hacked, including a fake story about an explosion in the White House posted from the Associated Press’ account. Other majors, such as Apple and Yahoo, have enabled Two Factor Authentication, and the way to set it up is being both taught and encouraged. Even Snapchat has followed the trend, with its recently added feature called “Login Verification”, to let users keep precious snaps for the intended audience only.
Teens can be risky
There are arguments against Two Factor Authentication though. Apart from myths that are easily debunked, data security company Vasco claims Two Factor Authentication to be obsolete, and nothing more than a “security tick box”, pointing at security problems such as SIM card cloning. Others point at Two Factor Authentication cons such as the risk of losing your device or the fact that you’re compromising privacy by disclosing your phone number. Lastly, there’s always that risk of clever teens, like 17-year-old Joshua Rogers, messing with the system.
Two Factor Authentication is not perfect. It is, however, a damn good way of protecting information from being hijacked, whether it concerns social media, banking or things in between. With Two Factor Authentication turning “tokenless” (i.e. mobile), the bother of carrying around an extra device no longer exists, and the solution is cheap, ubiquitous, and easy to deploy, since there is great help out there that only requires you to write a few lines of code!
I started off by stating that Two Factor Authentication is about “what you know and what you have”. Well, now you know what you should have.