We are all familiar with passwords. We know they are easy to forget and to share, and likely easy to steal.

User names are almost always email addresses, and thus quasi public information. In practice, users often reuse passwords between websites, adopt easy to guess passwords based on common words and dates combination, etc. Such passwords may be long but are very easy to guess in an automated manner.

This is why an additional step for authentication is now recommended for digital services. You may have encountered this already. For instance when connecting to your online banking, some government portal or your employer IT system.
This additional step is an interactive challenge, so that the answer is different each time. This is more difficult to steal and not reusable.

The first authentication step consists of the user name and password combination. It is non-interactive: this information could be saved on a computer and replayed automatically.

The second step is called Second Factor Authentication. The second factor is something you have, the code. It is interactive because the time at which it is requested matters. Thus it cannot be repeated easily by software.

Together, the first factor (something you know) and second factor (something you have) form two-factor authentication, abbreviated as 2FA.

There are several ways to implement 2FA. We recommend you setup more than one, to make it easier to recover your account.

Many readers will be familiar with codes sent by text to their phones, or to their email accounts. These text based or email based approaches are very easy to setup and greatly improve security compared to password only authentication.

However, both methods expose the user to some risks.

First, some mobile operators make it easy to steal a phone number by requesting a transfer to another operator. It is also sometimes possible to hack the voice mail by using a default PIN code. It becomes trivial to access this way voice 2FA codes.

Second, email accounts can also be hacked. This is why setting up 2FA on your email account is critical.

Even then, it is difficult to protect from company employees who may have access to all SMS data or email inboxes. This is a more specialised but realistic attack vector.

A more advanced example is 2FA TOTP. This consists of a mobile app generating single use codes every 60 seconds. The most popular apps are Google Authenticator, Microsoft Mobile Phone Authenticator, 2FAS, Authy, etc.

When setting up a new service, the user scans a confidential QR code to store a secret key into the mobile application. This key is used to generate the codes.

2FA TOTP is a great improvement to SMS 2FA or email 2FA as it does not rely on a mobile operator or an email provider.

The company making the app would have to build a specific version of the app to target the end user to be hacked, and add custom code to send these codes to a server. This is a more sophisticated attack that requires engineering effort and likely a team if not the whole company.

Specialised state level hacking software such as Pegasus form another attack vector. This type of software has been used against senior politicians in many European countries.

Most people do not need to worry about such attacks.

Can TOTP 2FA be further improved? Absolutely!

By introducing a physical token such as a YubiKey, the secret key is now stored on a separate independent physical device with minimal or no operating system, not connected to the Internet, excepted when generating a code. 2FA devices do not run large amounts of apps and offer much fewer API to developers. This makes them significantly more difficult to hack. The biggest security improvement is that they are almost never connected to the Internet. This is called air gap.

This approach is slightly more inconvenient to the end user as the token must be carried separately. And connected regularly by USB for signing in.

To recap, 2FA is an additional step to improve the security of password only authentication, which is problematic.

The most common forms are SMS or email based.

A mobile app (TOTP 2FA) is even better and will provide a great level of security for most people.

To avoid being locked out, setup two 2FA methods whenever possible.

For those who need the highest level of security, try using a physical device such as a Yubikey.

Did you encounter challenges while deploying 2FA? Let us know!