2 factor authentication is being hailed all over the internet as the next big security thing. It’s the smartest way to make sure that passwords aren’t cracked, phished, keylogged or guessed (or stolen in any other conceivable manner) and is fast becoming the online business and networking safety net that large and small corporations are coming to rely on.
It works in a simple enough manner: it uses dual factor authentication to strengthen the security blocks in a login process. Consider this: just introducing a second step in the login process could fortify the login process with an extra password: that’s one extra layer of hacking/ breaking in/ stealing/ cracking/ phishing that counts! But it’s not as simple as just adding an extra layer: two factor authentication takes security layering to a new level because it works on the principle that the second layer ought to be something that you have, are, know or are near. This is basically internet protection up several notches, and it’s clear with the alarming number of hacks into top traffic websites, that we need it.
So how does this work? After you enter in the initial (Step 1) password, you may be either asked to:
1. Enter in another password that you know (something you chose previously, got sent to you on your phone using the One Time Password format or generated for you on a key fob)
2. Use an app or any other phone based software to generate real time passwords applicable to the website you are trying to access
3. Speak or scan your fingers or eyes (using biometric data is the new level of authentication that could take a few years to bring to the mainstream)
4. Allow the access mechanism to analyse for proximity, especially if hackers are traditionally known to hack from far-off remote locations.
Some people say that 2 factor authentication is being given too much credit, and that it really doesn’t work. The argument is that 2FA (the abbreviation by which two factor authentication is commonly known) does not protect against Man In The Middle or Man In The Browser attacks (these attacks occur when vulnerabilities in the browser can help trojan horses to create security breaches by modifying content or transactions in a subtle way that both user and host web application cannot recognize). MITM attacks CAN be effectively prevented by 2FA, with token two factor authentication by sending a phone call or SMS with a one time password to the user, and also by verifying the phone number to quickly assess risk. That way, any phone numbers that do not look kosher can be banned or stopped from accessing the customer’s login page.
The best part is that 2FA can be easily integrated with more layers or security to provide a more robust login infrastructure. Of course, this could make it inconvenient to users depending on the kind of protection that is really required, but some combination systems allow the introduction of reputation and attributes of the devices the user is using. Information about the login attempts (and any risk assessment) is shared with the customer and a database of cyber security experts who use this information to proactively handle security concerns. In fact, reputation managers can even expose associations between devices and users to show fraud rings that would have previously been “invisible” to the average customer.
Just as fraudsters will continually work to break through the tightest security nets, at this point, 2FA is the strongest and most easily accessible form of multi-layered cyber security net available to medium and large businesses. Some of these fraud rings are being used in permutations by criminals around the world who are fine tuning trojan code to get into infected computers and steal the information they find relevant. If you’re looking for a way to up the security quotient on your website, now is the time to use two factor authentication. Any later, and you just may be too late!
Steven E. Collins is a web enthusiast and a baseball fan living in Los Angeles, CA. He has extensive experience in the field of Internet Security. He likes to share his knowledge through articles and blog posts on implementing security systems for online businesses. You can find him writing anything from best practices for online transactions to prevention of online fraud.