As we move our lives online, we find that the criminals have also changed their territory and modus operandi and they are adopting technology to break into our social media accounts, bank accounts, email, messaging apps, etc. When Internet was in its infancy, the humble password was good enough to provide all the security, but then we started putting more of our lives on the Net. Accounts on Google, Yahoo, Outlook, Facebook, SnapChat, Instagram, banking accounts, accounts with insurance companies, travel sites, all these now became the territory for the cyber criminal to feast on. The humble 8 – 12 letter password with capital and small alphabets and numeric digits and special characters is no longer safe. Passwords can be guessed if you use a password like ‘123456’, or your vehicle registration number, name of spouse, dog or cat’s name, or common phrases like ‘ILOVEU’, ‘password’, ‘qwerty’, etc. These passwords are not safe and the sooner you change them, the safer is your account.
But even the most complex passwords are not safe. Hackers have algorithms to get to these passwords by various techniques, among them the simplest being the brute-force technique. Low cost wireless keyboards can be exploited to collect passwords, security questions, credit/debit card information, bank account details, etc. Wireless keyboards transmit their data in an unencrypted format to the dongle connected to the laptop or desktop. An attacker can eavesdrop on the victim’s keystrokes, and inject malicious keystroke commands into the victim’s computer, and then perform action like installing malware. Bluetooth and wired keyboards are generally not affected by this problem of keyboard sniffing.
So are we doomed to rely on passwords that will be guessed, hacked, forgotten? No. Trust technologists to look at the way we lock our home – one lock is not enough, we need two. So there you have it. 2FA or Two Factor Authentication is a technique to give strength to your password. Think of it like Security++. 2FA relies on two pieces of data before someone can log into your account. The first piece of data is still the password, which may even be known to the hacker, and the second piece of data could be a numeric or alphabetic or a alphanumeric code that you receive via a SMS on your mobile phone. Now here is how the security is enhanced. When you create an account on, say, Google or Microsoft, or open a bank account, you will be asked to register your mobile phone number with them. Since the mobile phone will be physically with you most of the times, the SMS received on that number will also be known only to you. So after you input your password, an SMS will be sent to you on your registered mobile phone. This SMS message contains a One Time Password (OTP) and you must type in this OTP as the second layer of security so as to make doubly sure that its you who is accessing the account and not a hacker. If the OTP number is not entered or wrong PIN is entered, access is not granted. This OTP may be numeric, or alphabetic and will usually have 4 to 7 digits or alphabets or it may be alphanumeric.
What other techniques are there for this 2 factor authentication? One of the techniques used by some banks takes this 2FA to the next higher level. So you will (i) enter the password, (ii) You will receive a 6 digit OTP whose first 3 digits are received on your registered email address, and the next 3 digits are received on your mobile phone. So even assuming your email address is also hacked, you still have 3 digits coming as a SMS, and unless all these pieces of information are entered correctly, access is not granted. Voice-based 2FA relies on delivering the OTP through a voice call to the user.
Another system relies on asking for the password followed by one of many security questions. These security questions and your answers to them were captured at the time of creating the account. So after typing the password, you will be asked one of the security questions and you must type the correct answer, to be granted access. The drawback of this system is that usually you cannot create your own question. So the questions are usually of the type that ask for your date / place of birth, your pet’s name, car registration number, your favourite colour, etc and the answers to most of these questions can be guessed, atleast by people who are close to you.
Unfortunately, OTP through SMS and Voice call are not the safest ways to provide 2FA. A modification of of this OTP method uses a software-generated and time-based, one-time passcode (also called “soft-token”). Before using this a user must install a free 2FA app on their smartphone or desktop. User can then use this app with any site that supports this type of authentication. At sign-in, the user enters username and password, and then enter the code shown on the app. Such a soft-token is typically valid for less than a minute. Hence it is more secure.
All the above techniques rely on the fact that the user must enter the password and OTP. Some websites do not rely on the receipt and entry of a 2FA token; instead they send the user a push notification that an authentication attempt is taking place. The device owner views the details and can approve or deny access. Google uses this technique as one of the authentication methods. Since there is now a direct and secure connection push notification eliminates chances of phishing and interception attacks.
Biometric authentication involves password at level 1 and then at level 2, the user’s fingerprint, retina patterns, facial recognition, voice matching are used. Many mobile phones already contain finger print locks and bank staff use password plus fingerprint recognition techniques to log into their account.
Some of the sites that support 2FA are google.com, yahoo.com, outlook.com, Amazon.com, and many more. If you want to see a list of websites that support 2FA, check the site https://twofactorauth.org/ for details. And enable 2FA for your all your online accounts.