On the Internet, which now reaches every corner of the world, security comes first. Two-factor authentication is one of the security options in the web world that greatly increases the security of your accounts. In this post we explain, in simple language, everything you need to know about this method. Stay with Digital Currency.
What is two-factor authentication?
Two-factor authentication, abbreviated 2FA, is a method of logging into a user account in which the system requires two different factors of authentication, so that it can be sure the person logging in is the user himself and not, for example, an attacker who has obtained the password.
These two factors are:
- Something only the user knows (such as the password)
- Something the user has, which proves that the person entering the password is the account owner and not someone else. The second factor can be a one-time code that is separate from the password, a confirmation email, or an SMS confirmation.
In Persian texts this method is also called two-step verification or two-step authentication.
In other words, with this method the user first enters his username and password; then, instead of immediately getting access to the account, he is asked to enter a further piece of information to prove that he is the owner of the account.
For example, if you enable two-step verification on your email (such as a Gmail account), then each time you try to log in you will be asked to confirm your identity through your mobile phone (or another method) in addition to entering your password.
Information that only the user knows
This type of factor is information tied to the user that only the user should know: for example the answers to a set of private security questions, or a particular key or unlock pattern, can be used as one of the authentication factors.
Something the user has
Typically the user performs this authentication with an electronic device in his possession, such as a bank card, a smartphone, or a small dedicated device known as a hardware token.
Physical characteristics of the user
This type of authentication is somewhat more advanced and also more secure; it includes biometric patterns such as fingerprints, iris scans, and similar checks.
Why should we use two-factor authentication?
The growth of Internet use and the rise in attempts to hack user accounts have shown that a password alone cannot secure an Internet account.
The following are some of the reasons why a password by itself cannot provide full security for users.
Simple and predictable passwords
According to a recent analysis of about 1.4 billion leaked passwords, a large share of them were very simple phrases that anyone could guess.
Among these simple passwords, strings such as “111111”, “123456” and “123456789” were especially common and trivially predictable.
Cracking is one of the common ways to obtain account passwords. Crackers use special software to try a large number of candidate passwords (a dictionary or brute-force attack) against an account, or against a stolen list of password hashes, until one matches.
Malware and social engineering
Even if you use complex, unpredictable passwords that crackers cannot realistically guess, there is still a risk that your password is stolen.
Once it has infected the victim’s system, malware such as a RAT, a Trojan or a keylogger can simply record the password the victim types when logging into his account. However strong the password is, the malware captures it in full and hands it to the attacker.
It is also possible, through social engineering (e.g. phishing), to be tricked into giving your password to a hacker or fraudster yourself.
With two-factor authentication, someone who knows only your password cannot log into your account: they also need the second factor. How much protection that gives depends on how hard the second factor is to steal, which is why the methods below differ in strength.
Common two-factor authentication (2FA) methods
Today several different methods are used for two-step verification. Some are more secure and more robust, and some are more complicated to use, but all of them offer more security than a password alone.
Below we look at some of the most common types of two-step verification.
Using hardware equipment
The oldest form of two-step authentication is a very small electronic device that generates a new numeric code every 30 or 60 seconds. When the user wants to access his account, he reads the code currently displayed on the device and enters it on the site or in the application. These devices come in several types, which are beyond the scope of this article.
For years, many Iranian banks have offered these hardware tokens to customers who wanted a higher level of security for their accounts.
Today, with the spread of mobile phones and easier, cheaper and safer solutions, this method is used much less.
Using text and voice messages
The SMS method ties two-step verification directly to the user’s mobile phone. After the username and password are received, a unique one-time code is sent to the user’s phone via SMS.
As with the hardware-token method, after receiving the code on his phone the user must enter it on the site or in the application to access his account.
Similarly, in the voice-message variant, the service calls the user’s mobile phone and reads the 2FA code aloud. This method is not very common, but it is still used in countries where smartphones are expensive or mobile service is poor.
For online activities that are not highly sensitive, authentication via text or voice message can meet your security needs. But for sites that hold your personal information, such as company accounts, banks or email, this level of two-factor authentication may not be secure and reliable enough.
In fact, SMS and voice messages provide the lowest level of security of all the two-step methods: the code travels over the phone network, where it can be intercepted or redirected to an attacker (for example by a SIM-swap attack), and a user can be tricked into typing it into a phishing page. For this reason, many companies have moved on to more secure methods for two-step login.
The most popular form of two-step verification used as an alternative to text and voice messages is an application that generates a one-time code.
To use this method, the user first downloads a 2FA application (such as Google Authenticator) and installs it on his mobile phone or laptop. He can then use it with any website that supports this type of two-step authentication.
When logging into the site, the user first enters his username and password, then enters the code currently displayed in the 2FA application to access his account.
As with hardware tokens, each code generated by the application is valid only for a short period, usually 30 seconds (sometimes 60). When that period ends the application shows a new code and the old one is no longer accepted, so the user must enter the code before it expires.
Because the code is generated and displayed on the user’s own phone rather than sent over the network, the main concern of the SMS and voice methods disappears: there is no message in transit for an attacker to intercept.
Most importantly, because 2FA applications exist for both mobile and desktop and work without an internet connection (the code is computed from a secret shared with the site and the current time), this method is available almost anywhere and in any situation.
If we want to briefly mention the advantages of using applications for two-step authentication:
- They are more secure than SMS and voice codes.
- They have both mobile and desktop versions.
- They also work offline without the need for internet.
With the growth of phishing against bank accounts in Iran, Iranian banks have also been working on a plan for a one-time “second password”: when shopping online the user receives a fresh second password for each purchase, so that if it is leaked it becomes invalid after a short time and cannot be misused.
How to enable two-factor authentication?
Each website or piece of software can have its own procedure for two-factor authentication, but most reliable platforms support Google Authenticator (and compatible code-generating apps). The user downloads the app, goes to the Security section of his account, and activates the feature by scanning a QR code; that QR code carries the secret key that the app and the site will share from then on.
These websites also give the user a unique recovery key (or a set of backup codes) with which he can regain access if he loses his phone or the app is wiped from it. This key must therefore be well protected: keep it offline, and not in the same place as the password.