What is Two Factor Authentication?
Cybercrime shows no signs of weakening anytime soon, so the focus on cyber security could not be more relevant. However, whilst online security, logins, usernames and passwords are often discussed, the phrase "Two Factor Authentication" (TFA) isn't exactly common knowledge, even though we actually use it every day.
With every account we set up, whether that's online banking or social media, we need to jump through certain security 'hoops' to be able to use the account. However, with a lot of these services asking only for a username and password, it is becoming increasingly easy for hackers to gain unauthorised access to important information with the aim of making a profit.
Whilst strong passwords are key to improving online security, TFA is definitely something that cannot be forgotten, even if most of us have no idea it even exists!
What is TFA?
TFA refers to an extra piece of personal information that the user hands over when they are creating an account, alongside a standard password and username. So whilst single factor authentication relies on one piece of information, typically a password, TFA adds another. Also known as "multi factor authentication" or "two step verification", it serves as an extra layer of security that strengthens the link between users and their accounts and reduces the chances of hackers working their way in.
Hackers have developed software that can make thousands of password attempts each second, so with an added piece of security binding you to your information, they are less likely to gain unauthorised access.
TFA reduces the number of online identity theft cases because the hackers would need more than just the username and password of their target. This has led more and more online services to introduce TFA to prevent their users' data from being accessed.
The most prominent example of TFA is the hardware token, such as a key fob or card reader. However, due to the cost of production and the time taken to get them out to customers, it is now more common to see mobile phones being used as a form of authentication instead. SMS is a quick and easy way for companies to gain confirmation that it is you they are dealing with, and as a result security is strengthened.
Sometimes a factor is knowledge based, such as a PIN or shared secret. It can even be something the user is. In other words, this could be a personal attribute based on physical characteristics such as a fingerprint, facial recognition, or voice.
Security of TFA
There is no doubt that TFA improves online security, but it must be stressed that it is only as secure as its weakest component. Hardware tokens serve as a strong reminder of this: in 2011, the security company RSA Security reported that its tokens had been hacked. This happened as a result of the token algorithm being disclosed. This meant that the security link from the SecurID tokens to the customer accounts was disclosed, and the tokens therefore became worthless and insecure for their purpose of verification.
Additionally, SMS-based TFA has its flaws. It may be quick and easy to implement because of how much we use our phones now, but it is actually the portability of the devices that makes them vulnerable to hackers. Attacks against the mobile phone networks, as well as malware strains such as 'Eurograbber', can intercept and redirect text messages, all without the user knowing.
These concerns around TFA mean that some high-security environments are taking it up a notch, to three-factor authentication. This involves the user not only having a username and password, but also being in possession of a physical token, as well as providing biometric data such as a fingerprint. This steps it up so that hackers have three layers of security to go up against.