What is 2FA and how can you secure your account with it?

25-09-2018 12:08:40

2FA stands for ‘Two Factor Authentication’ and yes, 2FA adds a meaningful threshold to the security of an account.

2FA, what is it?

Two Factor Authentication (2FA) combines two separate and independent components for the verification of an authorised user. For a short while now, BIT-Portal, as well as other online environments, gives you the option to add an extra question to the access control. In this blog you will read what 2FA is exactly, how it works and what the added value is. In addition, we will dive a little into the way the technology is applied at BIT right now, what the advantages of this extra measure are and which considerations should be made.

Because, supposedly, there is a lack of abbreviations in the IT world, the concept 2FA has been created with the eventual goal, of course, of more efficient communication by only using abbreviations. Idk/care d^. A two factor authentication, in practice, means that two factors will be used to verify the authenticity of the alleged identity during the access control. A factor can have many different meanings, but in this case it would encompass something that the user knows, like the combination of a username and password. But the word factor in the context of access control can also be used to refer to something the user owns, like an (encryption) key. Adding a second step does not automatically turn the access control into 2FA. For example, if a user is asked for their favourite letter in a second screen after entering their username and password, that is considered an addition to the same factor: something the user knows.

On the internet the second factor often consists of a generated numeric code. This numeric code is generated by a series of instructions, also called code or algorithm. The algorithm for the numeric code makes a combination of a string of symbols and the current time in the series of instructions. Eventually, the algorithm ends up with a numeric code. The algorithm is public knowledge and has multiple implementations for different kinds of (computer)systems. The result of one implementation is equal to the result of another implementation with the same input. This allows for a check of this same input without revealing it in the communication.

The string of symbols is the first thing that is exchanged between the provider and the user of the stronger authentication method. Both parties have shared a ‘secret’ with that string of symbols that can be used in the algorithm. It is still important, of course, to make sure that this sharing has gone well, so the secret is temporarily saved and only becomes permanent after checking whether the exchange of the string of symbols, or the ‘secret’, has gone well. This check consists of the user passing on the outcome of the algorithm, the numeric code, to the provider, and the provider checking that input against the numeric code the provider has generated itself.

The second factor

In fashion as the second factor: TOTP

The algorithm that generates the numeric code, how could it be otherwise, has also received the honour of an abbreviation: TOTP. This stands for Time-based One Time Password. Because the current time is part of the input of the algorithm, there is a limited timespan in which the code is valid. That limited validity adds to the security of the numeric code. In addition, the dependence on the time ensures that the code, in the practical sense, can only be used once.

Obviously, for this new authentication to work, there needs to be an exchange of the secret string of symbols between the identifying and the authenticating/verifying party first. For example between users of a website and the (managers of that) website. In many versions of this process, this is done by means of an OTP application on a mobile device and an image of a QR code on a website. By scanning that QR code with the OTP application and the camera of the mobile device, the OTP application gains access to the secret string of symbols. 

From that moment on, the OTP application on the mobile device can use that secret string of symbols and the current time to generate the TOTP, the time based one time numeric code. The user hands this code to the online service by entering it on an online form and sending it to the webservice. Then part of the webservice’s program can verify the provided numeric code and check whether the entered numeric code is correct. The webservice can do this by using the public algorithm, with the input (or parameters) of: the exchanged secret string of symbols and one (or more) moments in time. When the numeric code that has been sent to the webservice and the generated numeric code from the webservice match, the earlier exchange of the secret string of symbols will be ‘approved’ by adding it to the saved data of the user. From now on, there is no need for further communication that contains the secret string of symbols.

In the second step of the access control, the user only enters the generated numeric code. The secret string of symbols has already been exchanged and saved on both sides. If the entered numeric code (from the OTP application of the user) corresponds to the numeric code from the OTP application of the webservice, the claim made by the user (that the user has access to the user indicated in the first step) has been verified by a second factor.
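The enrollment check and the later second-step verification described above, as an added Python example that is not code from BIT or the original post. It assumes the RFC 6238 defaults (HMAC-SHA1, 30-second time steps, 6 digits); the `Account` class and its method names are hypothetical, and the secret is the public RFC test value.

```python
import hashlib
import hmac
import struct

STEP = 30  # assumed seconds per time step (RFC 6238 default)

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """Public algorithm: HMAC-SHA1 over the time-step counter, then truncate."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Check the code against 'one (or more) moments in time' around now."""
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret, now + drift * STEP)
        # Constant-time comparison; no early exit on a match.
        ok |= hmac.compare_digest(expected.encode(), code.encode())
    return ok

class Account:
    """Hypothetical server-side record: the secret is pending until proven."""
    def __init__(self):
        self.pending_secret = None
        self.confirmed_secret = None

    def begin_enrollment(self, secret: bytes) -> None:
        self.pending_secret = secret  # this is what the QR code carries

    def confirm_enrollment(self, code: str, now: int) -> bool:
        # The secret becomes permanent only after one correct code.
        if self.pending_secret and verify(self.pending_secret, code, now):
            self.confirmed_secret, self.pending_secret = self.pending_secret, None
            return True
        return False

    def second_factor_ok(self, code: str, now: int) -> bool:
        return bool(self.confirmed_secret) and verify(self.confirmed_secret, code, now)

# Constructed sample input: the RFC 6238 test secret, never a real one.
SECRET = b"12345678901234567890"
```

The acceptance window trades clock-drift tolerance for a longer validity period per code, so it is kept small here.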

And now?

Hopefully, the above makes it clear that it is recommendable to use 2FA. A big advantage of using more than one factor in the authentication process is the higher level of security. In case the combination of the username and password becomes known to malicious parties, there is an extra threshold, an extra factor, that hopefully is not known there. I use the word ‘hopefully’ because I can imagine a simple scenario where both factors can fall into the hands of a malicious party: for example when someone loses a phone, tablet or laptop. In that case, both factors are stored on one device and the security of the data on that device is the weakest link in the security chain.

In many cases the weakest link – the security of the data on the device – is also nothing more than logging in as a certain user on the operating system. Or more physically than that: simply gaining access to the stored data on the device. That is because users, often with ease of use in mind, allow the passwords and other applications to be automatically accessible after logging in once. There are cases in which this risk is acceptable, but in most cases it does not seem advisable.

Storing the two factors on separate devices seems to be the solution. Another measure could be to add an extra encryption in saving and retrieving stored data. Applications that store a combination of username and password usually offer that possibility and there are also OTP applications that use encryption while retrieving the secret string of symbols that is exchanged. 

There are some examples of TOTP applications on the English Wikipedia (version of August 26, 2018). The open source OTP application AndOTP, also available on F-Droid, is an example of an application that provides a number of possibilities to store the secret string(s) of symbols on an encrypted part of the phone and apply a security measure to the use of the OTP application.

In addition to other changes, the possibility to log in with a second factor has been added to the BIT-Portal. In the past 35 days, over 100 people have activated 2FA in the portal. Of course, it is advisable to activate it, but it is up to our clients to make their own decisions about it. This means that there is a choice between: ‘no 2FA policy’, ‘optional 2FA policy’ and ‘obligatory 2FA policy’, three company-wide forms of policy to respectively turn off the 2FA, keep 2FA as an option or make 2FA obligatory for all portal-users from the organisation in question.

By: Will Fris