Two-Factor Authentication
eBook - ePub


  1. 104 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android

About this book

Passwords are not enough

A password is a single authentication factor – anyone who has it can use it. No matter how strong it is, if it's lost or stolen it's entirely useless at keeping private information private. To secure your data properly, you also need to use a separate, secondary authentication factor.

Data breaches are now commonplace

In recent years, large-scale data breaches have increased dramatically in both severity and number, and the loss of personal information – including password data – has become commonplace. Add to this the fact that rapidly evolving password-cracking technology and the habitual use – and reuse – of weak passwords has rendered the security of username and password combinations negligible, and you have a very strong argument for more robust identity authentication methods. Consumers are beginning to realise just how exposed their personal and financial information is, and are demanding better security from the organisations that collect, process and store it, which in turn has led to a rise in the uptake of two-factor authentication (TFA or 2FA). In the field of authentication security, the method of proving identity can be broken down into three factor classes – roughly summarised as 'what you have', 'what you are', and 'what you know'. Two-factor authentication relies on the combination of two of these factors.

Product overview

TFA is nothing new. It's mandated by requirement 8.3 of the Payment Card Industry Data Security Standard (PCI DSS) and banks have been using it for years, combining payment cards ('what you have') and PINs ('what you know'). If you use online banking you'll probably also have a chip authentication programme (CAP) keypad, which generates a one-time password (OTP).

What is new is TFA's rising uptake beyond the financial sector.

Two-Factor Authentication provides a comprehensive evaluation of popular secondary authentication methods, such as:

* Hardware-based OTP generation

* SMS-based OTP delivery

* Phone call-based mechanisms

* Geolocation-aware authentication

* Push notification-based authentication

* Biometric authentication factors

* Smart card verification

as well as examining MFA (multi-factor authentication), 2SV (two-step verification) and strong authentication (authentication that goes beyond passwords, using security questions or layered security).

The book also discusses the wider application of TFA for the average consumer, for example at such organisations as Google, Amazon and Facebook, as well as considering the future of multi-factor authentication, including its application to the Internet of Things (IoT). Increasing your password strength will do absolutely nothing to protect you from online hacking, phishing attacks or corporate data breaches. If you're concerned about the security of your personal and financial data, you need to read this book.

Two-Factor Authentication by Mark Stanislav is available in PDF and ePUB format, catalogued under Computer Science & Cyber Security.

CHAPTER 1: INTRODUCTION

Everything old is new again

Existing information-security technologies and processes often resemble historical methods to provide confidentiality, integrity and availability.
In the Middle Ages, the use of castle walls, gates, and drawbridges allowed for certain people to come or go only as desired by those in charge. Today, a firewall ensures that data can only enter or leave specific network ports as defined by configured filtering-rule sets. Similarly, Julius Caesar utilised primitive cryptography thousands of years ago to transmit instructions and guidance to his Roman army. While cryptography still has its place among military engagements, it also helps us protect everything from our private photos to credit card numbers for online shopping.
Authentication is no different, with a rich history of methods proving that you are who you say you are before certain privilege or authorisation is granted.
If you’ve ever seen a signet ring, you may have been intrigued that it could provide a means to ensure that a document was sealed by a certain party whose ring symbol you knew of. What if you received a letter from a person that was sealed with a signet ring and then met them in person? Would presenting their ring as proof of identity satisfy you? What if the letter they had sealed included information about a scar on their face and a code word they’d say to you upon first meeting?
Within authentication security, the method to prove identity breaks down into three ‘factor classes’, each with their own pros and cons. The previous example involving the signet ring and letter actually encompasses all three of the factor classes rather succinctly.
1. The signet ring represents ‘what you have’.
2. The facial scar represents ‘what you are’.
3. The code word represents ‘what you know’.
Today, authentication factor classes are better represented by a slightly more tech-forward list:
1. A smartphone represents ‘what you have’.
2. A fingerprint represents ‘what you are’.
3. A password represents ‘what you know’.
The capabilities afforded to us by modern technology provide a wealth of means to handle our existing factor classes in new ways. As you’ll read, this opens up exciting possibilities for authentication security as we’ve known it for decades.

You’ve been using two-factor for years

For the majority of people worldwide, passwords and personal identification numbers (PINs) are how users authenticate themselves to systems and services in their daily lives. These values are representative of the ‘what you know’ factor class. Much like a predetermined code word, a password is really an agreement between a system and a user that, each time they ‘meet’, the password will validate that the user coming back to the system is who they claim to be.
However, if you’ve used an ATM or bought something with a debit card, you’ve actually engaged in using two-factor authentication. By possessing the debit card (what you have) and typing a PIN (what you know), you’ve utilised two factor classes for one authentication process.
Mixing factor classes leads to better security because it’s unlikely that a criminal could compromise both authentication mechanisms. Imagine if someone stole your wallet at a bar one night. They may now have your debit card (something you had), but without the PIN (something you know) they are unable to withdraw funds. If, one day, someone saw your PIN over your shoulder as you entered it into an ATM, they may know that value but still not have the card they need to present to the machine.
Since the ATM security we know today was patented back in the 1960s, it would seem reckless if the banking industry took away one of those factors of authentication to access your financial accounts. Amazingly, though, the majority of people who have used online banking for decades still wield only a password as their means to achieve the same goal.
Many of the technologies we use today (like online banking) have grown organically as capabilities to provide advanced functions to customers have become more realistic. Indeed, 15 years ago there were few cheap, reliable, easy-to-use and efficient means for two-factor authentication to be added to everyone’s online banking experiences. As a result, we’re now seeing financial institutions play catch-up in the digital world to gain parity with their physical banking counterparts.

Authentication security’s naming problem

One of the biggest issues with authentication security is the inability of the industry to name the technology clearly and concisely. Further, even well-informed technologists and companies quite often use authentication security terms incorrectly, leading to unnecessary confusion. This point is well illustrated by the usage of so-called ‘security images’.
Security images are really a staple of the online financial industry’s attempt to provide additional protection to customer accounts without frustrating their users. Typically, a customer will select an image from a list of perhaps twenty that will be shown to them upon logging into their account. The usage of that image, however, is often conflated with the wrong type of security focus.
A security image can actually provide a benefit to customers by appearing when they are prompted to type their username and password into a site. If a user doesn’t see their specific image shown, they can be implicitly warned that a criminal may be attempting to steal their credentials through the usage of a fraudulent website. Unfortunately, this security benefit is often used incorrectly by treating it as a ‘second factor’, which it most certainly is not.
Remember, two-factor authentication requires two different factor classes to be used for one authentication transaction. A password is something the banking customer knows – and so is the security image. As a phishing-mitigation technique, security images may suffice, but do not accomplish the goals of two-factor authentication. While two steps from the same factor class isn’t necessarily bad, it’s not as secure as using two factor classes.
This leads us into the other aspect of naming that goes sideways for people: ‘I thought two-factor authentication was called [insert phrase or acronym] instead!’ Here’s a quick breakdown:
• Two-factor authentication: use of two factor classes to provide authentication. This is also represented as ‘2FA’ and ‘TFA’.
• Multi-factor authentication: use of two or more factor classes to provide authentication. This is also represented as ‘MFA’.
• Two-step verification: use of two independent steps for authentication that might not involve two separate factor classes. This is also represented as ‘2SV’.
• Strong authentication: authentication beyond simply a password. May be represented by the usage of ‘security questions’, or could be layered security like two-factor authentication.
Factor classes, when used together, are often referred to as primary and secondary methods of authentication. This book will typically discuss the secondary form of authentication used and implies that a password or PIN is the primary method. While certain facilities, government agencies or even corporations may not use a ‘what-you-know’ factor in their authentication process, most readers will likely do just that for the foreseeable future.

Looking down a road to greater adoption

I would suspect that many readers of this book have been using computing technologies for perhaps decades and likely had little to no interaction with two-factor authentication up to this point. The reason for this could vary wildly, but one reason is that unless your employers made you use it, few people would ever think that they could or should use such a level of authentication security for their day-to-day activities. Part of this reasoning goes to the fact that, until rather recently, the cost and complexity of deploying and using methods in this technology space were very prohibitive for most people’s lives.
Technologies best known to existing users of two-factor authentication will likely be hardware-based. That’s to say, their second factor would be ‘what you have’, such as a hardware token that would generate a one-time password (OTP) value. These devices typically range between US$25 and US$100, and for a business that you were a customer of, it’s unlikely they would just give them out to everyone (for free, anyway). Further, even if your financial institution or stock-trading company offered you one, you may have been annoyed at the prospect of having to carry a device on your keyring or in your wallet to log in online.
These two points (cost and end-user frustration) have unfortunately been traits of authentication security for decades. This isn’t to say that successful authentication vendors were doing anything wrong, simply that technology was not yet at the level necessary to reduce the costs and complexity associated with making security applicable for most users’ needs. Could you imagine the effort and cost of supplying the millions of customers of a multinational bank with hardware tokens? Taking on the overheads of purchasing, shipping, managing and supporting such an effort would be extremely unwise.
The road to adoption, while slow overall, has sped up within just the past decade due to technologies such as Cloud computing and smartphones, relieving much of the cost and complexity of widely deploying and managing a proper two-factor authentication solution. The addition of open standards for OTP generation has allowed vendors to build hardware that works on any number of platforms, helping to reduce cost and create more incentive for organisations to make the investment to buy devices they can use with a number of vendors.
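The ‘open standards for OTP generation’ referred to above are HOTP (RFC 4226, a counter-based code) and TOTP (RFC 6238, the same construction driven by the clock); they are what a ‘what you have’ hardware token or a smartphone authenticator app actually computes. The following is an added worked example, not code from the book or its author: it implements both algorithms from the standard library, adds the server-side check that tolerates clock drift, and rejects replay of a code within that drift window. The shared secret and expected codes are the published RFC test vectors, not a real credential; the `TotpVerifier` class and its `window` and `last_counter` handling are this example's own design.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 HOTP: HMAC over an 8-byte big-endian counter, "dynamically truncated"
# to a short decimal code. This is what an event-based hardware token computes.
def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    digest = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = digest[-1] & 0x0F                           # low nibble of the last byte
    chunk = digest[offset:offset + 4]
    code = struct.unpack(">I", chunk)[0] & 0x7FFFFFFF    # clear the sign bit
    return str(code % (10 ** digits)).zfill(digits)

# RFC 6238 TOTP: HOTP whose counter is the number of `step`-second intervals
# since the Unix epoch, so token and server agree without shared state.
def totp(secret: bytes, for_time: Optional[int] = None, step: int = 30,
         digits: int = 6, algorithm=hashlib.sha1) -> str:
    if for_time is None:
        for_time = int(time.time())
    return hotp(secret, for_time // step, digits, algorithm)

# Server-side check: accept the current step plus `window` steps either side to
# tolerate clock drift, comparing in constant time. Returns the matched counter
# so the caller can record it, or None if nothing in the window matched.
def verify_totp(secret: bytes, submitted: str, for_time: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> Optional[int]:
    if for_time is None:
        for_time = int(time.time())
    counter = for_time // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None

# A verifier that also refuses to accept the same step twice: a one-time
# password that can be replayed within the drift window is not one-time.
class TotpVerifier:
    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_counter = -1   # highest counter value already consumed

    def check(self, submitted: str, for_time: Optional[int] = None) -> bool:
        matched = verify_totp(self.secret, submitted, for_time,
                              self.step, self.digits, self.window)
        if matched is None or matched <= self.last_counter:
            return False
        self.last_counter = matched
        return True

# Authenticator apps and enrolment QR codes carry the shared secret as Base32.
def secret_to_base32(secret: bytes) -> str:
    return base64.b32encode(secret).decode("ascii")

def secret_from_base32(encoded: str) -> bytes:
    return base64.b32decode(encoded.strip().replace(" ", "").upper())

if __name__ == "__main__":
    # Shared secret from the RFC 4226 / RFC 6238 test vectors (not a real credential).
    secret = b"12345678901234567890"
    print("HOTP counter 0:", hotp(secret, 0))                     # 755224
    print("TOTP at t=59: ", totp(secret, for_time=59, digits=8))  # 94287082
    v = TotpVerifier(secret, digits=8)
    print("first use:", v.check("94287082", for_time=59))         # True
    print("replay:   ", v.check("94287082", for_time=59))         # False
```

Two points the code makes that the prose does not: the whole security of the token rests on the shared secret, so the server must store it as carefully as a password hash cannot be (it has to be recoverable), and a drift window of one step means a stolen code stays valid for up to 90 seconds unless the verifier records the counter it accepted, which is why `TotpVerifier` tracks `last_counter`.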
As you learn more about the technologies, standards, risks and use cases of two-factor authentication throughout this book, be mindful to figure out what will work best for your needs. There are a wide variety of vendors, methods and implementation styles available to complement the specific goals that you or your organisation have.

CHAPTER 2: RISKS TO ONE-FACTOR AUTHENTICATION

Our solutions are also our problems

Depending on your level of computing technology experience, you may be more or less familiar with three major models in architecture:
1. Mainframe computing
2. Client–server computing
3. Cloud-mobile computing
Each of these models represents a fundamental shift in the way computing architects leverage resources (memory, storage, processing power, etc.) and how those resources are made available to end-users.
In mainframe computing, the resources were highly centralised, with perhaps a couple of large machines that would allow many users to access them and share resources. A client–server model, however, shifted much of the computing resources and effort down to individual workstations for users, while offsetting server needs down to a minimal amount – usually focused on data storage and file sharing. Lastly, and most recently, the era of Cloud-mobile has decentralised computing to the point where a service may be entirely separate from the architecture of the business using it. Today, the Cloud-mobile era that allows the two-factor authentication market to prosper has also made the need for such authentication all the more real.
Networks in mainframe and client–server models were often tied to private and highly restricted networks that afforded a sense of security to the data and services behind firewalls and intrusion prevention systems. Similar to the castle walls we spoke of previously, these older models of computing architecture were predicated on keeping bad people out and good data in. However, once an attacker breaks through these walls, many of these networks are soft and malleable to those wishing to do harm. This reality is even more concerning when you consider organisations are moving their data, processing power and even their email into ‘the Cloud’.
Companies like Google and Salesforce.com are stunning examples of how meaningful Cloud computing can be for big businesses, universities, and other entities that want to solve large-scale problems, but not take on the responsibility of managing their own servers, data centres and software updates. It also shouldn’t come as a shock that both of these companies offer two-factor authentication to protect sensitive data from criminals who wish to steal it.

Attacking password-only security

On 18 December 2013, journalist Brian Krebs released information on his website that stated that retailer Target had been bre...

Table of contents

  1. Cover
  2. Title
  3. Copyright
  4. Foreword
  5. Preface
  6. About the Author
  7. Acknowledgements
  8. Contents
  9. Chapter 1: Introduction
  10. Chapter 2: Risks to One-Factor Authentication
  11. Chapter 3: Understanding the Basics
  12. Chapter 4: Second-Factor Technologies
  13. Chapter 5: Standards and Regulations
  14. Chapter 6: Two Factor for Internet End-Users
  15. Chapter 7: Conclusion
  16. References
  17. ITG Resources