Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
1/16/2017
01:00 PM
Malwarebytes Labs
Malwarebytes Labs
Partner Perspectives
50%
50%

Understanding The Basics Of Two-Factor Authentication

With data breaches resulting in leaked passwords occurring almost daily, two-factor authentication has become an essential tool in the security toolkit.

Two-Factor Authentication (2FA) is the least complex version of Multi-Factor Authentication (MFA), a technology invented to add an extra layer of security to the now considered old-fashioned and insecure simple login procedure using a username and a password. Given the number of leaked login credentials for various websites (Yahoo, LinkedIn, Twitter to name a few), this extra layer is now a critical identity management tool.

It works by preventing hackers from accessing a user account from a different machine or from a different location (resulting in a different IP). With 2FA-enabled login procedures, legitimate users receive a text message providing them with a verification code. That code is needed to complete the login procedure.

By definition, 2FA depends on two different methods of identity confirmation of the user. In the example above, the user knows the login credentials and has control over the phone that receives the text. Other factors that are often used are:

  • Knowing a PIN or TAN code (ATM withdrawals, money transfers)
  • Having access to an email account (when verification codes are sent by mail)
  • Secret questions (often frowned upon as they are sometimes easy to guess)
  • Physical keys (card readers, USB keys)
  • Biometrics (fingerprint readers, iris scanners)
  • Mobile devices that can scan barcodes or QR codes and calculate a login code for one time use (Authy,  Google Authenticator)

Alternatives

There are some alternatives for 2FA that can also be used in combination with 2FA, or as one of the factors. Some examples are:

  • Single Sign On (SSO): this is mostly used as a method to dampen the impact of using 2FA methods, particularly when given an authenticated user access to several resources. The idea is that once the user has been identified and approved, the SSO software provides access to all platforms tied to the SSO. Given the possible impact of a breach the login procedure for a SSO system is usually done by using a MFA procedure. Another consideration when choosing a SSO system is the consequences of a failure. If the SSO software goes offline, will this block the user from all the underlying resources?
  • Time-based One-time Password (TOTP): this is a special authentication method that uses an algorithm that calculates a one-time login code based on the time. The server and the user that wants to login both run simultaneous calculations with the same seed and time-stamp. If the results match, the user is granted access. Obviously the clocks need to be synchronized, although there usually is some leniency built into the procedure (up to a one minute difference is generally allowed). Since losing the machine that runs the algorithm or any other way that leaks the algorithm could allow access to the wrong person, this method is generally used as one factor in a MFA method.
  • Token Authentication: besides physical tokens, other tokens can be used as a means of authentication. Consider, for example, apps that run on your smartphone and can show an image to your webcam or play a sound which can be compared to an original. As this is not a very strong authentication method (for now) it is advisable to be used as one of the authentication factors and not the sole one. 

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
essayguide
50%
50%
essayguide,
User Rank: Apprentice
1/18/2017 | 10:56:15 PM
Re: Pending Review
Thanks for giving information about Two factor Authentication,it is topic of my academic essay writing.It will help me to complete my essay.
MCLEM25
50%
50%
MCLEM25,
User Rank: Apprentice
1/17/2017 | 9:42:00 AM
Troubleshooting Utilities
Many support techs for software vendors often have very little real network security experience.  It would be extremely helpful to add at least a few links to articles like this to even one or two other articles or authors or professionals who could just document the basics of even where to get started.
Cybersecurity's 'Broken' Hiring Process
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/11/2017
Ransomware Grabs Headlines but BEC May Be a Bigger Threat
Marc Wilczek, Digital Strategist & CIO Advisor,  10/12/2017
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
Malwarebytes protects businesses against malicious threats that escape detection by traditional antivirus solutions. Malwarebytes Anti-Malware, the companys flagship product, has a highly advanced heuristic detection engine that has removed more than five billion malicious threats from computers worldwide. SMBs and enterprise businesses worldwide trust Malwarebytes to protect their data. Founded in 2008, the company is headquartered in California with offices in Europe, and a global team of researchers and experts. For more information, please visit us at www.malwarebytes.com/business.
Featured Writers
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Search Cybersecuruty and you will get unicorn.
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.