Two Factor Authentication Implementation Methods and Bypasses
Two Factor Authentication, or 2FA, is an advanced method of user authentication and a subset of multi-factor authentication mechanisms. 2FA enhances the security of user accounts by adding another layer of authenticity challenge after the traditional password used in single-factor authentication. The suggestion to add something more to traditional login systems, which relied entirely on passwords, has been around for a long time. It was inspired by the fact that passwords have an inherent trade-off between being easy to remember and hard to guess.
Password managers help people remember their complex passwords and generate such passwords for them. These password managers may be secure, but how do you stop someone from "winning an iPhone" and ending up installing malware? Also, not everyone uses a password manager. This is where multi-factor authentication is highly useful in protecting accounts from unauthorized access or complete takeover. The common ways in which 2FA is implemented are:
1. One Time Passwords (OTPs)
A one-time password is a string, generally consisting of digits, that has a short validity lifespan and can be used only once. An OTP is used as an added layer of security for an account or a similar online entity after the password.
A general implementation of OTP for two-factor authentication requires receiving an OTP on an email address or phone number connected to the account after successful verification of the password. The assumption is that only the actual owner of the account has access to one or both of those. The login does not succeed unless the correct OTP is provided. OTPs can be delivered to a phone by text message or voice call. By email, OTPs are generally received in the mail body in plaintext.
2. Software Based Authentication
Another idea for implementing two-factor authentication is to have users install an app on their phone that is used as the second factor. The app generates tokens at regular intervals and transmits them to its server. The website needing to authenticate asks the user for the code, then sends it to that app's server for verification. The login succeeds once the code is verified. The idea behind app-based authentication is to avoid the inherent issues with texts and calls.
3. Backup Codes
Backup codes are used in case a user loses access to their secondary authentication source. Less commonly, backup codes can be used directly for authentication. Backup codes are generated on demand for a logged-in user. Codes are generated in groups of 10, 15 or so. Each code is usable once, and the old set becomes invalid whenever a new one is generated.
4. Hardware-Based Authentication
To avoid the issue of a malicious person getting physical access to the smartphone or similar device used for 2FA, a hardware-based “key” is used. This “key” is used solely for authentication, so the chances of someone ill-intended getting access to it by taking advantage of its user’s kindness are low. (You can let someone use your phone, but why would you give them your authentication hardware?) The “key” is usually a USB device that contains a key used to validate the user’s authenticity.
5. Characteristic-Based Authentication (Biometric Authentication)
Biometric authentication relies on the biologically unique characteristics of the user. The two most commonly used characteristics are the fingerprint and the iris. Biometric authentication is used as a secondary means of user authentication in highly sensitive systems. Biometrics can also be used as a standalone method of authentication.
Issues with 2FA Methods:
- SMS- and call-based OTPs rely on SIM cards, which can be duplicated.
- Software-based 2FA methods are only as secure as the token-generating algorithm.
- Hardware-based 2FA methods are useful only if they are not physically accessible to anyone except their original user.
- Backup codes can be easily obtained if stored in unsafe places.
- Biometric authentication characteristics can be duplicated and hence bypassed.