Two factors are better than one
2FA: What it is, how it works and why it keeps your data secure
29 April 2022 minute read
Passwords just aren’t cutting it anymore. Don’t get me wrong, we still need them. And as a way of keeping alive the the memory of a long-dead family pet, they’re still second to none. But passwords are becoming intrinsically less and less secure, thanks to countless data breaches and poor user practices. So it’s time to reinforce them with a second line of defence. Meet two-factor authentication.
Two-factor authentication (2FA) is a method of establishing access to an online account or computer system that requires the user to provide two different types of information.
A factor in this context simply means a way to satisfy a computer or online service that you are who say you are, so the system can determine if you have the right to access the services that you're trying to access. By far the most common authentication factor in use across the web is the good old username/password combo, and since most accounts only require a password for access, most systems can therefore be said to be using single-factor authentication for security. With 2FA, you'll need to both provide a password AND prove your identity some other way before you can gain access.
Why use two-factor authentication?
Good question. After all, passwords have been the standard for everyday information security for a generation now. Surely adding an additional step just makes logging in to your account more difficult. Why bother?
Well the main reason to use 2FA is that, over recent years, widespread data breaches have put millions of email address/password pairs up for sale on the dark web. This, in turn, has made many passwords less secure. Most people reuse passwords across multiple sites and accounts on the web. Now this is a really bad idea, but lots of us do it anyway. Hackers can plug in known email address/password pairs into dozens of sites and see which of them provides access. And research conducted by Verizon in 2018 found that a whopping 81% of account breaches can be attributed to passwords that were either leaked in this way, or passwords that were so weak (eg ‘passw0rd’) that they were trivially easy to guess. We have a few tricks up our sleeve to make sure the user credentials you set for your AttendZen account haven’t previously been compromised – and also that they are sufficiently robust. But that’s another blog post (that you can read here).
Back to 2FA. You’re probably familiar with the security questions or knowledge-based authentication used by some sites – stuff like asking you your mother's maiden name or the city where you were born. Lots of sites use these questions as a sort of backup to passwords, for instance if a user is logging into a site from a new device or network connection. But this doesn’t add a whole lot of security. With so much personal information freely available for those who know where to look, a determined hacker could probably figure out the answers to these questions for a compromised account, or bypass them altogether via social engineering attacks. And anyway, as we'll see in a moment, they don't represent a true second security factor, and therefore they can’t provide the deep security that comes with 2FA.
How does 2FA work?
To understand what real two-factor authentication looks like, we need to revisit the concept of a factor. A password fits the definition we gave above, but it helps to think of it in more abstract terms. A password is something you know. This explains why knowledge-based authentication doesn't represent real 2FA; you’re just backing up something you know with something else you know. In truth, the answer to your security question is, well, just another password, and therefore subject to all the same weaknesses.
True 2FA pairs your first authentication factor – still a password (ie something you know), in the vast majority of cases – with a second factor of an entirely different kind, such as:
- Something you have (like a credit card, a smartphone, or a small hardware token)
- Something you are (biometric identifiers, such as the pattern of a fingerprint, an iris scan, or a voice print)
Users then need to supply both their password AND this second factor to get access to their account.
Arguably the most popular form of two-factor authentication (and the method we use at AttendZen) utilises a software-generated time-based, one-time passcode (also called TOTP, or ‘soft-token’). Ready? Here comes the science part.
TOTP stands for Time-Based One-Time Password. It is a standardised method for generating a regularly changing code based on a shared secret (that is to say, shared by our server and your phone). Because it’s a standard, you can get many different (and free) authenticator apps for your mobile phone that support it. Some of the most popular ones are Google Authenticator, Authy, Duo and 1Password. They can all be found in the app store.
When you set up 2FA on your AttendZen account, our server generates a secret key – a bunch of random numbers and letters. You then save this key to your phone by scanning a QR code with your authenticator app.
Now your phone and our server both have a copy of this secret key. When you want to log in, you need to prove that you have the key. To do this, your app combines the key with the current time to produce an access code. It does this using something called a ‘ecure hash function’ (for the crypto-heads out there, it uses HMAC-SHA-1). In layman’s terms, it mixes the time and your key together to produce an output that’s unique (if the time or the key are different in even the slightest way then the output is completely different), but impossible to reverse (knowing the output doesn't help you guess the secret key). To make it easier to type, the access code is shortened to a six digit number.
When prompted, you type the code into the input box, directly after you enter your username and password. Our server repeats the process and if the code matches, you’re in! It all takes a few seconds, it’s extremely reliable and it makes it way, way harder for someone to hack into your account.
Some websites use SMS-based authentication, where the site sends the user a unique one-time passcode (OTP) via text message. Again, the user has to enter the OTP back into the application before getting access. Easy enough. However, SMS is considered to be the least secure way to authenticate users, as hackers have several tools in their arsenal that can intercept, phish, and spoof SMS. And if you happen not to have mobile phone service, then you’re not getting into your account. So we prefer using TOTP via an authenticator app.
Most of the online, account-based services you use for work or personal stuff should offer 2FA and it will likely work exactly as described here. One single app on your phone will handle authentication for every account and service you use across the web. Just head to the account settings tab and follow the instructions to enable it.
So to sum up, 2FA costs nothing, is incredibly quick to activate, really easy to use and it increases your account security by an order of magnitude. This is good news for you, and your attendees’ valuable personal data. Best of all, since app-based 2FA solutions are available for mobile, wearables, or desktop platforms – and they even work offline – user authentication is possible just about everywhere.