Two-factor authentication (2FA) for Dummies
Two-factor authentication often sounds difficult and confusing, and to some people it doesn’t make sense. So what is it? Think of it like this: you’re going to your apartment and you have the key to your door, but a guard asks for a password before he lets you in. In essence, two-factor authentication requires something you have and something you know.
What is Two-Factor Authentication?
It's Week 3 of #CyberSecurity Awareness Month! Are you #CyberAware? Enable 2-Factor Authentication (2FA) wherever possible to add another layer of security to sensitive third-party apps and websites. *cough* Twitter *cough*
— Angelita Mardiros (@AM_ITConsulting) October 15, 2018
When using online banking, or our iCE3X cryptocurrency exchange, you will often need to set up two-factor authentication (2FA). We’ve witnessed a large increase in the number of websites being hacked, resulting in users’ personal data being stolen. With cybercrime becoming more sophisticated, the old security system of a single password and an email address is outdated. Sometimes, though, simple human error is what leads to a cyber attack. Companies often find that their old security infrastructures are no match against modern cyber threats and attacks.
2-Factor Authentication adds an extra layer to security, implemented to make sure a user trying to access an online account is who they say they are. A user will enter their email/username and password, then as soon as they log in, they will need to give another piece of information.
This second factor can be any one of these categories:
- Something you have: Usually something the user would have on their person, such as a bank card, phone or small hardware token.
- Something you know: Something the user would remember, such as a PIN number, a password or the answer to a secret question. Even a specific keystroke pattern.
- Something you are: A new option for 2FA, this is a biometric layer of security. This could be a fingerprint, a voice print or an iris scan.
With 2FA, if your password is stolen or you lose your phone, the chances of another person having any of your second-factor information are extremely low. In the future, if consumers use 2FA correctly, a website or app could be more confident about the user’s identity and unlock the account based on trust.
Different types of 2-Factor Authentication
Nowadays, any website that doesn’t require 2FA upon entry opens itself up to the risk of hackers. However, this doesn’t mean that all 2FA techniques are the same. There are a variety of 2FA techniques in use today; some are more complex than others, but they all offer better protection than just having a password. Here is a list detailing the different types of 2FA.
Hardware Tokens
One of the oldest, if not the oldest, forms of 2FA around. Hardware tokens are small pocket-size items that generate a numeric code once every 30 seconds. With these, a user will log into one of their accounts, glance at the device to see the code, then enter it into the website or application. Some versions of hardware tokens will automatically enter the 2FA code once they are plugged into a computer system’s USB port.
Hardware tokens are known to provide bank-level security to users. They are usually an enterprise tool, meaning they are not built for use with sites or applications other than the one that chose to provide the hardware token. Despite this, hardware tokens still suffer from various downsides. For example, businesses struggle with distributing these items as they are expensive. Also, many users say that the size of the tokens makes them easy to misplace. Plus, it becomes an item you have to keep on you 24/7 just to log in.
Software Tokens
Probably the best form of two-factor authentication. Using a software-generated one-time passcode that self-destructs after a short period of time (codes lose their validity after 30 seconds to 10 minutes), software tokens provide a superior alternative to SMS and voice 2FA.
Software tokens like Google Authenticator / Authy are easy-to-use apps that secure 99% of all 2FA-enabled applications and sites. All a user needs to do is download the 2FA app on their smartphone or computer and set it up. After that, once they have entered a username and password, they enter the code shown on the 2FA app.
Similar to hardware tokens, the codes generated in order to log in only last for a short period of time. A big concern for SMS or voice delivery methods is hacker interception. But with soft tokens, the code generates and displays on the same device, leaving no entry points for a hacker. These tokens operate using the internet so there is no need for a phone connection so long as you have an internet connection.
Voice-based 2FA / SMS
SMS text-message-based 2FA directly interacts with a user’s phone. After a site receives a username, password and phone number, a one-time passcode (OTP) is sent via text message. The user must then enter this passcode into the application to receive access to the account. Voice-based 2FA operates in a similar way: users will receive a call and will be told to verbally deliver the 2FA code. This is more common in countries where smartphones are expensive and cell phone service is bad.
If you’re using a low-risk website, this authentication method may be all you need. But when using a website that stores your personal information, or your funds like on iCE3X, you may be better off with a software token. SMS is the least secure method of two-factor authentication as SIM cloning is a widespread problem all over the world.
In countries like South Africa, cell phone reception is poor in some places, so if you don’t have service, you won’t be able to access your funds. With operator downtime becoming a factor when using this method, this should be your last resort, especially if you’re in South Africa.
Backing up your master key
Backing up your master key is extremely important. If you don’t do this, all your accounts are stored only in your authenticator app, because without a backup all the information is kept on your phone. If you lose your phone, you’ll lose your accounts too.
To counteract this, you can opt in to back your accounts up to the cloud. Of course, all authenticator accounts go through encryption before the upload in order to keep all your information safe. Your phone is the only item that can encrypt/decrypt the files.
How to activate 2FA on iCE3X
- Login to the iceCubed Platform (https://ice3x.com)
- On the main page, click on “My Account”.
- Click on the “Settings” tab.
- Download the authenticator app on your phone using one of the links listed below:
  - For Android
  - For iPhone
- Click the “Enable” icon to begin to activate Two-Factor Authentication
- Scan the QR code with your Google Authenticator app. You will now have a 6-digit authorization code, which will change every time you log into your account. When asked for this code, only use the code that shows on your phone screen.
- Enter the 2FA code from Google Authenticator, then press the “SAVE” button.
- Please tick all the tabs where you want the extra security of two-factor authentication, and save it using your authorization code.
Read more about why 2FA matters!
Stolen and weak passwords are a common cause of security breaches. Though passwords are the main (and sometimes only) way companies attempt to protect their users, 2FA can be a simple solution. An outbreak of 2FA-based accounts would be a hacker’s worst nightmare. Set up 2FA on your account now to ensure your funds and personal information are safe.