
Two-factor (or multi-factor) authentication

In most cases, to access an account on a website or an application, we identify ourselves with a personal username and password. This is the classic scheme found on practically every site. Even so, on its own this validation is no longer sufficient.

Daniel Consentini

One of the mechanisms that adds an additional layer of security and helps us protect our accounts is two-factor authentication. As we will see below, this security feature is quite widespread and greatly increases the security of our information.

What is two-factor authentication?

Two-factor authentication (2FA) is an additional layer in the process of validating a personal account. As mentioned above, the classic validation of an account consists of credentials based on a username and password. Anyone who knows this pair can access the account.

Two-factor authentication adds the need for another form of validation, in addition to the typical username and password. What can this additional validation be? Any mechanism, as long as it belongs to a different one of the following groups than the first factor:

  • Something we know: information that only we know, such as passwords, PINs or access codes.
  • Something we have: elements such as a mobile device, a physical identity document or a security key.
  • Something we are: features that make us unique, for example a fingerprint or our face, but also behavioural patterns such as the way we press keys.
  • A specific location: access can be limited to the place we are in, such as a country or a city.
  • A specific time: similarly, access can be refused if it occurs outside a given time window.

The last two are contextual conditions rather than proof of identity on their own: an attacker who has our password and connects from the right country at the right time satisfies them. In practice they are layered on top of the first three groups, and the second factor proper should come from a different one of those three.

In this way, a double factor valid for our username and password would be, for example, validation with a mobile device (something we have) or with a fingerprint (something we are).

Similarly, it would not be valid to combine a username and password with a PIN or an access code, as all the authentication mechanisms would be in the same group (something we know).

Why is it necessary?

At this point, if we follow the usual recommendations and have complex and unique passwords for each site, and also change them regularly, why do we need to establish yet another mechanism for validating an account?

This question can be answered in several ways. Firstly, passwords are being undermined by ever-increasing processing capacity: when a site's password database leaks, the time needed to recover the original passwords from their stored hashes by ‘brute force’ (trying combinations) keeps shrinking, and a password reused elsewhere then opens those other accounts too.

On the other hand, there are more and more attacks aimed at obtaining the password in a readable form. In other words, the aim is not so much to carry out the previous brute force, but to deceive or attract us in some way to obtain the credentials. This can be done through social engineering such as malicious emails or websites, or also with WiFi or MitM (man in the middle) attacks, for example.

Finally, another possible explanation for having two-factor authentication is that we have to be honest about our own security. In general, we don’t have complex passwords, we use the same one for different sites and, moreover, they tend to be passwords with known patterns and, therefore, weak.

Given these circumstances, activating two-factor authentication can save us from many problems. Consider the case of stolen credentials: with this solution an attacker holding only the username and password cannot get in, because the second validation is still missing. The protection is strongest when that second factor cannot itself be captured in transit or phished, which is what separates the methods compared below.

How two-factor authentication works

Although it may seem a complex configuration from what we have seen so far, nothing could be further from the truth: it is a simple solution both to implement and to use. Although the details vary with the type of authentication chosen, the general steps are as follows:

  • First of all, it is necessary to configure the two-factor authentication by linking the chosen mechanism to the account we want to protect. We go into the security settings of the account, look for the option called two-factor authentication or 2FA, and choose the most convenient mechanism from those offered, following a few simple steps. For an authenticator app this usually means scanning a QR code, which hands the app a secret shared with the site; for a security key it means registering the key once. Any backup or recovery codes the site gives us at this point should be kept somewhere safe, since they are what gets us back in if the device is lost.
  • Once the second factor is linked, each time we log in to the site we will be asked for it after the password. The most common form is a one-time code that expires after a short period, known as an OTP, although this varies with the method chosen.
  • We read the one-time code from the device (or complete the mechanism we have chosen) and enter it in the prompt. If everything is correct, we are in our account.

Generally, the initial configuration of a two-factor authentication usually takes one or two minutes. Its use when logging in can take another thirty seconds or so in this validation process. As we can see, its configuration and use requires a negligible amount of time in comparison with the level of protection it provides.

Authentication methods

There are many methods or types of authentication using two-factor authentication. The following points explain the most common ones, although there are other totally valid ones:

  • Dedicated applications on mobile devices. Usually the preferred option. An authenticator app computes temporary one-time codes (OTP) locally from the secret shared during setup, typically a new six-digit code every 30 seconds, so it works without network coverage. These codes are what we type in when entering the site or application.
  • Pop-up notification. Usually tied to the same kind of app; instead of a code, a notification appears on the device that we have to approve. Approve only prompts that match a login we have just made ourselves: a prompt arriving out of the blue means someone else has our password.
  • Email: very similar to the previous option; we receive temporary codes in our mailbox that are requested at the time of validation. It is only as strong as the mailbox's own protection, which is one more reason the mailbox itself needs 2FA.
  • Fingerprint. Widespread because it identifies us uniquely, and it can also provide that second barrier. Note that on most services the fingerprint never leaves the device: it unlocks a key or an app held on the phone, so the factor actually presented to the site is "something we have".
  • Hardware token. Perhaps the least used type of authentication, but not for that reason the least secure, quite the opposite. These are small physical devices: some display a one-time code, while modern security keys instead sign a challenge bound to the site they are being used on, which makes them the option most resistant to phishing.
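
As an added example, not code from the original article or from any particular provider, the following Python implements the mechanism behind the "dedicated application" and "hardware token" methods above, and the set-up and login steps described earlier: HOTP and TOTP as specified in RFC 4226 and RFC 6238, the otpauth:// URI that the enrolment QR code encodes, and the server-side verification with a clock-skew window, replay protection and counter resynchronisation. The issuer and account names are placeholders; the shared secret is the one from the RFCs' published test vectors, not a real credential.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a zero-padded decimal code."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of `step`-second
    intervals since the Unix epoch. This is what the authenticator app computes."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The otpauth:// URI that the enrolment QR code encodes.
    The secret travels as unpadded Base32, as authenticator apps expect."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}"
            f"?secret={b32}&issuer={issuer}&algorithm=SHA1&digits=6&period=30")


class TotpVerifier:
    """Server-side check of an app-generated code.

    - `window` accepts codes from neighbouring time steps to tolerate clock skew.
    - Each time step is accepted at most once, so a code captured in transit
      cannot be replayed during its remaining lifetime.
    - Comparison is constant-time so timing does not leak matching digits.
    """

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret = secret
        self.step = step
        self.window = window
        self.last_step = -1  # highest time step already used for a successful login

    def verify(self, code: str, at: Optional[float] = None) -> bool:
        if at is None:
            at = time.time()
        current = int(at) // self.step
        for delta in range(-self.window, self.window + 1):
            step = current + delta
            if step <= self.last_step:
                continue  # already consumed: treat as replay
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_step = step
                return True
        return False


class HotpVerifier:
    """Server-side check for an event-based hardware token (RFC 4226).
    The token's counter runs ahead of the server's if the user pressed the
    button without logging in, so the server searches a small look-ahead
    window and resynchronises to the counter that matched."""

    def __init__(self, secret: bytes, look_ahead: int = 10):
        self.secret = secret
        self.look_ahead = look_ahead
        self.counter = 0  # next counter value the server expects

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # resync; this and older counters are now dead
                return True
        return False


# Shared secret from the RFC 4226 / RFC 6238 test vectors (not a real credential).
TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    # Enrolment: this URI goes into the QR code the user scans (placeholder names).
    print(provisioning_uri(TEST_SECRET, "alice@example.com", "ExampleSite"))
    # Login: the app computes the code, the server accepts it once and refuses the replay.
    server = TotpVerifier(TEST_SECRET)
    code = totp(TEST_SECRET, at=59)
    print(code, server.verify(code, at=59), server.verify(code, at=59))
```

The look-ahead window in HotpVerifier is the knob that trades convenience against security: a wider window absorbs more accidental button presses but also gives a guesser more valid codes at any moment, which is why servers pair it with rate limiting on failed attempts.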

As mentioned, there are many other ways to activate two-factor authentication. However, there is one in particular that many sites use that has not been listed above, but it requires some attention: SMS.

Many portals use SMS as a two-factor system, and this is NOT the recommended option: it should be the last resort, used only when nothing else is offered. The problem is simple: an SMS can be diverted or read by attackers in several ways, for instance by taking over our phone number (a SIM swap) or through malware on the phone, and the protocol carrying it offers no confidentiality for the message. Furthermore, the code is still typed into a website, so a convincing fake login page can collect it along with the password. Therefore, prefer any of the other methods over classic SMS; if a site offers only SMS, it is still better than the password alone.

Use cases

As we have seen, two-factor authentication focuses on the security of personal accounts, providing additional validation and ensuring that it is really us trying to access the information.

As a result, there are many websites and applications that implement this type of access option. It is not possible to list them all, but we can describe the most relevant ones and where we should have this protection activated:

  • Banking. Its use is mandatory by law in many jurisdictions (in the European Union, for example, under the strong customer authentication rules of PSD2), and in some applications it can also be configured to confirm individual operations, providing a more secure approach to our data and transactions and avoiding monetary losses and the leakage of sensitive information.
  • Messaging and social networks. Currently, social networks represent one of the greatest exposures of personal information to the outside world. Losing the account could mean losing reputation or even money. Likewise, messaging applications are the only contact we have with certain people. Losing control means losing that contact, and the account can be used to spread malware to our contacts.
  • Email accounts. In addition to the information they contain, email accounts are used as the recovery channel for other accounts. If an email account is compromised, it can be used to reset the passwords of other services and amplify the attack.
  • Online storage. Various portals offer us a certain amount of space to store information. This data can be private, and its exposure can damage our image.

Adding more layers. Multiple factor

As seen in the previous sections, two-factor authentication combines two different authentication groups to protect access to an account. If we keep adding factors to that access, we speak of multi-factor authentication, or MFA; two-factor authentication is simply its smallest case.

MFA goes one step further by adding even more security to an account by combining different layers. It arises from the need to protect the most valuable or sensitive information, such as corporate information or confidential personal data, for example.

An example of this kind of multi-layered authentication could be: username/password (something we know), a dedicated application on a mobile device (something we have), a fingerprint (something we are) and, as a contextual condition, the country from which we are accessing (a specific location). The point is to require as many distinct factors as the value of the resource we want to protect justifies.
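
As an added example (not from the original article), here is a small policy check, in Python, of the rule used throughout this article: factors count only when they come from different groups, and location is a restriction applied on top of them rather than a factor in its own right. The method names, the category table and the country list are this example's own assumptions.

```python
from enum import Enum


class Category(Enum):
    KNOW = "something we know"
    HAVE = "something we have"
    ARE = "something we are"


# Which group each login method belongs to (method names are this example's own labels).
FACTOR_CATEGORY = {
    "password": Category.KNOW,
    "pin": Category.KNOW,
    "totp_app": Category.HAVE,
    "push_approval": Category.HAVE,
    "hardware_key": Category.HAVE,
    "email_code": Category.HAVE,
    "sms_code": Category.HAVE,
    "fingerprint": Category.ARE,   # unlocks a key on the device; treated as the user's biometric here
}

DISCOURAGED = {"sms_code"}  # accepted, but flagged so the caller can nudge the user elsewhere


def distinct_categories(methods):
    """The groups covered by a set of already-verified methods.
    Password + PIN covers a single group, so it is not two factors."""
    unknown = [m for m in methods if m not in FACTOR_CATEGORY]
    if unknown:
        raise ValueError(f"unknown methods: {unknown}")
    return {FACTOR_CATEGORY[m] for m in methods}


def authorize(verified_methods, required_categories=2, allowed_countries=None, country=None):
    """Decide whether a login satisfies the policy and say why.

    required_categories: 2 for ordinary accounts, 3 for the most sensitive ones.
    allowed_countries / country: a contextual restriction layered on top; it narrows
    where a login may come from but never substitutes for a missing factor.
    Returns (allowed, reason).
    """
    cats = distinct_categories(verified_methods)
    if len(cats) < required_categories:
        names = sorted(c.value for c in cats)
        return False, f"only {len(cats)} distinct factor group(s) presented: {names}"
    if allowed_countries is not None and country not in allowed_countries:
        return False, f"login from {country!r} is outside the allowed locations"
    weak = DISCOURAGED & set(verified_methods)
    if weak:
        return True, f"allowed, but {sorted(weak)} is a weak second factor; offer an app or key"
    return True, "allowed"


if __name__ == "__main__":
    for methods, kwargs in [
        (["password", "pin"], {}),
        (["password", "totp_app"], {}),
        (["password", "sms_code"], {}),
        (["password", "hardware_key", "fingerprint"],
         {"required_categories": 3, "allowed_countries": {"ES"}, "country": "BR"}),
    ]:
        print(methods, kwargs, "->", authorize(methods, **kwargs))
```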
