Two-Factor Authentication, or 2FA, has been around for a while. It usually refers to using an SMS code as an additional step to log in to your account. However, the term has been replaced by “Multi-Factor Authentication.” What is the difference?
Password authentication sucks
Before two-factor authentication was ever a thing, the world ran on passwords. Passwords are still commonly used today, as they are quite useful to most people – a short, easy-to-remember phrase that gives you access to your protected services.
But passwords have many security issues in practice. The main issue is that you trust your password to many random third parties, which risks the hash of your password being stolen in a data breach. If you have a good, long password, you should be safe, but many people have terrible passwords. In addition, many people reuse the same password, which means that a data breach at one company can affect your account on another service.
Even if everything else is ignored, a password is a single string that gives access to your account. Anyone who has this string can act and perform actions as you. A single point of failure is never a good idea.
So a solution was made, called “Two-Factor Authentication.” Everyone has a phone; in many ways, the device in your pocket publicly identifies you. So the idea is simple: you get a text with a short code on your phone when someone tries to log in. Without the code, the attacker is locked out. If an attacker stole your password and wanted to log in to your account, they would not be able to without access to your phone.
The “two factors” in 2FA are your password and the code sent to your phone. Without access to both factors (not either/or), no one can access your account.
But two-factor auth also has problems
While 2FA is good for locking down accounts and has worked quite well, many implementations of it have their own problem. Because 2FA relies on SMS to send codes, it is not really a “password + phone” combination that gives access to your account; it is “password + phone number.”
This is a problem because it is unbelievably easy to steal someone’s phone number with a SIM swap attack. This is how it works: a determined attacker wants to get into your account, so they investigate and find your phone number and possibly your birthday. With these two things, they can go to the phone provider’s store and buy a new phone. Most of the time, the employees in these stores are not aware of this security risk and will by default only ask for your birthday. All the attacker needs to do is lie, and they leave the store with your phone number on their SIM card. This is not just theoretical – it happened to me personally when I got my phone upgraded at Verizon. They did not ask for my birthday, any identifying information or even my old phone. I gave them my phone number to change, but it could easily have been yours.
Of course, the attacker will still need your password to access your account, but many services also use your phone as a recovery device. Even without your password, an attacker can choose to reset it, have the recovery code sent to your phone (which is now their phone) and unlock your account, all without knowing either of your two factors.
“Multi-Factor Auth” fixes all of these issues
The fix for this is pretty simple. Instead of using SMS to deliver codes to your device, download an “authenticator app” and link it securely to your account. Instead of receiving a code by text, you enter the code displayed in the app, which changes every 30 seconds. Otherwise it is the same as 2FA: no phone, no access.
Under the hood, this uses a time-based one-time password (TOTP), which is very secure. You and the service exchange a secret when you link the app to your account. This secret seeds a deterministic code generator on both sides, which produces a unique code every 30 seconds. Because you and the server share the secret, you have identical codes, and no one else can be on the same page without knowing the secret you exchanged. This alone solves the SIM swap problem, because the secret is tied to the phone, not the phone number.
TOTP apps are just one example of an MFA factor. The term is a generalization, used for all types of authentication with two or more steps. MFA is a newer, more inclusive term commonly used by services that support TOTP apps and other authentication factors. While the phrase “Two-Factor Auth” may still technically apply to key fob + password authentication, it almost always refers to SMS.
MFA factors usually fall into one of three categories:
- Something the user knows, such as a password or PIN
- Something the user has, such as a phone or a key fob
- Something the user is, such as face or fingerprint recognition
Of these, key fob authentication (something you have) is the most common after TOTP apps. These are physical devices (similar to flash drives) that you plug into your computer when you log in.
They contain a certificate that verifies your identity. Basically, it’s an SSH certificate on an easily accessible key, which is very secure, even more so than your average SSH key, since it is not stored on an internet-connected device. Theoretically, there is no way to break through key fob authentication without physically stealing the key fob, which is very unlikely, or removing the door itself, which cannot be prevented anyway.
It should be noted that MFA is not always completely secure – password reset can sometimes still bypass it, depending on the service. For Google in particular, accounts locked with authenticator apps can still be recovered this way. If you use a Google Account for business services or just want your email locked down, you should enable Google’s Advanced Protection, which requires a key fob and fixes the problem.