Imagine you have a very important code repository on GitHub shared with your collaborators. You are using a super safe password that is never reused in other services on the internet where you also have an account, but you are not so sure about your collaborators and you definitely don’t want to take that risk.
You may not be able to force your collaborators to use a password that differs from their others, because you have no insight into that information, but you can certainly protect your code by adding a security layer to the authentication settings.
For years, the dangers of protecting online accounts with only basic, password-based authentication have been known. Yet, despite this, the transition to stronger forms of authentication has been slow. As consumers and businesses become wiser to the imperative of better protecting their accounts, their voices will add to those calling for two- and multi-factor authentication (2FA/MFA).
What is 2FA?
Two-factor authentication (2FA) is an extra security measure that requires two or more verification factors to gain access to the system. 2FA is an extra step added to the log-in process, such as a code sent to your phone or a fingerprint scan, that helps verify your identity and prevent cyber criminals from accessing your private information by adding an extra layer of security to your account.
The authentication factors of a 2FA scheme may include:
- Possession (Something the user has): Any physical object in the possession of the user, such as a security token, a bank card, a mobile phone, etc.
- Knowledge (Something the user knows): Certain knowledge only known to the user, such as a password, PIN, TAN, etc.
- Biology (Something the user is): Some physical characteristics of the user (biometrics), such as a fingerprint, eye iris, voice, typing speed, pattern in key press intervals, etc.
- Location (Somewhere the user is): Some connection to a specific computing network, or a GPS signal used to identify the location.
One of the most common examples of 2FA we encounter is when logging in to our Google account on some new device. After entering the email address and password, you get a security alert on your mobile device asking you to confirm that it was really you.
In most other services, the procedure of a 2FA should be as follows: You enter your password, then you get a prompt to enter a code or pin that’s sent to your phone number. After you type in the code, you’re in. Simple, right?
A very common way to implement 2FA is with a third-party authenticator app, which usually works by showing a randomly generated, constantly refreshing code that the user enters, rather than by sending an SMS or using another method. A big benefit of these apps is that they usually continue to work even without an internet connection.
Examples of third-party authenticator apps include Google Authenticator, Authy, 2FAS, and Microsoft Authenticator; some password managers such as LastPass offer the service as well.
Although the easiest way to implement 2FA is to send a code to your phone via SMS, since it requires no action such as installing an authenticator app on your phone, it may not be the best idea from a security point of view.
Why is 2FA using SMS not a good idea?
Using two-factor authentication, or 2FA, is the right thing to do. But receiving your codes over text messages puts you at risk. The nature of SMS itself opens up your organization to a host of risks, and attackers have many ways to leverage SMS to find a way into your accounts and network. Below, we’ll look at some common attack strategies.
Hackers use good old-fashioned spoofing, often combined with phishing, to intercept and read your SMS messages. For those in the know, it’s basic tradecraft. This is because SMS messages rely on the security of phone networks and phone companies. Both, sadly, are notoriously easy to access.
While some text messages are encrypted user-to-user, like iMessages between iPhones or WhatsApp messages, SMS messages are in plain text form. Plain text messages are not encrypted between sender and receiver, so if attackers can intercept the message, they can read the content.
If you want to check your phone’s security, use these codes to check if your phone is tapped.
Forrester, one of the leading research and advisory companies, estimates that SMS 2FA stops only 76% of attacks. Although SMS is the least secure method of 2FA, there are thankfully other ways to enjoy the security benefits of 2FA with minimal hassle, such as a hardware token or an authenticator app.
Which industries require 2FA?
To date, the use of 2FA to protect systems is not mandatory for every industry. However, 2FA is a needed measure to comply with particular password restrictions in sectors such as finance, healthcare, defense, law enforcement, and government, among others.
As one of the most security-sensitive industries, the finance industry has long used 2FA technology. In fact, each time you use an ATM, you are using 2FA—you need both your PIN (something you know) and your ATM card (something you have) to access your bank account. As more financial services move online, financial organizations need this added layer of security to protect customers and their assets.
As an example from the healthcare industry, The Health Insurance Portability and Accountability Act (HIPAA) was created to protect the privacy of an individual’s healthcare information. Under HIPAA, healthcare organizations need to put measures in place to enforce password security.
This does not dictate the implementation of 2FA but does require organizations to address password security practices. As in the finance industry, 2FA can ensure that healthcare organizations have high standards of password security and are compliant with industry regulations.
Adding 2FA to your project implementation
In practice, there are several ways to add 2FA to your project. The implementation itself isn’t as scary as you think, but consists of a few steps.
The server generates a secret key for the user’s account and stores it. That secret is used to generate the subsequent tokens the end user presents to verify their identity. If the end user really is the account holder, they know where to look for the token (an email or an authenticator app), and the server can verify the token against the stored secret.
In our company, most projects are Java based using Spring framework, and on Spring’s official GitHub account there is an example of two-factor authentication implementation as a reference.
What are the benefits of having an extra security layer on your accounts?
Firstly, stronger security. Having a second layer of security greatly decreases the chance of a hacker gaining access to corporate devices or some other sensitive information.
Google researchers also commented that “simply adding a recovery phone number to your Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks.” At the same time, “zero users that exclusively use security keys fell victim to targeted phishing.”
Also, 2FA increases productivity and flexibility. Many businesses are now embracing remote working as it encourages productivity. Adding an extra layer of security allows employees to safely access corporate systems from any device or location without putting sensitive data at risk.
What should we do?
In conclusion, for more carefree internet surfing, the recommendation is to use strong and (only for you) easily memorable passwords. Change passwords from time to time and don’t reuse them on other internet sites: one data breach can make all your other accounts exposed to danger. Finally, use 2FA on all your important services and force collaborators to do it as well.