Two-factor authentication (2FA) can improve security for anyone using an online service or accessing corporate resources. It requires the user to provide two different types of evidence to prove they are who they say they are before access is granted.
Traditional, password-based authentication systems are vulnerable to phishing attacks and the use of weak or reused passwords. Since many systems can be accessed from anywhere over the Internet, a compromised password makes it possible for an attacker to gain unauthorized access to a user account.
Two-factor authentication, often also called two-step verification, is designed to add an additional layer of protection for user accounts. (Strictly, "two-step verification" can mean two checks of the same type, such as a password plus a security question, whereas 2FA means two different types of factor.) Instead of requiring only a password for authentication, logging into a 2FA-enabled account requires the user to present an additional factor as well.
Authentication factors are broken into three categories:
Something you know, such as a password, a PIN or the answer to a security question.
Something you have, such as a smartphone, a smartcard or a USB security key.
Something you are, meaning a biometric such as a fingerprint, face or retina scan.
Ideally, a 2FA system should incorporate two different types of factors. Otherwise, the use of two of the same factor, such as two “something you know” factors, runs the risk that both will be compromised at once. For example, two knowledge-based factors (like a password and security question) could be compromised in a phishing attack, while two physical factors (like a smartphone and USB key) could be stolen by a pickpocket.
A common combination is a knowledge-based factor plus a physical factor. For example, a user may need to provide a password and plug a smartcard or USB key into a computer, or tap a confirmation button on their smartphone. Biometric factors are used less because they are harder to implement securely (smartphone fingerprint and face scanners have been defeated multiple times) and cannot be changed if compromised. Put simply, it is easy to change your password but much harder to change your fingerprints or retinas.
In practice, a 2FA login page prompts the user for more than one input. Commonly, this is a password followed by a one-time access code.
This one-time access code can be delivered in a number of ways. One common option is to send it by SMS or email. However, this approach is less secure because the code can be intercepted in transit, read from a compromised mailbox, or redirected to an attacker's phone by a SIM-swapping attack.
A more secure option is a Time-based One-Time Password (TOTP), the algorithm used by most smartphone authenticator apps. During setup, the server and the authentication device (smartphone app, hardware token, etc.) share a secret random seed value, usually by scanning a QR code. Both sides then compute an HMAC over that seed and the current time step (30 seconds by default) and truncate the result to a short numeric code. Because they share the seed and a clock, at any point in time they agree on the current code without any further communication.
When a user logs in, they enter the code currently shown by their authentication device. The server computes its own value for the current time step (normally allowing one step of clock drift either way), authorizes the connection if the two match, and should refuse to accept the same code a second time. The space of possible codes, combined with the short validity window and rate limiting of failed attempts, makes guessing impractical. Note that a TOTP code is still a secret the user types in, so a phishing page that relays it to the real site in real time can still succeed; only origin-bound factors such as FIDO security keys resist that attack.
The use of two-factor authentication has grown dramatically in recent years. As a result, many major sites, and most sites that store or process sensitive data, have built-in support for multi-factor authentication. In some cases, a site may prompt the user to enable it, presenting a pop-up that guides them through the process. In others, it may be necessary to visit the account or profile settings page to set up 2FA.
The details of setting up 2FA depend on the type used. For SMS or email-based 2FA, the only setup requirement is to provide a phone number or email address to send codes to. For TOTP-based 2FA, the user installs an authenticator app (like Authy or Google Authenticator) and scans the QR code, or enters the seed string, that the site shows during enrollment; a USB security key is instead registered by plugging it in and touching it when the site prompts for it. In either case, save the backup or recovery codes the site offers, since losing the device otherwise means losing access to the account.
Two-factor authentication is not only beneficial for consumers. Enabling 2FA for access to corporate resources helps protect against the impact of compromised user passwords, especially now that remote work is widespread.
Check Point offers easy solutions for deploying 2FA across your organization. This includes support for secure remote access and secure access service edge (SASE) solutions. To see Check Point solutions in action, please request a demonstration.