When Passwords Aren't Enough

Written by RFM, 3 years ago

Passwords have some inherent flaws that, while tolerable years ago, are now exploitable by web-based attackers. That's why it's important to secure your accounts with two-factor authentication, also known as 2FA.

While all forms of 2FA are safer than only using a password, some do a better job of safeguarding your credentials than others.

OTPs

Due to their simplicity, OTPs are by far the most common form of 2FA. The most popular type of OTP is a one-time-use password, sent by SMS or email or generated by a mobile application, that you must enter in addition to your regular password.

The disadvantage of OTPs is that they are still only passwords and therefore share the same flaws as regular passwords: if an intruder obtains one of these codes, even for a short time, your account may be compromised. Despite this risk, you should still use SMS-based 2FA when it is available; according to Google, SMS-based 2FA helped block 96 percent of phishing attacks in 2019.

Push-based 2FA

Push-based two-factor authentication is less common than OTPs but more reliable, since no password is involved. In a push-based flow, the website you are logging in to sends a push notification to your phone asking you to approve the login. This approach is often used for enterprise authentication and can be provided by Security as a Service (SaaS) vendors such as Duo or Okta.

The most serious security issue with push-based 2FA is accepting a fraudulent push: an attacker who has already stolen your password triggers a login, and you approve the resulting notification by mistake.

Hardware Security Token

A Universal 2nd Factor (U2F) hardware token is the best way to implement 2FA. A website that supports this kind of hardware token requests U2F authentication; the token is connected to your device through USB, Bluetooth, or sometimes Near Field Communication (NFC), and the site's request is cryptographically signed by the token.

Most importantly, no passwords are used in this process.

Using a hardware key adds an extra layer of protection because you must physically interact with the token, pressing it or tapping it against your laptop or mobile device. And because the token signs the site's own request directly, there is little to no risk of approving the wrong request.

WebAuthn

OTPs, push-based 2FA, and hardware tokens all share the same flaw: each of them only masks the root problem, which is the password itself.

WebAuthn is a stand-alone authentication method that eliminates the need for passwords, with the ultimate goal of replacing multi-factor authentication with a secure, cryptographic single-factor authentication. Simply put, WebAuthn is a browser application programming interface that lets you register credentials with a website and later prove that you own them.

Many devices that can verify your identity biometrically or with a PIN can also handle WebAuthn requests. Because the same hardware used for local authentication can be extended to WebAuthn, laptops that support Windows Hello, several Android phones, and the most recently launched iOS devices are all capable of using it.


Comments

I always use Google Authenticator if it is available, just to be safe in case of a hack on my account.

3 years ago