Multi- and two-factor authentication explained. Top security features for data protection.
In our previous article, we introduced advanced password management, with useful information and tips on the subject.
This time we'll talk about two- and multi-factor authentication, which makes it far harder for hackers to take over your accounts and the data they contain.
What are 2FA and MFA, and is there any difference between them?
Multi-factor authentication means that you must complete several independent authentication steps to confirm a login attempt.
The factors used in multi-factor authentication come from three categories of evidence:
- something you know (e.g. password, PIN);
- something you possess (e.g. your phone or security key);
- something you are (e.g. your biometric data).
Two-factor authentication uses exactly two of the factors listed above.
The main 2FA methods are SMS messages, one-time codes generated by dedicated mobile apps, confirmation through push notifications, and physical security keys.
SMS
The oldest method described in this article is the SMS message, and it is also the least reliable: it depends on the SS7 telephony signalling protocol, developed back in the 1970s and still used in mobile networks, whose weaknesses allow messages to be intercepted. With the help of social engineering, attackers can also have your phone number transferred to their own SIM card.
If you have the opportunity to choose the 2FA method, we recommend that you pay attention to one of the following:
Time-based one-time passwords (TOTP)
TOTP is widely supported by sites and services. The algorithm is standardised, so all of your TOTP tokens from various services can be stored in one application. For example, you can try our free AccessSecurium™ for Android and iOS.
An extra safety bonus is an app that hides the codes and shows them only when you tap on them. You should also add a security layer by requiring a PIN, fingerprint, or Face ID to open the app.
Most authenticator applications store their data locally on your phone. Therefore, if you lose your phone or remove the application, you risk losing all your tokens, and if you don't have an additional 2FA method configured for a website or service, restoring access to it can be difficult. If the application has a backup function, we recommend that you make a copy of your token database and store it on a flash drive in a safe.
Some applications store tokens in the cloud, which is intended to protect against their loss and to make transfer to a new device convenient.
(Services of our secure corporate platform for communication and collaboration SWISS SECURIUM® are protected with TOTP)
Push notifications
Google introduced push verification technology in 2016, which was later picked up by Apple and Microsoft.
Using push prompts, users can conveniently verify a login with a trusted device, although it takes about the same time as entering a one-time password. The main convenience is that the user simply unlocks the phone (which is itself one of the authentication factors) and confirms or rejects the login attempt in the pop-up notification.
If the notification shows, for example, the place or device from which the login attempt is made, this can help you recognise phishing: if the place and device are unfamiliar, and you are sure that it is not one of your colleagues or acquaintances, simply tapping "No" blocks the unauthorised access attempt on your corporate or personal account.
However, this is not a 100% guarantee of phishing protection, since you may tap "Yes" automatically without noticing the unfamiliar place or device in the notification. Another drawback is that each vendor offers its own push verification service, and not for every one of its products; this approach has not yet been unified.
Security keys
The most common standard for security keys (also called hardware tokens) is U2F: Universal 2nd Factor. Most often such keys are used via USB, so they are convenient for PC and laptop users. But the U2F project keeps developing, and keys can now also be used with Android and iOS devices.
The security key is easy to use: you connect it to the device on which you log in, press the button on the key (some devices instead ask for a PIN or a fingerprint), and the key registers the website and creates a cryptographic key pair specific to that website and account.
Because the key remembers the website you registered it with and only answers for that site, it gives more reliable protection against phishing than any of the other methods described here.
(Using security keys for access is an on-demand option for our SWISS SECURIUM® platform)
Backup codes
As a rule, when you turn on 2FA on a website, you will be asked to save additional one-time codes, usually offered for printing. Do not skip this step. Print the codes and store them in a safe place: if you lose the security key, remove the authentication application or lose the phone, these codes will let you get back into your account. Such a code can also be taken on a trip and used for a secure one-time login.
Here's a list of services and websites that use various types of 2FA. There you will find links to instructions for enabling 2FA on them; in just a couple of steps you will significantly increase the security of your accounts and reduce the risk of unauthorised access to them.
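An added example (not part of the original article, and not the implementation of any platform it mentions) of the service-side half of backup codes: the codes are generated from a high-entropy alphabet, only slow hashes of them are stored, and each code is accepted exactly once. The class and function names, the code format and the PBKDF2 round count are this example's own assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Alphabet without easily confused characters (0/O, 1/I/L): the codes are printed and typed by hand.
ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"
PBKDF2_ROUNDS = 50_000          # assumed work factor; tune to your hardware


def generate_backup_codes(count: int = 10, length: int = 10) -> list[str]:
    """Return `count` random codes like 'K7QF2-M9XWT' (31^10, about 49 bits of entropy each)."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        codes.append(f"{raw[:length // 2]}-{raw[length // 2:]}")
    return codes


def _normalise(code: str) -> str:
    """Users type dashes, spaces and lower case; accept all of them."""
    return code.replace("-", "").replace(" ", "").upper()


def _hash_code(code: str, salt: bytes) -> bytes:
    # Slow, salted hash: a stolen database gives an attacker a brute-force job, not the codes.
    return hashlib.pbkdf2_hmac("sha256", _normalise(code).encode(), salt, PBKDF2_ROUNDS)


@dataclass
class StoredBackupCode:
    salt: bytes
    digest: bytes
    used: bool = False


@dataclass
class BackupCodeStore:
    """What the service keeps per account: hashes only, plus a 'used' flag per code."""
    entries: list[StoredBackupCode] = field(default_factory=list)

    def issue(self, count: int = 10) -> list[str]:
        """Generate a fresh set, keep only hashes, and return the plaintext codes once for printing."""
        codes = generate_backup_codes(count)
        self.entries = []                     # issuing a new set invalidates the old one
        for code in codes:
            salt = secrets.token_bytes(16)
            self.entries.append(StoredBackupCode(salt, _hash_code(code, salt)))
        return codes

    def redeem(self, submitted: str) -> bool:
        """Accept a code exactly once. Every unused entry is checked (no early exit) and the
        digests are compared in constant time, so timing does not reveal which entry matched."""
        matched = None
        for entry in self.entries:
            if entry.used:
                continue
            if hmac.compare_digest(_hash_code(submitted, entry.salt), entry.digest):
                matched = entry
        if matched is None:
            return False
        matched.used = True                   # the one-time property lives here
        return True

    def remaining(self) -> int:
        """How many codes the user still has; warn them when this gets low."""
        return sum(1 for e in self.entries if not e.used)


if __name__ == "__main__":
    store = BackupCodeStore()
    printed = store.issue(10)                 # show these to the user once, then forget them
    print("codes to print:", printed)
    print("first use accepted:", store.redeem(printed[0]))
    print("second use accepted:", store.redeem(printed[0]))
    print("codes left:", store.remaining())
```

Because each redemption hashes the submitted code against every unused entry, the cost grows with the number of codes per account; ten codes at the chosen work factor is a fraction of a second, which is acceptable for something used only when the primary factor is lost.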
What additional security features do providers offer to protect their services?
VPN
Access to services through a virtual private network significantly reduces the risk of unauthorised access: effectively, only trusted users for whom access has been configured can log into and use services hosted on the virtual network.
(The services of our SWISS SECURIUM® platform can also be configured to only allow access through VPN).
Data encryption
Encrypting data at rest and transferring it only through secure channels is a must-have for anyone concerned about their cybersecurity. The best option is end-to-end encryption, where only the sender and the recipient, and no one else, can read the transmitted information.
But end-to-end encryption does not by itself verify your interlocutor (the authenticity of his or her identity). Some applications (for example, our SwissSecurium™ messenger) offer a way to verify the other party: comparing device fingerprints (a sequence of characters unique to your device, checked in person), or using a secret question that you and your interlocutor agreed on in a confidential setting.
Zero Knowledge
This approach to data storage means that no one except you holds the keys to your data, not even the provider where you store your files. Even if law enforcement requires the provider to hand over your data, or a leak occurs as a result of a hacker attack, nothing is disclosed, because everything is encrypted and only you hold the keys. But you must also bear the responsibility this brings: if you lose the keys, no one will be able to restore access to your data.
In conclusion, we want to say that the security and privacy of your data is a vast and complex task that shouldn’t be neglected. But with ALPEIN Software, you have a reliable and experienced business partner in the field of cybersecurity.