TMI About 2FA

Two-factor authentication, or 2FA/TFA for the syllabically challenged like me, is a system of authenticating twice before being granted access to something. For example, if you have to type in both a password and a temporary code received in a text message in order to sign into your bank, then you are already using 2FA. Congratulations in that case, by the way.

The use of 2FA is required for many job roles, such as people who manage systems subject to regulatory compliance, but it can also be used for many personal accounts. If you aren’t already using 2FA for critical accounts, turning it on now makes good sense considering the amount of personal information exposed in the Equifax breach. Of course, some versions of 2FA are better than others, so it is a good idea to know the basics before diving in.

At a high level, authentication means proving your identity in one of three ways: by revealing something you know, such as a password; by presenting something you are, such as a fingerprint or retina scan; or by demonstrating possession of something you have, such as a phone or RSA key fob.

Properly implemented two-factor authentication uses one method from each of two different categories. Giving two passwords doesn’t count as two-factor authentication since that is two instances from the “something you know” category. The combination of a password and a temporary code received over SMS counts as 2FA because the password is something you know and entering the SMS code proves that you have possession of your phone. (For certain values of “proves,” anyway. More on that later.)
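To make the "password plus temporary code" pattern concrete, here is a small server-side sketch of that flow. It is an added example and not code from the original post or from Cylance; the class and function names (`TwoFactorLogin`, `start_login`, `finish_login`) are my own, and the SMS gateway is replaced by an in-memory list so the block runs offline. The first factor (something you know) is a salted PBKDF2 password check; the second factor (something you have) is a six-digit code that is random, short-lived, single-use and limited to a handful of guesses, which is what keeps a guessed or replayed code from quietly turning the second factor back into nothing.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

CODE_TTL_SECONDS = 300      # a temporary code is only good for five minutes
MAX_CODE_ATTEMPTS = 5       # after this many wrong codes the login must restart
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 for the 'something you know' factor."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class PendingCode:
    code: str
    expires_at: float
    attempts: int = 0


@dataclass
class User:
    salt: bytes
    password_hash: bytes
    pending: Optional[PendingCode] = None


class TwoFactorLogin:
    """Hypothetical two-step login: password first, then a one-time code."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.users: Dict[str, User] = {}
        self.now = now                      # injectable clock so expiry can be tested
        self.sent: List[Tuple[str, str]] = []   # constructed stand-in for the SMS gateway

    def register(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.users[username] = User(salt, digest)

    def check_password(self, username: str, password: str) -> bool:
        user = self.users.get(username)
        if user is None:
            # Do the same work for unknown users so timing does not reveal who exists.
            hash_password(password, b"\x00" * 16)
            return False
        _, digest = hash_password(password, user.salt)
        return hmac.compare_digest(digest, user.password_hash)

    def start_login(self, username: str, password: str) -> bool:
        """First factor. On success, issue a fresh code and 'send' it to the phone."""
        if not self.check_password(username, password):
            return False
        code = f"{secrets.randbelow(10**6):06d}"   # uniform six-digit code, not time-derived
        self.users[username].pending = PendingCode(code, self.now() + CODE_TTL_SECONDS)
        self.sent.append((username, code))
        return True

    def finish_login(self, username: str, code: str) -> bool:
        """Second factor. Rejects expired, over-tried or already-used codes."""
        user = self.users.get(username)
        if user is None or user.pending is None:
            return False
        pending = user.pending
        if self.now() > pending.expires_at:
            user.pending = None
            return False
        pending.attempts += 1
        if pending.attempts > MAX_CODE_ATTEMPTS:
            user.pending = None             # too many guesses: force a new password step
            return False
        ok = hmac.compare_digest(pending.code, code)
        if ok:
            user.pending = None             # single use: the same code cannot be replayed
        return ok


if __name__ == "__main__":
    svc = TwoFactorLogin()
    svc.register("alice", "correct horse battery staple")
    print("password ok:", svc.start_login("alice", "correct horse battery staple"))
    _, delivered = svc.sent[-1]             # in real life this arrives on the phone
    print("code ok:", svc.finish_login("alice", delivered))
    print("replay rejected:", not svc.finish_login("alice", delivered))
```

Two design points worth noticing: the code is compared with `hmac.compare_digest` rather than `==`, and the code is cleared both after a successful use and after the attempt budget is exhausted, so the only way to get a fresh code is to pass the first factor again.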

That’s not much of an architecture description, but it is surprisingly useful as a yardstick against which to measure various 2FA implementations. It’s a matter of asking (Read more...)

This is a Security Bloggers Network syndicated blog post authored by T.Rob Wyatt. Read the original post at: Cylance Blog