Gamified Intelligent Cyber Aptitude and Skills Training (GICAST)

3 Two-factor authentication

This section is part of the amber and green pathways.

So, if a password isn’t secure enough, perhaps having two pieces of information is more secure? This is known as two-factor authentication and you’ve almost certainly used it without realising.

When you take money out of an ATM you have to give the bank two pieces of information – the first is the data stored on your bank card, the second is the PIN. Individually, neither can access your account, but when brought together they allow you to withdraw money.

Some banks have given similar two-factor authentication to online banking customers. In this case, accounts need to be unlocked with the combination of a password and a four- or six-digit number generated on a hardware banking card reader (a device that looks like a calculator). If you use online banking and don’t have a card reader device, it is well worth finding out whether your bank offers them to customers, and if it does not, consider switching to a more secure banking service.

This figure shows a user receiving a text message from their bank, containing a security or authorisation code. There is a graphic superimposed on top representing the browser or bank app being used, which displays the message 'Your security code was sent by text message to: [phone number]'. There is then a blank box with the instruction 'Enter security code' where the received code can be typed to confirm the request.
Figure 11 SMS-based 2FA for online banking

More recently, two-factor authentication for online banking is often done via an SMS text message. When you request a withdrawal or transfer, the bank sends a numeric code, termed an ‘authorisation code’, via SMS to your registered phone and asks you to enter that code before it validates the transfer or withdrawal. The code is typically valid for only a short period, usually about three minutes, after which you will need to request another authorisation code online.
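The bank-side half of that SMS exchange is straightforward to write down, and doing so makes the security properties explicit: the code is random, it expires after the roughly three-minute lifetime described above, it can be used once only, and guessing is capped. The following is an added illustration, not code from the course or from any bank; the `send_sms` callable, the request identifiers and the phone number are constructed for the example, and the verifier takes the current time as a parameter so it can be checked offline.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict

CODE_DIGITS = 6
CODE_LIFETIME_SECONDS = 180   # "about three minutes", as the course describes
MAX_ATTEMPTS = 3              # cap on guesses per issued code (assumed policy)


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0


class SmsCodeService:
    """Issues and checks one-time authorisation codes for a pending transfer request.

    Hypothetical bank-side service, written for this example only.
    """

    def __init__(self, send_sms: Callable[[str, str], None]):
        self._send_sms = send_sms          # assumed SMS gateway client: send_sms(phone, text)
        self._pending: Dict[str, PendingCode] = {}   # request_id -> outstanding code

    def issue(self, request_id: str, phone_number: str, now: float) -> None:
        # secrets.randbelow is a CSPRNG; a re-issue replaces any earlier code for this request.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[request_id] = PendingCode(code=code, issued_at=now)
        self._send_sms(phone_number, f"Your authorisation code is {code}")

    def verify(self, request_id: str, candidate: str, now: float) -> bool:
        pending = self._pending.get(request_id)
        if pending is None:
            return False                   # nothing outstanding: customer must request a code
        if now - pending.issued_at > CODE_LIFETIME_SECONDS:
            del self._pending[request_id]  # expired: a fresh code has to be requested online
            return False
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:
            del self._pending[request_id]  # too many guesses: discard the code entirely
            return False
        # Constant-time comparison so timing does not leak how many digits matched.
        if hmac.compare_digest(pending.code.encode(), str(candidate).encode()):
            del self._pending[request_id]  # single use: the same code cannot authorise twice
            return True
        return False
```

The expiry check runs before the attempt counter is touched, so an expired code is discarded rather than counted, and the code is deleted on success so a replayed SMS cannot authorise a second transfer.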

Hardware security tokens

These devices contain a clock and a number generator which creates a new one-time password every minute or so. The bank synchronises the token with a master computer before issuing it to customers, so the token and the master computer generate new passwords in step with one another. When the user is asked to enter the one-time password into their browser, they press a button on the token and enter the four- or six-digit number shown on the screen. The master computer will have generated the same number. The two values are compared, and if they match, the user is allowed into their account.

Two-factor authentication on the web

A number of companies, including Apple, eBay, Google and Microsoft, support two-factor authentication (2FA) to improve security for their web users. Rather than a single password, two-factor authentication requires the user to enter two pieces of information: their password and a changing value which is either sent by the website to their mobile phone (typically via SMS/text, as mentioned earlier) or generated by a companion application on the user’s own computer or phone.
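Both the hardware token described under ‘Hardware security tokens’ and the companion application mentioned here usually implement the same mechanism: a time-based one-time password (TOTP, RFC 6238), which is an HMAC over a counter derived from the clock. The example below is added for this course page and is not code from the course, from any bank or from any of the companies named; it uses HMAC-SHA1 with 30-second steps and six digits, the most common configuration, and the secret shown is the published RFC 6238 test key rather than anything real. The `TotpVerifier` class plays the ‘master computer’: it tolerates a little clock drift between token and server, and it refuses to accept the same code twice.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the counter is the number of whole time steps since the Unix epoch.

    This is what the token (or authenticator app) computes when the button is pressed.
    """
    return hotp(secret, int(at_time) // step, digits)


class TotpVerifier:
    """Server-side check of a code typed from a token; hypothetical, for this example only."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, drift_steps: int = 1):
        self.secret = secret                # shared at enrolment, when the token is synchronised
        self.step = step
        self.digits = digits
        self.drift_steps = drift_steps      # accept this many steps of clock skew either way
        self.last_accepted_counter = -1     # replay guard: each time step can authorise once

    def verify(self, candidate: str, at_time: Optional[float] = None) -> bool:
        now = time.time() if at_time is None else at_time
        counter = int(now) // self.step
        for delta in range(-self.drift_steps, self.drift_steps + 1):
            c = counter + delta
            if c <= self.last_accepted_counter:
                continue                    # that step (or an older one) has already been used
            expected = hotp(self.secret, c, self.digits)
            # Constant-time comparison; both sides encoded so a non-ASCII input cannot raise.
            if hmac.compare_digest(expected.encode(), str(candidate).encode()):
                self.last_accepted_counter = c
                return True
        return False


if __name__ == "__main__":
    demo_secret = b"12345678901234567890"   # RFC 6238 test key, not a real credential
    print("code for the current 30-second step:", totp(demo_secret, time.time()))
```

The drift window is what makes the ‘synchronised before issue’ step survive a token whose clock has wandered by a few seconds; widening it beyond one step makes guessing easier, so a server would normally pair it with an attempt limit like the one in the SMS example.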

Depending on the site, it might be necessary to enter the two values every time (which is inconvenient) or only after a period of inactivity. Alternatively, it may be possible to tell the site that a computer which has already been authenticated should be trusted in future, so that a single password will then be sufficient to use the site (although this introduces a security weakness if that machine should be stolen).

Another place where you might have come across two-factor authentication is if you’ve ever connected to a virtual private network (VPN), which is a type of encrypted network connection. (You will cover VPNs in more detail in Week 5.)

The organisation that owns the network you are connecting to will give you a card or device, often called a VPN token, that can be used to generate a sequence of random characters. When you try to connect to the VPN, you will first be asked for your password (the secret based on something you know) and then will be challenged to provide some information from the VPN token (the secret based on something you have).

