3 Two-factor authentication
So, if a password isn’t secure enough, perhaps having two pieces of information is more secure? This is known as two-factor authentication and you’ve almost certainly used it without realising.
When you take money out of an ATM you have to give the bank two pieces of information – the first is the data stored on your bank card, the second is the PIN. Individually, neither can access your account, but when brought together they allow you to withdraw money.
Some banks have given similar two-factor authentication to online banking customers – in this case accounts need to be unlocked with the combination of a password and a four- or six-digit number generated on a hardware banking card reader. If you use online banking and don’t have a card reader device it is well worth finding out whether your bank offers them to customers, and if it does not, consider switching to a more secure banking service.
Banking card reader
The banking card reader reads the account details from your bank debit card, which include your account number and a hash of your PIN. It also requires you to enter the PIN to log in, and if the PIN matches the hashed PIN the reader can generate passcodes that are used on the bank’s website to authorise logging in and certain transactions. The banking card reader therefore confirms that you both have the card and know the PIN, without the PIN ever being entered on a web page.
Two-factor authentication on the web
A number of companies, including Apple, eBay, Google and Microsoft, support two-factor authentication (2FA) to improve security for their web users. Rather than a single password, two-factor authentication requires the user to enter two pieces of information – their password and a changing value which is either sent by the website to their mobile phone, or generated by a companion application on the user’s own computer.
Depending on the site, it might be necessary to enter both values every time (which is inconvenient) or only after a period of inactivity; alternatively, it may be possible to tell the site that a computer which has already been authenticated should be trusted in future, so that a single password is sufficient to use the site from that machine (although this creates a security weakness if the machine is stolen).
This method of two-factor authentication works well as protection against random, untargeted attacks. However, if you are being specifically targeted, attackers have found it quite easy to take over your phone number and then intercept the authentication messages. They don’t need to steal the phone to do this: criminals can find the telephone number and date of birth on social media, and then ask for the number to be transferred to a new SIM with a new provider.
One way to greatly reduce this risk is to use a dual-SIM phone with a number on a pay-as-you-go tariff where the balance remains indefinitely – you usually have to make one call every 6 months to keep the SIM working. Only use that number for two-factor authentication, not for anything else, and never publish that number.
Alternatively, use a separate very basic phone, or an old phone with a new pay-as-you-go SIM, purely for authentication. Switch it on only when you need an authentication code. Don’t use the phone for making phone calls. Don’t publish the number anywhere.
If your phone number stops working contact your phone provider immediately to check why. It might have been diverted.
A much more secure method of two-factor authentication is to use a special hardware security key on the computer instead of the phone. Authentication then only succeeds on a computer that has that unique hardware security key connected to it.
Another place where you might have come across two-factor authentication is if you’ve ever connected to a virtual private network (VPN), which is a type of encrypted network connection. (You will cover VPNs in more detail in Week 5.)
The organisation that owns the network you are connecting to will give you a card or device, often called a VPN token, that can be used to generate a sequence of random characters. When you try to connect to the VPN, you will first be asked for your password (the secret based on something you know) and then will be challenged to provide some information from the VPN token (the secret based on something you have).