You have surely seen movies in which the action hero needs to break into a high-security building and must find a way to capture the handprint or retinal scan of an authorized person, then play it back to the scanner to unlock the vault. This month, we will discuss practical multi-factor authentication techniques that are available to the typical technology user.
Multi-factor or two-factor authentication schemes typically require you to provide your username and password as the first two pieces of information used to prove your identity. An additional factor is sometimes required when more security is needed, such as for accessing a bank account. This additional factor is typically based on something about you, like a fingerprint or facial image, or on something you own, like your telephone.
You may want this added security feature to protect your accounts. Sites like Twitter, Google, and Facebook all have support for one or more advanced authentication schemes to protect your accounts.
The most popular scheme today is to have a number sent to your cell phone via text message as you are logging in. You must then enter the four to six digits of the number into a field on the login screen, proving that you are in possession of the cell phone registered with the site. This is better than not having any third factor, but since the technology for sending text messages is not secure, it is possible for someone to capture the number before you get it. In Europe, people have lost thousands of dollars to criminals who intercepted the codes sent for their banking accounts.
One-Time Passwords (OTP)
One-time passwords, or OTP, are a secure solution to this problem. First, you need to install an app on your phone or tablet that generates a new 6-digit number about every thirty seconds. This app is set up with the same secret key as the system you want to access, so both generate the same number at the same time. After you have provided your username and password, you enter the number shown in the app on your phone into the login screen.
Most OTP systems provide a means for secure backup of the key that generates the numbers or a short list of emergency numbers that should be printed and saved securely in case your phone is lost, stolen, or broken. OTP is very safe and very reliable. Two apps to consider are Google Authenticator and Authy. Authy can provide secure backup of the keys and optionally works in place of Google Authenticator.
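To show what the authenticator app and the site are both computing, here is an added example (not code from the original column or from either app) of the time-based OTP algorithm that Google Authenticator and Authy implement: an HMAC-SHA1 over the current 30-second time step, truncated to 6 digits. The shared key used below is the RFC 6238 test key "12345678901234567890", embedded here as a constructed sample.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample key (the RFC 6238 test vector key), shown in raw and base32 form.
SAMPLE_KEY = b"12345678901234567890"
SAMPLE_KEY_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226) for a single counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation: pick 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6):
    """Time-based OTP (RFC 6238): the counter is the number of 30-second steps."""
    if for_time is None:
        for_time = int(time.time())
    return hotp(secret, for_time // step, digits)


def secret_from_base32(text):
    """Authenticator apps display the shared key as base32; pad and decode it."""
    cleaned = text.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def verify_totp(secret, code, now=None, step=30, window=1, digits=6):
    """Server-side check tolerating clock drift of +/- `window` time steps."""
    if now is None:
        now = int(time.time())
    current = now // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, current + delta, digits), code):
            return True
    return False


if __name__ == "__main__":
    print("code for the sample key right now:", totp(SAMPLE_KEY))
```

Because the code depends only on the shared key and the clock, nothing secret travels over the text-message network, which is the weakness of the SMS scheme described above.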
FIDO U2F Keys
The Fast Identity Online (FIDO) Alliance has created a standard for a simple hardware factor called the Universal 2nd Factor, or U2F. This device plugs into the USB port of your computer. When prompted, you simply press the button on the device (it only has one button), and information is exchanged with the service proving the identity of the device. There may be no practical means of recovery if the device is lost or stolen, which is why many services support adding more than one device so that a backup device is available. Purchase U2F keys on Amazon or directly from manufacturers like Yubico, maker of the popular YubiKey. Both the web browser and the web application must support U2F. Currently, support for the keys is limited to Chrome, with Firefox and Windows 10 expected shortly.
A bingo card is also something you have, but rather than being a high-tech device, it is simply a folded sheet of paper with rows and columns of numbers and letters. A bingo card is printed and then folded in a manner that allows easy access to its pages. On each page is a grid of two-digit numbers (or letters) with the rows and columns numbered. The login will provide a random page number, row, and column, and you must respond with the two-digit number found at that location. This usually repeats three times to provide six digits for authentication. Once a number has been used, cross it out in the booklet. When about half the numbers have been used, the user is prompted to print a new booklet. If the bingo card is lost, a new one can be printed, invalidating the old card.
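The site's side of the bingo-card scheme, as an added example that is not from the original column: a verifier holds the same grid that was printed, challenges three unused cells at a time, burns the cells once they are answered so they cannot be replayed, and reports when half the booklet is spent. The 4-page, 5x5 layout and the use of digits only are assumptions made here for illustration.

```python
import secrets
import string


class BingoCard:
    """Verifier-side copy of a printed booklet: pages x rows x cols of two-digit cells."""

    def __init__(self, pages=4, rows=5, cols=5, rng=None):
        self.rng = rng or secrets.SystemRandom()
        # Cells are addressed (page, row, col) starting at 1, as printed on the card.
        self.grid = {
            (p, r, c): "".join(self.rng.choice(string.digits) for _ in range(2))
            for p in range(1, pages + 1)
            for r in range(1, rows + 1)
            for c in range(1, cols + 1)
        }
        self.used = set()

    def challenge(self, rounds=3):
        """Pick `rounds` cells that have not been used; the user answers with their values."""
        unused = [cell for cell in self.grid if cell not in self.used]
        if len(unused) < rounds:
            raise RuntimeError("booklet exhausted; a new card must be printed")
        return self.rng.sample(unused, rounds)

    def expected(self, cells):
        """The six-digit answer for a three-cell challenge (two digits per cell)."""
        return "".join(self.grid[cell] for cell in cells)

    def verify(self, cells, response):
        """Accept only if no challenged cell was used before; on success, cross them out."""
        if any(cell in self.used for cell in cells):
            return False                       # replay of a crossed-out cell
        ok = secrets.compare_digest(self.expected(cells), response)
        if ok:
            self.used.update(cells)
        return ok

    def needs_reprint(self):
        """Prompt for a fresh booklet once about half the cells are spent."""
        return len(self.used) * 2 >= len(self.grid)


if __name__ == "__main__":
    card = BingoCard()
    cells = card.challenge()
    print("login asks for cells", cells, "-> answer", card.expected(cells))
```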
Fingerprint readers have become available on many modern cell phones and laptop computers. To use a fingerprint reader, the device is trained to recognize one or more fingers. The phone or device then remains locked until a fingerprint is matched. These systems can be thwarted using easily made fake fingerprints (as seen on TV and in the movies). Some systems are set up to use fingerprints as a second factor, requiring the fingerprint after the login credentials have been entered.
Apple, Windows, and Android all have some support for using facial recognition to unlock a device or access an account. Facial recognition uses the camera built into the phone to take a photo and analyzes the image, unlocking the device if the face is recognized. On many systems, a photo of the person's face can thwart the system. Apple has tried to make this harder with multiple cameras and specialized hardware. Unfortunately, it only required a little more effort to overcome Apple's system.
If available, you really should use some additional factor beyond username and password to access your most important accounts to keep the accounts as safe as possible.