Thursday, July 20, 2017

Best Ways to Ensure Two-Factor Authentication for Better Mobile Security




Are passwords dead? Not entirely—but as the sole means to log in, protect sensitive information, and link important accounts, usernames and passwords alone are no longer enough. Brute force attacks, phishing scams, data breaches, and SQL injection attacks have become so common that usernames and passwords can be easily cracked, captured, and leaked. Pile on top of that the use of weak passwords, the reuse of the same password across multiple accounts, and the use of unsecured Wi-Fi networks, and many people are in jeopardy of getting hacked.

So, how can you protect yourself? And how can the applications we rely on to keep our data protected better safeguard the login process?

Two-factor authentication (2FA, TFA, or multi-factor authentication) has become one of the best ways to ensure the only person logging into your account is you, and it’s an excellent way to thwart brute force attacks and hacks when passwords have been compromised. By requiring a second form of verification, 2FA is the next level of security—and it offers better peace of mind.


Here’s how 2FA works, why it’s a great solution, and some tips for implementing it in your own application or personal life.

What is 2-Factor Authentication?

It’s pretty clear that plain old passwords are an antiquated form of security and not enough when it comes to keeping our communications, accounts, and sensitive data secure. While we use passwords for nearly everything—from banking and social accounts to email—most of us still aren’t using basic best practices for creating strong passwords, or are failing to use unique passwords for each account. It all adds up to increased vulnerability that’s making it easier than ever for hackers to steal our passwords and information.

2FA manages to make this more difficult by adding a second layer of defense. While passwords alone grant access by asking for “something you know,” 2FA requires both this and “something you have” in order to grant access. This means that even if someone has acquired your password, unless they’re you and have your phone or other trusted device in their hand, it will be much more difficult for them to gain access to your accounts.

Two-factor authentication adds a second, often physical, method of verifying your identity, and it’s quickly becoming the gold standard for safer, more secure logins.

Something You Know, Something That You Have, and Something That You Are

2FA is based on providing two of the following three “somethings”: (1) something you know, which is your username and password combination or a PIN; (2) something you have, which can be a bank card, mobile device, smartwatch, or another device you’ve flagged as safe; and, in more advanced scenarios, (3) something you are, which includes biometrics like fingerprints, retina scans, or voice recognition. By requiring a user to verify their identity in two or more of these distinct ways, 2FA effectively extends security beyond the password.

In many cases, a unique, one-time authorization code is sent to a device via SMS, which you then enter to prove your identity. You can also install a native application on your phone that dynamically generates this one-time token, or use a physical device like a key fob or USB drive that is synced with a server so that both sides produce the same sequence of codes.

More About Tokens

Tokens are unique, one-time codes sent to users via SMS or push notification, which means you’ll need access to your phone to receive them. It’s possible for these to be intercepted, but for the most part they’re very secure because you and only you physically have your phone and can receive them. A software token can be generated by an app installed on your phone, like Google Authenticator or Authy. Other times, tokens are sent via email (less secure if your email credentials have already been stolen, and you risk missing the email if it bounces), or by phone call, which is less common and pretty inconvenient for users.

A hacker with your username and password can theoretically get as far as the second step in a 2FA-enabled application, but when that code is sent to your phone, only you will receive it—and their hack (hopefully) ends there.

This scenario is an added benefit of 2FA, because if you receive an access code when you didn’t request one, right away you’ll be tipped off to the fact that someone, somewhere has your username and password and is attempting to log in as you.

Authorization vs. Authentication: What’s the Difference?

Before we go further, let’s quickly touch on the difference between these two easily confused terms. As you’ve read so far, authentication is how an application verifies the identity of the user interacting with it. Authorization is generally dependent on that authentication step, and allows third-party applications to access your information via an authorization server and a one-time “token” that grants access between the two.

For example, when an application allows you to log in and load basic profile information without having to enter a username and password—say, when you log in to your Nike Running Club app using your Facebook account—that’s authorization. It’s the process that allows an application to determine what permissions it has to access a resource, or to perform a specific operation. Frameworks like OAuth 2.0 and OpenID Connect are common protocols for this, and they require TLS-encrypted connections for extra security.
