Securing web accounts using 2-factor authentication


In this post I will discuss 2-factor authentication and how it helps guard your account against unwanted access. It is extremely beneficial if your account holds sensitive data.

The whole idea of 2-Factor Authentication is that you should know something (a password) and you should have something (your phone or a USB key) to get access to your account. It is an additional layer of security. It's like your bank account: you need to have your debit card and you need to know your PIN to withdraw cash. All Google employees use a USB key along with their passwords to verify their identity. It is much harder for an unethical hacker to get access to both your password and your phone or USB key. He would need physical access to you to get your key, which is much less likely. Check out YubiKey (YubiKey 4 and YubiKey 4 Nano | U2F, OTP, PIV | Yubico) for more details on USB keys.

It should be noted that 2-Factor Authentication is very important for admin accounts (if you are a developer). It does create a little inconvenience, but I think it's worth the effort. You can install the Google Authenticator application on your phone (Google Authenticator - Android Apps on Google Play) and enable 2-factor authentication on your account.

How does it work?

Google Authenticator uses something called TOTP, or Time-Based One-Time Password. It is basically an algorithm that takes 2 inputs: a timestamp and a secret key shared between your device and the Gmail server. The output is a 6-digit code which changes every 30 secs (or 1 min) as the timestamp changes. When you want to log in you type in your password and after that you type in the 6-digit PIN generated by the app. The Google server generates the same PIN because it also has both inputs. If the PIN matches, your identity is verified. Basically, the Google servers come to know that you have the phone with you.

The shared key is secret. It's like a random number which only your phone and the Google server know. This shared key is generated and shared when you set up your Google account with 2-factor authentication. Needless to say, it's a one-way function: given a 6-digit PIN and the timestamp when it was generated, it is computationally expensive (or let's just say impossible) to recover the shared key. This ensures that no one except your phone can generate that PIN. You cannot access the shared key yourself, of course. Only the phone knows the key, and it will only tell you the PIN.

SMS Based Authentication

This is another popular method of implementing 2-Factor Authentication. You can opt to receive a text message on your phone number whenever you try to log in. So after you enter your password, Google will send a random 6-digit PIN to your phone via SMS (you can also opt to receive an automated phone call). The PIN is randomly generated. You just have to type in that PIN, and this confirms that you are indeed currently in possession of your phone.

Where does it work?

You can use the Google Authenticator application to enable 2-factor authentication on a variety of websites: Facebook, Gmail, GitHub, DigitalOcean, Heroku, Amazon Web Services, Dropbox and tons of other accounts. Find the full list here: Google Authenticator.

Some websites / apps like Gmail allow you to configure both: you can use SMS-based authentication or Google Authenticator to verify your identity whenever you log in. Some (like DigitalOcean and GitHub) only allow the Google Authenticator app. Some, like LinkedIn, allow only SMS-based authentication. More and more web apps have started using some form of 2-factor authentication. However, it is still optional on all the websites I have used it with, and it is disabled by default unless you switch it on yourself.

Any Drawbacks?

It would be unfair if I only discussed the advantages without discussing any disadvantages of such authentication. Here are a few major disadvantages.

  1. Firstly, it's time consuming. SMS-based authentication often takes up to 60-70 secs. The Authenticator app is relatively faster, but you still have to take out your phone and look up the PIN. This is somewhat user-unfriendly and users may get frustrated, but it is a price you have to pay for your account's security.
  2. It doesn't protect you against some other forms of attack, like cookie stealing or man-in-the-middle attacks. Those are other forms of attack (if you don't already know what that means).
  3. You often don't have access to your phone. Or your phone may be dead. Or you may be in an area with no network coverage. If you are a student like me, you may not be allowed to carry your phone to labs, where you often have to use your accounts.

Any Remedies?

Don't be disheartened by the drawbacks. There are a few things you can do on top of that:

  1. Always configure both the Authenticator app and SMS-based authentication wherever possible.
  2. Google actually provides a mechanism of backup codes. They generate 10 one-time-use codes, which may be used any time instead of the 6-digit PIN in case you do not have access to your phone or are unable to receive SMS at the moment. This is like a fallback strategy. Not many providers have such a fallback strategy. I keep 2 backup codes with me at all times, in my wallet, written on a currency note in a fashion that no one will be able to guess what it is! I am changing the way I store my backup codes after this post (:P. Don't try social engineering on me).
  3. Remember your trusted desktops / laptops / phones. You can choose not to be asked for 2-factor authentication when you are trying to log in from a known machine like your personal laptop, if you are sure that no one except you usually has access to those machines. These machines are typically password protected themselves in case they get lost. And you can remotely configure your account to forget all the known machines (after which it will ask for authentication even on known systems). This is again only provided by a few providers like Gmail. They use cookies to determine known systems.
  4. Reset your password if your phone gets lost.
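Item 2 above describes one-time backup codes as a fallback. As an added illustration of how a service can implement that fallback (this is my own sketch for the post, not Google's implementation, and the `BackupCodeStore` class and its method names are hypothetical), the example below issues 10 random codes, stores only a keyed hash of each under a per-user salt so a database leak does not expose the codes themselves, and lets each code be redeemed exactly once. The codes are drawn from an alphabet without look-alike characters, since the point of backup codes is that they get written down and typed back in by hand.

```python
import hashlib
import hmac
import secrets

# 31-symbol alphabet with no 0/o, 1/l/i confusion; 8 symbols give about
# 40 bits of entropy per code, which is plenty for a code that is only
# accepted after the password and is consumed on first use.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
CODE_LENGTH = 8
CODE_COUNT = 10


def generate_backup_codes(count: int = CODE_COUNT,
                          length: int = CODE_LENGTH) -> list[str]:
    """Generate `count` codes from a CSPRNG; the plaintext is shown to the
    user once and never stored."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(length))
            for _ in range(count)]


def _normalise(code: str) -> str:
    # Users may type uppercase or add dashes/spaces when copying from paper.
    return code.lower().replace("-", "").replace(" ", "")


def _digest(user_salt: bytes, code: str) -> bytes:
    """Keyed SHA-256 of the normalised code. A fast hash is acceptable here
    because the input is a 40-bit random string, not a human-chosen password;
    the per-user salt stops a leaked table from being attacked in bulk."""
    return hmac.new(user_salt, _normalise(code).encode(), hashlib.sha256).digest()


class BackupCodeStore:
    """Server-side record of the unused backup codes for one account."""

    def __init__(self) -> None:
        self._salt = secrets.token_bytes(16)
        self._unused: set[bytes] = set()

    def issue(self) -> list[str]:
        """Replace any existing codes with a fresh set and return the
        plaintext codes for one-time display to the user."""
        codes = generate_backup_codes()
        self._unused = {_digest(self._salt, c) for c in codes}
        return codes

    def redeem(self, code: str) -> bool:
        """Consume a code: returns True once for a valid unused code and
        False for unknown or already-used codes. Each stored digest is
        compared in constant time."""
        candidate = _digest(self._salt, code)
        for stored in self._unused:
            if hmac.compare_digest(stored, candidate):
                self._unused.discard(stored)
                return True
        return False

    def remaining(self) -> int:
        return len(self._unused)


if __name__ == "__main__":
    store = BackupCodeStore()
    issued = store.issue()
    print("show these once to the user:", issued)
    print("first use accepted:", store.redeem(issued[0].upper()))
    print("second use accepted:", store.redeem(issued[0]))
    print("codes left:", store.remaining())
```

A real deployment would also rate-limit redemption attempts per account and notify the user when a backup code is used, since a burst of failed backup-code attempts is a useful signal that someone other than the owner is trying the fallback path.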

So I guess by now you have a brief idea about 2-factor authentication. Mechanisms like YubiKey have the added advantage that since you always carry it with you, you are more likely to have access to it than to your phone. I can carry those USB keys to my lab but not my phone. Plus they do not require power, so they can never be dead, unlike a phone. Also they are much simpler: one just has to touch it. It is easier and faster than the Authenticator app or SMS-based authentication, where you have to read a random number from the phone and type it out. But then YubiKeys come at a cost and the other two methods are free. Also the use of YubiKeys is still not very popular. It's unavailable in India at a reasonable price. I have to pay $20 for shipping from the US and $5 for the key.

Read this on Quora: Securing web accounts with 2-factor authentication, or on my personal page (https://www.ashishkedia.me/blog/two_factor_authentication)
