Saturday 27 December 2014

2 Factor Authentication - How It Works and How To Set It Up

2 factor authentication (also referred to as 2 step authentication) is a login process which requires 2 forms of verification from you, making it more secure than a standard password-only system.

The idea is that in order to log in, it requires something you know, plus something you have.  The something you know is usually your password, and the something you have is a physical object, e.g. your mobile phone, your bank card, or a special USB device.  These 2 requirements together make your account more secure because it's very unlikely that they will both be stolen at the same time.  Your password could be stolen online through software (e.g. a virus or a key logger), and your phone or bank card could be stolen from your home or your person, but it would be very difficult for someone to steal both a piece of information and a physical object from you together.

So the something you know, plus a physical object which you have, make the login system very hard to breach.

Hopefully my article on Why You Should Take Your Email Security Seriously will have convinced you to at least set up 2 factor authentication on your email.  But I highly recommend that you enable it on as many of your online accounts as you can.  It's supported by Gmail, Hotmail, Yahoo!, Twitter, Facebook, Apple, Dropbox, PayPal and LinkedIn, plus many more.

How It Works

How the password part of the login works is hopefully fairly obvious, but the fun part is how the website verifies that you are in possession of your special physical object.  Sending someone over to your house to check that you have your object would be somewhat tricky, so an object used for 2 factor authentication needs to generate a code which you can type into the website, allowing the website to know that you are in possession of the device.  Crucially the code must only work once, because if it could be reused then it would just be another piece of information, steal-able in the same way as your password.  So your physical device must be able to generate single-use codes, sometimes referred to as One Time Passwords (OTP).

For mobile phones this is fairly straightforward; after you have entered your username and password into the website, it then sends an SMS text message to your phone containing a single-use code.  You enter the code into the website, thus proving that you are in possession of your phone (or at least the SIM card), and the website then lets you in.  Each new login attempt causes the creation of a new code, and each code usually expires after a short time and, once used, cannot be used again.

For online banking, your bank card is used for the verification.  Each card has a unique chip in it, and this chip provides a function where you pass it a number and it passes a different number back to you.  Every single chip responds in a different way, so if you pass the same number into 2 different bank cards they will give you 2 different results.  Your bank knows the details of the chip in your particular card, so they provide you with the number to enter, and they know the result which your card should respond with.  Using your "card reader" you enter the number they provide into your card and retrieve the result which you submit to the web page.  This allows them to verify that you are in possession of your card.

There are also mobile apps such as Google Authenticator, and USB devices, which provide other methods of physical object verification.  Some services such as Facebook and Twitter have the 2nd factor authentication built into their own mobile apps.  Regardless of the mechanics, the key factor in all of them is that they provide a physical-object-based verification in addition to the knowledge-based verification of your password.

What If I Lose My Device?

In short, if you lose your device, you're screwed, unless you've printed your backup codes.  The whole point of 2 factor authentication is that unless someone is in possession of both your password and your device, they can't access your account.  So if you lose your device then you lose access to your account.  For obvious reasons this could be problematic, so there's a handy solution: backup codes.

All websites which provide a 2 factor login system will give you a set of backup codes which can be used in lieu of the codes generated by your physical device in the event of said device going in the river.  You should print out and keep these codes so that you don't lose access to your account.  Print several copies, keep one in your wallet, one under your floorboards and give a copy to your mum.  But don't store them on your computer.  Remember that these are part of the physical aspect of your authentication, so keep them in physical form, i.e. on paper.

Let me say this again, print your backup codes!

Application-Specific Passwords

On rare occasions, you may find that you need to log in to your 2-factor-enabled account via an interface that doesn't support 2 factor authentication.  For example, suppose you've created a hilarious video of your cat drinking out of the toilet using iMovie on your Mac, and you want to share it to YouTube directly from iMovie.  iMovie requires you to enter your YouTube (Google) username and password in order to do the upload, but iMovie isn't aware of the need for the 2 factor login process.  So what do you do?

Well, first you ask yourself the question "Why am I typing my password for YouTube into something which is not the YouTube website?".  Any time you are typing your password anywhere other than the website or application which it belongs to, you should be suspicious.  But if you decide that you trust the application in question, then you'll need to give it an Application-Specific Password.

An Application-Specific Password is a password which you create solely for use with a particular application (e.g. iMovie).  This password will be automatically generated for you, and can be revoked at any time.  So in the example above, you would go to YouTube/Google and in your account settings ask it to generate an application-specific password for you, which you would label as being for iMovie.  You would then copy/paste this password into iMovie in order to allow it to upload your video.  If at any time you decide that you no longer want iMovie to be able to meddle with your account, you simply go back to your account settings and revoke the password.

Getting Set Up

Hopefully you've now got an idea of what 2 factor authentication is, and how it works.  If you're still not convinced that you need it, then why not take a quick read of my articles about Why You Should Take Your Email Security Seriously and Ways In Which Your Passwords Can Be Stolen.

Each website/company tends to do things slightly differently, so now that you're armed with the information from this article, the best advice is simply to follow each site's own instructions.  Here are some handy links to point you in the right directions.

Google Authenticator: this is a mobile app which can be used to generate single-use codes for a variety of different sites (including Google/Gmail), so it is a great app to have on your phone.  Available for iPhone and Android.

Links to the account settings for common sites are as follows:

Until next time, stay safe.  And remember, you're not safe until you've set up your 2 factor authentication!