What Is Two-Factor Authentication (2FA)?

Illustration of 2FA on laptop and smartphone

When networked systems were first introduced, there was a pressing need to verify a person's identity properly. This led to single-factor authentication, which asked only for the user's password. Managing thousands or millions of passwords is not an easy task, so passwords were kept in a separate password database or manager; this was still not enough, since a lone password remained exposed to phishing and eavesdropping attacks. To address this problem, two-factor authentication, or 2FA, was introduced.

Two-factor authentication, also known as two-step verification or dual-factor authentication, is a method of confirming a person's claimed identity by requiring two authentication factors. The first is the knowledge factor: something only the user knows, for example a password. The second is a possession factor or an inherence factor: something the user has, such as an ID or a security token, or something the user is, such as a biometric fingerprint. After the user provides both factors, the system checks whether that combination matches what is stored in its database; if it does, the user is authenticated and allowed to access the website or system. Three factors have been mentioned so far. Let's take a closer look at each of them.

  • Knowledge factor – something only the user knows, such as the password you create for a banking site or for your email account.
  • Possession factor – something you have in order to access your services, such as a smart card, an identity card, or an email address.
  • Inherence factor – your biometric details, such as the fingerprint you register before entering your office, an iris scan (the diameter and colour of your iris), your signature, or the number of moles on your body. For this reason it is also called the biometric authentication factor.

The possession and inherence factors both establish who the user is. Use of the inherence factor is strongly recommended these days, but this kind of authentication has a weakness: whatever data is stored in a database can be compromised by hackers, who are skilled programmers able to break into databases, extract all the information, and cause damage. To add a further layer of protection and keep hackers out of your account, the concept of a "One-Time Password" (OTP) is used. This kind of authentication is used by Google, Facebook, WhatsApp, Instagram, and many other web services. One benefit of a one-time password is that it never needs to be memorized: it is a randomly generated sequence of digits that is valid only for a limited period, usually a few minutes, and is used to confirm the identity of the user.

How OTP Works

When a website's systems observe a suspicious login from a new device, they first accept the user ID and password. If those details are correct, then for further confirmation an OTP is sent to the registered device or mobile number. The OTP is a passcode (usually six digits) generated at that instant, and once it has been sent the user has only a short time to enter the code received by SMS or email. Let us assume the limit is around 15 minutes: the randomly generated passcode must be entered within those 15 minutes, or the user will not be logged in. Some apps, such as WhatsApp and Instagram, detect the OTP delivered to the device automatically: once the user has typed in the mobile number and the OTP has been sent, the app reads the code from the incoming SMS, enters it by itself, and logs in. Now suppose a hacker has obtained your user name and password and attempts to log in from a device that is not yours. When this happens, several things take place:

  • An OTP is sent to the registered mobile number, which is your number.
  • You receive the OTP, since it is your mobile number.
  • You receive an email telling you that there was a login attempt on your account from another device.
  • Since the hacker does not know the OTP, they are not allowed to log in.

Hence, your account stays safe and secure. OTPs are not used only when you log in to an account from a new device for the first time. In some cases, when you forget your password or user ID, the system first asks you a security question you set up when you created the account; after that it sends you an OTP to confirm your identity, and then a link is sent to your email address so that you can create a new password. Whenever there is any suspicion about an identity, two-factor authentication is the answer.
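The server-side half of the flow described above, written here as an added example rather than code from the original article: an OTP is generated with a cryptographically secure random source, only a keyed hash of it is stored, it expires after the 15-minute window the text uses, it can be used once, and the number of guesses is capped so the six digits cannot simply be enumerated. The class name, the server key, the user IDs and the injectable clock are all constructed for the illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

OTP_DIGITS = 6
OTP_TTL_SECONDS = 15 * 60   # the 15-minute window used in the article
MAX_ATTEMPTS = 5            # stop online guessing of a 6-digit code


@dataclass
class PendingOtp:
    code_hash: bytes     # keyed hash of the code, never the code itself
    expires_at: float
    attempts: int = 0


class OtpService:
    """Hypothetical OTP issuer/verifier (constructed example)."""

    def __init__(self, server_key: bytes, clock: Callable[[], float] = time.time):
        self._key = server_key
        self._clock = clock
        self._pending: Dict[str, PendingOtp] = {}

    def _hash(self, user_id: str, code: str) -> bytes:
        # Binding the user ID into the hash prevents a code issued to one
        # user from verifying against another user's pending entry.
        msg = f"{user_id}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, user_id: str) -> str:
        """Generate a fresh code for the user and return it for delivery."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[user_id] = PendingOtp(
            code_hash=self._hash(user_id, code),
            expires_at=self._clock() + OTP_TTL_SECONDS,
        )
        # Any earlier code for this user is now invalid (it was overwritten).
        return code   # hand to the SMS/email sender; do not log it

    def verify(self, user_id: str, code: str) -> bool:
        """Return True exactly once for the correct, unexpired code."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        if self._clock() > entry.expires_at:
            del self._pending[user_id]
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[user_id]     # too many guesses: force re-issue
            return False
        if hmac.compare_digest(entry.code_hash, self._hash(user_id, code)):
            del self._pending[user_id]     # single use: a replay fails
            return True
        return False


def demo() -> Dict[str, bool]:
    """Walk through the cases from the article with a fake clock."""
    now = [1_000_000.0]
    svc = OtpService(b"constructed-server-key", clock=lambda: now[0])

    code = svc.issue("alice")
    wrong_guess = "000000" if code != "000000" else "000001"
    results = {
        "wrong_code_rejected": not svc.verify("alice", wrong_guess),
        "correct_code_accepted": svc.verify("alice", code),
        "replay_rejected": not svc.verify("alice", code),
    }

    code2 = svc.issue("alice")
    now[0] += OTP_TTL_SECONDS + 60      # 16 minutes pass
    results["expired_code_rejected"] = not svc.verify("alice", code2)

    code3 = svc.issue("alice")
    for _ in range(MAX_ATTEMPTS):
        svc.verify("alice", wrong_guess)
    results["locked_after_max_attempts"] = not svc.verify("alice", code3)
    return results


if __name__ == "__main__":
    print(demo())
```

The attempt counter is what turns a six-digit code into a real second factor: without it, one million guesses inside a 15-minute window is feasible for an automated attacker, whereas five guesses give a 1-in-200,000 chance.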

There are two further factors: the location factor and the time factor.

  • The location factor detects the geographic location of the user attempting to log in, using methods such as GPS.
  • The time factor restricts the period during which the login window is available: the window stays open until a particular time, and once it times out it is no longer available to the user.

These factors are again used to provide additional security.

2FA can also rely on hardware tokens that generate passwords, together with other security mechanisms. One such hardware token is the YubiKey, a small USB device that provides OTP generation, public-key encryption, and authentication.
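Hardware and app tokens of this kind commonly generate time-based codes rather than codes delivered by SMS. As an added example, not code from the article or from the YubiKey vendor, here is the TOTP algorithm of RFC 6238 (HOTP from RFC 4226 keyed by the current 30-second time step) with a server-side verifier that tolerates one step of clock skew and refuses to accept a code twice. The shared secret below is the published RFC 6238 test secret; the verifier class and the second secret are constructed for the illustration.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with HMAC-SHA1."""
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the time step."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Hypothetical server-side TOTP check (constructed example)."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, skew: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.skew = skew            # accept +/- this many steps of clock drift
        self._last_counter = -1     # highest time step already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        counter = unix_time // self.step
        for c in range(counter - self.skew, counter + self.skew + 1):
            if c <= self._last_counter:
                continue            # replay, or older than a code already used
            expected = hotp(self.secret, c, self.digits)
            if hmac.compare_digest(expected, code):
                self._last_counter = c
                return True
        return False


# Published RFC 6238 test secret (ASCII "12345678901234567890"), 8-digit codes.
RFC6238_SECRET = b"12345678901234567890"


def rfc6238_vector_t59() -> str:
    """RFC 6238 Appendix B lists 94287082 for T=59 with SHA-1."""
    return totp(RFC6238_SECRET, 59, digits=8)


if __name__ == "__main__":
    print("RFC 6238 T=59 ->", rfc6238_vector_t59())
    demo_secret = b"constructed-shared-secret"    # would come from enrolment
    v = TotpVerifier(demo_secret)
    now = int(time.time())
    code = totp(demo_secret, now)
    print("first use:", v.verify(code, now), " replay:", v.verify(code, now))
```

The `_last_counter` check is what makes a captured code useless after it has been used once, even inside the skew window; in a real deployment that value is persisted per user alongside the secret.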