Enabling Factors of Authentication

With the ongoing onslaught of high profile security breaches, it’s fast become a no-brainer that we should use different passwords for each service we subscribe to, and that they should be long and complex. Unfortunately, not everyone may be able to remember something like ‘ZG9uJ3QgZG8gdGhpcw==’, so many services have implemented Multi Factor Authentication to help better defend users.

Password based authentication has long since remained the most popular way of logging in to common services. It’s something a user knows. Multi-Factor Authentication serves to add various identifying factors to make it harder for attackers to access accounts that aren’t theirs. Other examples of factors we can add include something a user has (cryptographic token, phone) or something a user is (features, such as biometrics).

Two Factors are better than one

Many common services today provide the option of enabling Two Factor Authentication (2FA). This uses either a time-based code generated by an Authenticator app (such as Google Authenticator, or Facebook’s Code Generator), or SMS text messages sent to a mobile device. The two factors in question here are something one knows (password) and something one has (phone).

2FA also can be used to provide a way to find out if an account is currently being targeted, since if the password is entered, some services can send users an SMS code to facilitate login. Without this code, a malicious actor couldn’t enter the system, but the user would be made aware of the login attempt and could proceed to change their password.

How it works

After enabling 2FA, when logging in to services online, users are shown the typical password prompt and an additional step is shown on successful entry. Users are prompted for a short code generated either by a corresponding authenticator app or received via SMS. Some systems which are not web-based, such as mobile apps, may not support 2FA login. For these cases, users can generate application-specific passwords. Browsers can also be remembered to prevent the need for entering a code on every login.

This type of verification is commonplace in the banking industry, and we are already somewhat accustomed to entering a security code generated by a separate device when carrying out transactions. Now, this additional layer of security can be turned on in many more places.

To help reduce the chances of that Twitter account someday sending spam to its followers, that Facebook profile being defaced with questionable content for all to see, and to make those files on Dropbox safer from prying eyes, consider turning on 2FA for the following systems:

Facebook Login Approvals

1) Visit https://www.facebook.com/settings

2) Navigate to the Security tab

3) Enable the Code Generator (and SMS codes if desired)

Image

4) Enable login approvals

Image

The mobile app will now have an option to invoke the Code Generator, as shown below on iOS:

Image             Image

Twitter login verification

1) Navigate to https://twitter.com/settings/security

2) Opt-in to send login verification requests either via SMS or the app

Image

3) Follow the instructions to generate a temporary password for other apps if necessary

4) While we’re here, click the option to “require personal information to reset my password too”

5) If so inclined, uncheck the option to “tailor ads based on information shared by ad partners”

Dropbox two-step verification

1) Visit https://www.dropbox.com/account/security

2) Enable two-step verification

Google 2-step verification

1) Sign in to Google Account at www.google.com

2) Follow the instructions at http://accounts.google.com/SmsAuthConfig

3) Optionally download the Google Authenticator mobile app

Microsoft two-step verification

1) Sign in at https://login.live.com

2) Navigate to https://account.live.com/Proofs/Manage

3) Enable two-step verification

WordPress Two Step Authentication

1) Sign in to WordPress and navigate to https://wordpress.com/settings/security/

2) Enable the option for Two Step Authentication for SMS/Authenticator

Image

Github Two-Factor Authentication

1) Sign in to Github and visit https://github.com/settings/admin

2) Enable the option for Two-Factor Authentication

Image

LinkedIn Two-Step Verification

1) Navigate to https://www.linkedin.com/settings/

2) Select the option to manage security settings

3) Click turn on two-step verification

2FA all the services

A range of other websites also support 2FA, including PayPal, Steam and Amazon Web Services – so this is certainly not an exhaustive list.

Be sure to take note of the backup codes provided by any service for which 2FA is enabled, and store them in a safe place. It is also worth mentioning that the Authenticator mobile app has had problems in the past which resulted in users unable to generate codes, so always keep backups and/or the SMS option available.

For those who are interested in locking down their security further, take note that enabling 2FA in such a way adds access to the device providing the codes as a potential attack vector. Consider turning off SMS message previews during the lock screen in mobile devices, so that the codes aren’t freely displayed to anyone who happens to glance over.

With users’ attitudes beginning to shift in favour of authentication mechanisms that look beyond passwords, one can hope the rate at which accounts are ‘hacked’ can slow down. Above all, the first point of entry remains the password, so keep them strong, complex and dissimilar to dictionary words. If possible, use a passphrase.

Alex Kara

Advertisements

About Alexander Karapetian

Software Engineer & Computer Scientist from Imperial College.
This entry was posted in Uncategorized and tagged , , , , , , , . Bookmark the permalink.

One Response to Enabling Factors of Authentication

  1. Great overview! Many services that utilize TOTP are compatible with a variety of mobile applications, including Duo Security’s “Duo Mobile”.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s