Think of two-factor authentication as being similar to locking a door and then locking the deadbolt for extra protection. Using a deadbolt along with a door lock provides more safety.

Many people do not realise that they already use two-factor authentication on a regular basis. When making a purchase with a debit card, the first factor is physically having the card to swipe in a card reader. The second factor is having to enter a PIN. If the card is lost or stolen, it is much harder to use without the PIN.

Another example of two-factor authentication is being asked to show identification when paying with a credit card. The identification is the second factor needed, along with the physical card, before the cost of the transaction can be charged to the credit card account.

What is 2 factor authentication for online systems?

Two-factor (2 factor) authentication for online systems uses a two-step process. It requires the user to complete two challenges in order to gain authorised access to a secured system. It has the advantage that all the information is encrypted and cannot be read by others without the proper encryption key.

The challenges are based on one of these categories:

  1. Knowledge: Something you know that is private, such as a user name and a password.
  2. Possessions: Something you have with you, such as a smartphone.
  3. Characteristics: Something physical about you, such as your distinct fingerprints.

Is more authentication always better?

2FA is a subset of multi-factor authentication (MFA). The difference is that MFA can involve more than two challenges. At first, MFA may sound appealing to those who provide business IT security, and MFA can be much more secure than 2FA. The difficulty is getting authorised users to comply with the extra protocols.

Google engineers reported in January 2018 that fewer than 10% of Gmail account holders use 2FA. Using 2FA for Gmail is voluntary unless an employer requires it for work-related Gmail use. The low level of 2FA adoption shows that users do not feel they have a compelling reason to use 2FA for personal Gmail accounts. Keep that in mind if you plan to enforce 2FA use for Gmail in your organisation.

An authentication system that presents too many challenges can frustrate authorised users. This may drive them to workarounds, which introduce vulnerabilities. A familiar example is an employee who attaches a note with a complex password to the computer screen. Forcing employees to use complex passwords can have the unintended result of a major risk: those same complex passwords posted in plain view next to the computer they use to sign in.

With such poor password protection, anyone who gains access to the physical space can also gain access to the computer network, because the password is posted on the machine in plain sight.

Authy, the 2FA system created by Twilio, is an authenticator app that helps avoid this user-compliance problem. The Authy app makes setting up 2FA for many systems extremely easy, which is part of the reason that 2FA usage is expanding rapidly. Software downloads for Authy increased 618% from 2015 to 2017. The trend is for this user base to double and triple until almost everyone uses a 2FA system.

2FA strikes a good balance: it provides more security without the hassle of requiring the user to complete three or more challenges every time he or she signs in. Business IT security now relies on 2FA as the gold standard for improving secure network access.

Typically, the best practice for the first factor in 2FA is to use complex passwords that are securely maintained. They are stored encrypted in password manager software such as LastPass or 1Password, which is protected by a master password. When needed, after the proper 2FA procedures are completed, the passwords are transmitted using end-to-end encryption. This encryption helps avoid any risk exposure while the password information crosses the network from the Authy cloud servers to a device or to another server for an online system.

For step two, the system sends a response challenge to a smartphone that is registered to the user. This gives the user a temporary, single-use unlock code (called a token) that automatically expires after a short period of time. The Authy system does not depend on the cell phone network: the Authy app makes secured connections to the Authy cloud servers over the Internet, so it works even without a cell phone signal as long as the device has an Internet connection.

Authy works better than receiving a text message over SMS, because SMS text messages can be intercepted. The Authy system sends an encrypted authentication code every 30 seconds to a connected and authorised device. The user simply takes the most recent, still-active token code and never has to wait for a token to be transmitted, which makes Authy work almost instantaneously.

For a hacker to gain access to the personal data, they need both the correct passwords and to pass the token test by responding with the correct code. The extra protection of this 2FA system is that a lost or stolen phone can be deactivated instantly if needed.
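The 30-second token rotation and the server-side token test described above, as an added example that is not Authy's or Twilio's code: it assumes that Authy's Google-Authenticator-compatible tokens follow the standard TOTP algorithm (RFC 6238 built on RFC 4226 HOTP) and uses the RFC's published test seed as a constructed sample secret. The verifier accepts the current 30-second window plus one window either side to tolerate clock drift, and refuses a code whose window has already been redeemed.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample: the RFC 6238 test seed ("12345678901234567890" as ASCII),
# base32-encoded the way a secret appears in an otpauth:// QR code.
SAMPLE_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

STEP_SECONDS = 30  # tokens rotate every 30 seconds, as described above
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of 30-second windows since the epoch."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    return hotp(base64.b32decode(padded), unix_time // step)


class TotpVerifier:
    """Server side of the token test: tolerate small clock drift, reject replayed codes."""

    def __init__(self, secret_b32: str, tolerance: int = 1):
        self.secret_b32 = secret_b32
        self.tolerance = tolerance          # windows accepted either side of "now"
        self.last_accepted_counter = -1     # newest window already redeemed

    def verify(self, submitted: str, unix_time: int) -> bool:
        counter_now = unix_time // STEP_SECONDS
        for delta in range(-self.tolerance, self.tolerance + 1):
            counter = counter_now + delta
            if counter <= self.last_accepted_counter:
                continue  # a code from this window was already used: treat as replay
            expected = totp(self.secret_b32, counter * STEP_SECONDS)
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_counter = counter
                return True
        return False
```

The first-window code is accepted once and refused on a second submission, which is what stops a captured code from being reused within its 30-second lifetime.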

Besides securing login access, 2FA can be used for other types of critical transaction processing after the user is logged in. Authentication can be performed automatically for pre-registered, synchronised devices to make repetitive authentication easier.

Where can you use Authy?

Authy is compatible with all online systems that use Google Authenticator; however, Authy is better and has more features. With Google Authenticator, getting a new phone means starting over and setting everything up again, which is a big hassle.

With the Authy app, you can synchronise devices and back up authentication codes to the Authy cloud server. You can also back up the codes to other devices, encrypted with a password you choose. These authentication codes serve as recovery files and are available when you get a new phone. They can be used on a computer, a laptop, or a tablet in addition to your smartphone, so that those devices can also generate tokens.

How much does Authy cost?

The Authy app is free for users. Software and web developers who use Authy for security have two payment options: 1) a cost per successful authentication, or 2) a discounted monthly subscription for bulk usage.

What are the advantages of Authy?

Here are some of the Authy app’s key benefits:

  • Authy is free for users, low-cost for providers, and simple to set up.
  • Data is automatically backed up to the Authy cloud servers when the backup feature is turned on.
  • Authy recommends using two or more synchronised devices for the best protection.
  • If a phone is lost or stolen, it can be disabled immediately by opening the app on another synchronised device and removing the device under the settings section.
  • Recovery data can be used on a replacement phone to get back to normal quickly.
  • Changing the phone number for a new phone is easy using the account recovery features.
  • The Authy system sends an automatic alert when an unauthorised user attempts to hack your account using SMS messages.
  • Token codes are sent over secure Internet connections.
  • Tokens do not need the SMS text system of the cell phone carriers.
  • Accounts with high risk and significant value, such as cryptocurrencies like Bitcoin, require a 24-hour delay with email confirmation for transactions, for added protection.
  • Multiple devices can be synchronised together.
  • Any synchronised device can be used for recovery.

How to Set Up 2 Factor Authentication Using Authy

Here are the seven steps for setting up the 2 factor authentication process with the Authy system for Gmail, Microsoft, Facebook, Slack, Twitch, and many other popular systems.

Step One

Download the Authy software for your device from:

Step Two

Install the Authy app on your device. Register for the service by entering your mobile phone number and your email address. A PIN is sent to you. Confirm the PIN to prove you can access the phone.

Step Three

Open the Authy software if it is not already open. Go to any online service you wish to use that allows two-factor authentication, and visit its 2FA set-up web page. Locate the QR code. Hold your phone in the correct position to capture the image of the QR code with the phone’s camera. Tap the “add” button at the bottom of the Authy screen to scan the QR code, or enter the QR code’s number manually. The online system is now added to the Authy app. Repeat this process for every website and online service where you want to use 2FA to sign on.

Here is a list of links to the Authy 2FA guides with the detailed set up instructions for many of the popular websites. The guides have screen captures showing exactly how to get Authy to work with these systems:

Step Four

When you need a token code to sign on to one of the registered systems, open the Authy app. Then simply tap the account icon for the system you need a token for. Type the code on the sign-in page of the online service you want to log in to, or copy and paste the token code.

Step Five

Secure your phone from unauthorised access so that no one else can get at your private token codes or private information after you have signed in to an online system. Do this by enabling the smartphone’s protection PIN. On an iPhone, you can also use Touch ID, which uses your fingerprint. These methods lock your phone when it is not in use.

Step Six

Enable automatic backups that are encrypted with a password you choose. These backups are stored securely on the Authy cloud servers. The backed-up codes are useful if you move to a new phone or your phone is lost or stolen.

To turn on backups, go to the Authy settings and make sure the Authenticator Backups feature is enabled. If you do not do this and you lose your phone, you have to start over from the beginning to set up a new Authy account. The Google Authenticator app does not have a backup feature.

Step Seven

Synchronise all your devices by installing the Authy app on each of them. There is a Chrome browser extension that is useful if you use that browser, and there are versions for macOS and Windows computers, tablets, and laptops. All the software versions can be downloaded from the links on the Authy website.

To add devices for synchronisation, go to the settings in the Authy software. Under the devices section, enable the multi-device switch. Then sign on to your Authy account with the new device you are adding. You will get an SMS text message, a phone call, or a prompt in the Authy application on the original device you first used to set up your account, asking you to confirm that the new device should be added. Any new device is synced with all the others, and any changes to your online accounts, such as removing one or adding a new one, are synced to appear on all the devices attached to your Authy account.

After you have added all your devices, it is best to turn off the multi-device switch in the Authy software for added protection of your account. This ensures that no one can add a device without your knowledge and permission. If you only have one device, it is better not to turn off the multi-device switch, in case you need to add a new device for account recovery.

Note that when a device is authorised for your account, it still cannot access the backup codes unless you enter the password you chose to encrypt them with.

Summary

If you want to learn more about how to implement Authy 2FA, consult with the experts at BIZTACTIX. Contact BIZTACTIX (biztactix.com.au) for further help with your “Business IT Security.”
