Password Authentication Sucks
Before two-factor authentication was ever a thing, the world ran on passwords. Passwords are still commonly used today, as they’re quite useful for most people—a short easy-to-remember phrase that gives you access to your protected services.
But passwords have a lot of security problems in practice. The main issue is that you’re trusting your password to a lot of random third parties, which runs the risk of a hash of your password being stolen in a data breach. If you have a good long password, you should be safe, but many people have terrible passwords. On top of this, many people reuse the same password, which means that a data breach at one company could affect your account at a different service.
Even with everything else ignored, a password is a single string that gives access to your account. Anyone in possession of this string can perform actions as you. A single point of failure is never a good idea.
So, a solution was made, called “Two-Factor Authentication.” Everyone has a phone; in many ways, the device in your pocket publicly identifies you. So, the idea is simple—you’ll be sent a text with a short code to your phone whenever anyone tries to log in. Without the code, the attacker is locked out. If an attacker stole your password and wanted to log in to your account, they won’t be able to without access to your phone.
The “Two Factors” in 2FA are your password and the code sent to your phone. Without access to both factors (not either/or), nobody can get into your account.
But Two-Factor Auth Has Problems, Too
While 2FA is great for locking down accounts, and has worked fairly well, many implementations of it have their own issues. Because 2FA relies on SMS to send codes, it isn’t really a “password + phone” combo that allows access to your account; it’s “password + phone number.”
This is an issue because it’s incredibly easy to steal someone’s phone number with a SIM swap attack. It works like this—a determined attacker wants to get into your account, so they do some research and find your phone number, and optionally, your birthday. With these two things, they can go to the phone service provider’s store and buy a new phone. A lot of the time, the employees in these stores aren’t aware of this security risk, and will default to just asking you for your birthday. All the attacker has to do is lie, and they walk out of the store with your phone number on their SIM card. This isn’t just theoretical—it has personally happened to me when I got my phone upgraded at Verizon. They didn’t ask for my birthday, any identifiable information, or even my old phone. I gave them my phone number to swap over, but it could have easily been yours.
Of course, the attacker will still require your password to get into your account, but many services use your phone as a recovery device as well. Even without your password, an attacker could choose to reset it, send the recovery code to your phone (which is now their phone), and unlock your account, all without knowing either of your two factors.
“Multi-Factor Auth” Fixes All of These Issues
The fix for this is pretty simple. Rather than using SMS to deliver codes to your device, you’ll instead download an “Authenticator App” and securely link it to your account. Instead of being sent a code, you’ll simply enter the code shown in the app, which changes every 30 seconds or so. Otherwise, it’s the same as 2FA; no phone, no access.
Under the hood, this uses a Time-Based One-Time Passcode (TOTP), which is very secure. You and the service exchange a secret when linking the app to your account. That secret, combined with the current time, is used to generate a unique code every 30 seconds. Because you and the server share the secret, you’ll have identical codes, and nobody else will be on the same page without knowing the secret you exchanged. This alone fixes the SIM swap issue, because the secret is linked to the phone, not the phone number.
TOTP apps are just one example of an MFA factor. The term is a generalization that applies to any type of two-or-more-step authentication. MFA is a newer, more inclusive term that is usually used by services that support TOTP apps and other auth factors. While the phrase “Two Factor Auth” could still technically apply to keyfob + password auth, it almost always refers to SMS.
MFA factors usually fall into one of three categories:
Something the user knows, such as passwords or PINs
Something the user has, such as a phone or a key fob
Something the user is, such as facial or fingerprint recognition
Of these, key fob authentication (something the user has) is the most common after TOTP apps. These are physical devices (similar to flash drives) that you plug into your device when you sign in.
They contain a certificate that verifies your identity. Essentially, it’s an SSH cert on an easy-to-access key, which is very secure, even more so than your average SSH key, since the private key never exists on an internet-connected device. Theoretically, there is no way to break through key fob authentication, short of physically stealing the key fob, which is highly unlikely, or removing the door itself, which can’t be prevented anyway.
It should be noted that MFA isn’t always entirely secure—password recovery can sometimes still bypass it, depending on the service. For Google in particular, accounts locked with authenticator apps can still be reset this way. If you use a Google account for business services, or just really want your email locked down, you should enable Google’s “Advanced Protection,” which requires a key fob and closes this hole.