Merchant Fraud Journal

How Does Two-Factor Authentication (2FA) Work?

Given how easily password and username combinations can be stolen by hackers, it’s no wonder that corporate data breaches happen regularly. And when they do, two-factor authentication is the best way to protect your sensitive data from theft.

Two-Factor Authentication (2FA) works by adding an additional layer of security to your online accounts. It requires an additional login credential – beyond just the username and password – to gain account access, and getting that second credential requires access to something that belongs to you.

Without this second factor the login cannot be completed, so a hacker holding only a stolen username and password still cannot get into your account.

Here is a simplified diagram of the two-factor authentication process:

[Figure: Two-Factor Authentication Process diagram]

What Can You Use for Two-Factor Authentication?

Two-factor authentication describes an approach, not a method. Many different methods exist to secure your account with two-factor authentication.

There are three main types of two-factor authentication:

  1. Additional login credentials only the account holder should know. This includes things like security question answers and PINs.
  2. Devices the account holder owns that receive additional login credentials. This most commonly takes the form of a security token, mobile phone app, or tablet device app.
  3. Biometric login credentials unique to the account owner. This includes retina scans and fingerprints.

You can determine which 2FA method works best for you. Companies often prefer the device method, because employees may feel biometric options violate their privacy. Individuals often find it less cumbersome to secure devices they own with biometric methods, because they don’t require you to carry around multiple devices.

How Does Two-Factor Authentication Work?

Here’s a quick rundown of what adding 2FA to an account looks like for the methods described above.

1. Text Message

Text messages for two-factor authentication send a login code to a mobile phone number you register with the account. This is the most streamlined form of 2FA. All you need is a cellphone and a connection to a mobile (cellular) network.

Text message 2FA is very common for personal accounts, but it is not without risk. There is a chance someone can impersonate you to the phone company, hijack your phone, and gain unauthorized access to your accounts.

Corporations should be wary of this method unless employees have dedicated corporate phone lines. Routing access through an employee’s personal number risks a fired employee doing major damage.

In addition, employees’ personal phone plans may not offer service everywhere, which risks an employee locking themselves out of their accounts while on an international business trip.

2. Authentication Applications

Authentication app 2FA works by using a mobile app to generate an authentication code. You must then enter this code to gain access to your account.

Unlike text messages, authenticator apps don’t depend on a mobile carrier network to deliver the code. Any internet connection is enough to reach your account.

In addition, services that support authenticator apps, such as Google, offer a list of one-time backup codes to use in case of connectivity problems.
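What the app and the server actually compute is a time-based one-time password (TOTP, RFC 6238) built on HMAC-based OTP (HOTP, RFC 4226). The following is an added example, not code from the article or from any authenticator vendor: it generates the six-digit code the app would display, verifies it server-side with a one-step clock-drift window, refuses a code that has already been accepted (replay), and keeps single-use backup codes as hashes. The secret is the published RFC test-vector secret and the timestamps are constructed; the `Enrollment` class and its method names are this example’s own invention.

```python
"""TOTP (RFC 6238) generation and verification with replay protection and hashed backup codes.
Added example, not the article's own code. The secret below is the RFC 4226/6238 test
secret and the times are constructed; nothing here is a real enrollment."""
import base64
import hashlib
import hmac
import secrets
import struct
import time

TIME_STEP = 30       # seconds per time step (RFC 6238 default)
DIGITS = 6           # code length shown by the app
ALLOWED_DRIFT = 1    # accept one step either side of "now" to tolerate clock skew


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                    # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """What the authenticator app displays: HOTP with counter = floor(time / step)."""
    return hotp(secret, unix_time // TIME_STEP)


class Enrollment:
    """Server-side state for one user's second factor (hypothetical class, this example's own)."""

    def __init__(self, secret: bytes, backup_count: int = 8):
        self.secret = secret
        self.last_counter = -1          # highest counter already accepted; blocks replays
        self.backup_hashes = set()      # only hashes are stored, as with passwords
        self.plain_backup_codes = []    # shown to the user once, at enrollment time
        for _ in range(backup_count):
            code = secrets.token_hex(5)  # 10 hex characters per backup code
            self.plain_backup_codes.append(code)
            self.backup_hashes.add(hashlib.sha256(code.encode()).hexdigest())

    def provisioning_secret(self) -> str:
        """Base32 form of the secret, as typed or QR-scanned into an authenticator app."""
        return base64.b32encode(self.secret).decode()

    def verify_totp(self, candidate: str, unix_time: int) -> bool:
        """Accept a code for the current step or one step either side, each counter at most once."""
        counter = unix_time // TIME_STEP
        for delta in range(-ALLOWED_DRIFT, ALLOWED_DRIFT + 1):
            c = counter + delta
            if c <= self.last_counter:
                continue  # this step (or an older one) was already used: reject replays
            if hmac.compare_digest(hotp(self.secret, c), candidate):  # constant-time compare
                self.last_counter = c
                return True
        return False

    def verify_backup_code(self, candidate: str) -> bool:
        """Backup codes are single use: a matching hash is removed on success."""
        digest = hashlib.sha256(candidate.strip().lower().encode()).hexdigest()
        if digest in self.backup_hashes:
            self.backup_hashes.remove(digest)
            return True
        return False


if __name__ == "__main__":
    enrollment = Enrollment(b"12345678901234567890")   # RFC test secret, constructed demo
    print("Scan/enter this secret in your app:", enrollment.provisioning_secret())
    print("Backup codes (store offline):", enrollment.plain_backup_codes)
    now = int(time.time())
    shown = totp(enrollment.secret, now)               # what the app would display
    print("Code from app:", shown, "accepted:", enrollment.verify_totp(shown, now))
    print("Same code again:", enrollment.verify_totp(shown, now))   # replay is refused
```

Two design points matter in practice: the comparison uses `hmac.compare_digest` so the check does not leak how many digits matched through timing, and `last_counter` ensures a code that was intercepted and accepted once cannot be submitted a second time inside the drift window. The drift window itself is the trade-off the article’s "connectivity problems" hints at: a device clock a few seconds off still works, but a wider window lets more candidate codes be valid at once.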

3. Biometric Two-factor Authentication

Biometric 2FA works by requiring you to present something unique to your physical person to gain access to your account.

Common methods of biometric verification include retina scans by your computer’s camera, or a fingerprint reader on your tablet.

While increasingly popular, these methods have limitations. The most common concern is the fear of biometric data theft. Unlike a changeable password, stolen information about your retina or fingerprint would compromise your security and privacy for life.

How Secure is Two-Factor Authentication?

An account that uses 2FA is much more secure than a mere username and password login, but that doesn’t mean it is entirely foolproof.

Text Message 2FA Security

For text messages, one of the biggest 2FA security flaws is the ability of users to keep their cell phone numbers even when they switch providers. Mobile number portability is an opening for hackers to impersonate you and switch your number to a phone they control.

Once that happens, your usernames and passwords will give hackers access to your accounts.

Authentication Applications 2FA Security

Authentication apps like Google Authenticator are vulnerable to device theft: leaving your device unattended at work, or losing it while traveling, puts your accounts at risk.

Similarly, security tokens — often considered one of the most secure types of 2FA — can get hacked at the manufacturer level.

That’s exactly what happened to customers of RSA Security’s “SecurID” tokens, after a breach leaked sensitive information to hackers.

Biometric 2FA Security

People often believe biometric security is foolproof. The reality is much different. Just like any other security method, hackers can get account access even with biometrics enabled.

It’s true a hacker isn’t going to remove your finger (we hope) to gain access to your accounts, but these security systems aren’t magic. They must store a digital representation of your fingerprint or retina to work, and that stored data can be hacked.

Two-Factor Authentication Best Practices

You should never use just a username and password to protect your account. The number of corporate security breaches in recent memory proves it’s too easy for hackers to gain access to your accounts.

However, that doesn’t mean that two-factor authentication is a foolproof way to prevent commerce fraud.

Using text messages, authenticator apps, or biometric methods is better than nothing, but you should also go beyond that and follow these 2FA best practices:

  1. Don’t use your personal phone number for text 2FA authentication.
    Phone carriers are notorious for getting tricked into changing account details by clever hackers. Instead, set up a dedicated Google Voice number that you can always keep and that a phone carrier cannot change.
  2. Don’t use email-based account resets.
    It’s convenient to reset your accounts by email, but that same convenience makes it very easy for a hacker to bypass the other 2FA procedures you’ve put in place and get at the account with just a username and password.
  3. Use a combination of authentication methods.
    You can secure many accounts with more than one 2FA method. And the more 2FA methods you use, the more secure your information is.

Two-factor authentication is an essential step in knowing how to prevent eCommerce fraud. Although adding additional layers is inconvenient, it’s much less inconvenient — and costly — than a fraudster impersonating you, getting access to your personal information, or stealing your bank account details.
