Online security has never been more important, as companies today regularly have information hacked or stolen. Passwords alone are no longer a secure enough method for protecting sensitive data and personal information, giving way to two-factor authentication.
The Future of Password Authentication
Sites that require two-factor authentication ask for a password and another method for added security, usually a code or biometric access. Although SMS code verification has been historically effective, it is now becoming just as unsafe, as codes are too easily intercepted via text or email. Two-factor authentication is becoming the standard for protecting sensitive login information online, as banks, credit card companies, and your go-to social media sites now require an additional method of verification other than your password.
We will look at some of the current and up-and-coming solutions to password security, from apps that generate authentication codes on your phone to physical hardware tokens. Regardless of which method you choose, one thing is certain: the future of internet security will depend on two-factor authentication.
Two-factor authentication is recommended for your high-security accounts (e.g., banking, credit cards, and any site using your personal info), though it is important to note that not all sites offer two-factor at this time. Authenticator apps are by far the most accessible form of two-factor authentication at the moment, with the most common apps being Google Authenticator and Authy. Both work similarly, allowing users to install the app and scan the code upon setting up a new account. The app then generates new codes, approximately every 30 seconds, allowing you to enter the code and your password upon logging into the desired site.
Using Google Authenticator is a great way to start making yourself less of a target to prospective hackers; however, the app isn’t entirely perfect. If you lose your phone, for example, you may lose access to your accounts and have to start over. Authy is a little more refined in this respect, as it allows you to back up your previous codes in the cloud with an encrypted password, so you can access them across multiple devices at a later time. Either app works well in replacing the SMS method, and will be helpful as more websites require two-factor authentication.
Physical Hardware Tokens
Physical authentication keys like those from Yubico are another way to utilize the two-factor login and are revolutionizing major companies like Google, Microsoft, PayPal, American Express, MasterCard, VISA, Intel, ARM, Samsung, Qualcomm, Bank of America, etc. It is already possible to use a physical U2F token in Chrome, Firefox, and Opera to secure Google, Facebook, Dropbox, and GitHub accounts. This small USB key is used to log into your account from a new computer by inserting the key and pressing a button on it.
U2F is supported by the FIDO Alliance, which enables an interoperable ecosystem of hardware, mobile, and biometrics-based authenticators used with many apps and websites. Similarly, Web Authentication (WebAuthn) is an up-and-coming credential management API that will be built directly into popular web browsers. It allows users to register and authenticate with web applications via phone, hardware security keys, or Trusted Platform Module (TPM) devices.
Once WebAuthn becomes commonplace, we should expect a drastic increase in U2F usage. As two-factor authentication becomes the internet standard, these devices should work with NFC and Bluetooth for mobile communication, minus USB ports. U2F's biggest perk is that it’s virtually tamper-free and, unlike SMS and codes, information on U2F devices cannot be intercepted. Of course, two-factor authentication is not perfect, but it is radically more secure than passwords and makes you a less compelling target.