Trusted Tech Team Blog

Two-Factor Takeover

The Future of Password Authentication

Online security has never been more important: companies have information hacked or stolen on a regular basis, and passwords alone are no longer a secure enough method for protecting sensitive data and personal information. Two-factor authentication has emerged to fill that gap. Sites that require two-factor ask for a password plus a second proof of identity, usually a code or a biometric check. Although SMS codes have served as that second factor in the past, they are becoming just as unsafe, because codes delivered by text or email are too easily intercepted.

Two-factor authentication is becoming the standard for protecting logins online: banks, credit card companies, and the social media sites you use every day now require a method of verification in addition to your password. We will look at some of the current and up-and-coming solutions to password security, from apps that generate authentication codes on your phone to physical hardware tokens. Whichever method you choose, one thing is certain: the future of internet security will depend on two-factor authentication.

Authenticator Apps

Two-factor is recommended for your high-security accounts (banking, credit cards, and pretty much any site that holds your personal information), though not every site offers it yet. Authenticator apps are by far the most accessible form of two-factor authentication at the moment; the most commonly used are Google Authenticator and Authy. Both work the same way: you install the app and scan the code the site shows when you set up a new account. From then on the app generates a new code approximately every 30 seconds, and you enter that code along with your password when logging in.

Two-factor through Google Authenticator is a great start to making yourself less of a target for hackers, but the app isn't perfect. If you lose your phone, for example, you may lose access to your accounts and have to set them up again from scratch. Authy is a little more refined in this respect: it lets you back up your codes to the cloud in encrypted form, protected by a password, so you can restore them later across multiple devices if needed. Either app is a sound replacement for the SMS method and will become more useful as more websites require two-factor authentication.

Physical Hardware Tokens

Physical authentication keys like those from Yubico are another way to use two-factor login, and they are starting to win adoption at major companies including Google, Microsoft, PayPal, American Express, MasterCard, VISA, Intel, ARM, Samsung, Qualcomm, Bank of America, and many others. It's already possible to use a physical U2F token in Chrome, Firefox, and Opera to secure your Google, Facebook, Dropbox, and GitHub accounts. The token is a small USB key: to log into your account from a new computer, you insert the key and press the button on it.

These devices implement the U2F standard, backed by the FIDO Alliance, which maintains an interoperable ecosystem of hardware, mobile, and biometric authenticators that work with many apps and websites. Building on it, Web Authentication (WebAuthn) is an up-and-coming credential management API that will be built directly into popular web browsers. It lets users register and authenticate with web applications using an authenticator such as a phone, a hardware security key, or a Trusted Platform Module (TPM). Once WebAuthn is in place, we will see a drastic increase in the use of U2F devices. As two-factor authentication becomes the internet standard over the next few years, these devices should also work over NFC and Bluetooth to talk to mobile devices that lack USB ports. The biggest perk of this system is that it is virtually tamper-free: unlike SMS and app-generated codes, the secret on these devices cannot be intercepted. Of course, two-factor authentication is not perfect, but it is radically more secure than relying on a password alone and makes you a much less compelling target.
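The reason a security key's response cannot be lifted and reused the way an SMS code can is visible in the checks the website performs on it. The following added example (not code from this post, nor from the FIDO Alliance or any browser) walks through the relying-party checks that need no public key: the browser records the page's origin and the server's one-time challenge in clientDataJSON, and the key binds its signature to a hash of the site's domain (rpIdHash), so a response produced on a look-alike domain is rejected by the genuine site. The relying party `example.com`, its origin, and the sample response built by `make_demo_response` are constructed for the demo; the final ECDSA signature check over the returned payload is left to a crypto library and is not implemented here.

```python
# Added example (not code from the Trusted Tech Team post): the checks a
# website (the WebAuthn "relying party") runs on a security-key login
# response before it trusts the signature. The browser writes the page's
# origin and the server's challenge into clientDataJSON, and the key binds
# its signature to a hash of the site's domain (rpIdHash); a response
# captured on a look-alike domain therefore fails on the real site.
# The relying party name, origin and the sample response are constructed;
# the ECDSA signature check itself is left to a crypto library.
import base64
import hashlib
import json
import os
import struct

RP_ID = "example.com"                  # hypothetical relying party
EXPECTED_ORIGIN = "https://example.com"

FLAG_USER_PRESENT = 0x01    # bit 0: the button on the key was pressed
FLAG_USER_VERIFIED = 0x04   # bit 2: a PIN or biometric was also checked


def new_challenge() -> bytes:
    """Fresh random challenge per login attempt; the server keeps it in the session."""
    return os.urandom(32)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def parse_authenticator_data(auth_data: bytes) -> dict:
    """First 37 bytes: rpIdHash (32) | flags (1) | signCount (4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {"rpIdHash": auth_data[:32], "flags": auth_data[32], "signCount": sign_count}


def check_assertion(response: dict, expected_challenge: bytes,
                    last_sign_count: int, require_uv: bool = False) -> bytes:
    """Relying-party checks from the WebAuthn spec (section 7.2) that need no
    public key. Returns the bytes the signature must cover; raises on failure."""
    client_data_bytes = b64url_decode(response["clientDataJSON"])
    client_data = json.loads(client_data_bytes)
    if client_data.get("type") != "webauthn.get":
        raise ValueError("wrong ceremony type")
    if client_data.get("challenge") != b64url(expected_challenge):
        raise ValueError("challenge mismatch (stale session or replay)")
    if client_data.get("origin") != EXPECTED_ORIGIN:
        raise ValueError(f"origin mismatch: {client_data.get('origin')!r}")

    auth_data = b64url_decode(response["authenticatorData"])
    parsed = parse_authenticator_data(auth_data)
    if parsed["rpIdHash"] != hashlib.sha256(RP_ID.encode()).digest():
        raise ValueError("rpIdHash does not match our domain")
    if not parsed["flags"] & FLAG_USER_PRESENT:
        raise ValueError("user presence not asserted (button not pressed)")
    if require_uv and not parsed["flags"] & FLAG_USER_VERIFIED:
        raise ValueError("user verification required but not performed")
    if (parsed["signCount"] or last_sign_count) and parsed["signCount"] <= last_sign_count:
        raise ValueError("signature counter did not increase: possible cloned key")
    # The key signs authenticatorData || SHA-256(clientDataJSON). Verify
    # response["signature"] over this payload with the public key stored at
    # registration (e.g. ECDSA P-256) using a crypto library.
    return auth_data + hashlib.sha256(client_data_bytes).digest()


def login_ok(response: dict, expected_challenge: bytes, last_sign_count: int) -> bool:
    """Convenience wrapper: True if every pre-signature check passes."""
    try:
        check_assertion(response, expected_challenge, last_sign_count)
        return True
    except ValueError:
        return False


def make_demo_response(challenge: bytes, origin: str, rp_id: str,
                       flags: int, sign_count: int) -> dict:
    """Constructed stand-in for what navigator.credentials.get() hands the page."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": origin}).encode()
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([flags]) + struct.pack(">I", sign_count))
    return {"clientDataJSON": b64url(client_data), "authenticatorData": b64url(auth_data),
            "signature": b64url(b"placeholder: real bytes come from the key")}


if __name__ == "__main__":
    ch = new_challenge()
    genuine = make_demo_response(ch, EXPECTED_ORIGIN, RP_ID, FLAG_USER_PRESENT, 5)
    print("genuine login passes pre-signature checks:", login_ok(genuine, ch, 4))
    spoofed = make_demo_response(ch, "https://examp1e.com", "examp1e.com", FLAG_USER_PRESENT, 5)
    print("response from a look-alike domain accepted:", login_ok(spoofed, ch, 4))
```

The origin and rpIdHash checks are what the page means by "cannot be intercepted": the key never reveals its secret, and the one thing it does emit, the signature, only verifies for the exact site and the exact challenge it was created for. The signature-counter check is a separate safeguard that catches a physically cloned key.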
