Authentication is the process of confirming that something is genuine, for instance, checking a password that has been entered against the one set at registration.
Passwords remain the most commonly used data protection measure, but even a very strong password is vulnerable to attacks, spurring many services and programs to provide an additional layer of security to beef up password protection.
Authentication doesn’t have to stop at two factors. Three-factor authentication, for instance, would have a user type in a permanent password, enter a one-time password received via SMS and pass fingerprint verification.
Two-factor authentication can take different forms, and in this chapter, you will learn about the most commonly used methods.
Some applications use a password/keyfile combination. A keyfile is a file whose contents are supplied to the program as part of logging in.
This method is used by the popular on-the-fly encryption application TrueCrypt and its fork VeraCrypt. When creating an encrypted file-hosted volume, you specify a file that the application will ask for whenever it decrypts your data.
Almost any file can serve as a keyfile; the application only reads it and leaves its contents intact. Be aware, though, that you must not change the file afterwards: any modification alters the content the application relies on, and the keyfile will no longer unlock the volume. There is no point in using very large keyfiles: VeraCrypt, for instance, uses only the first 1024 KB of the file.
Tip: Don’t use very large files as keyfiles; there’s no point in it.
Make it hard to locate the file or to guess that it is a keyfile. Avoid naming it “key” or anything else that reveals its true purpose; use an ordinary document or image that doesn’t draw attention.
Tip: Disguise keyfiles as ordinary files.
Always remember to use a keyfile in addition to a password, not instead of one. A keyfile defends against some common password-theft methods that even the strongest password cannot protect you from, for instance, someone snooping on your password as you type it or a keylogger capturing it.
You are probably wondering where you should store your keyfile. I store my keyfile unprotected on my computer, in a folder where it doesn’t differ from other files. This file doesn’t need to be kept in a protected place since you combine it with a password. I store a copy of this file in encrypted file-hosted volumes on a portable hard drive and in cloud storage. Be aware that if you lose this file, you will be unable to access your data.
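As an added illustration (not the page’s or VeraCrypt’s own code), here is a hypothetical password-plus-keyfile derivation in Python that mirrors two points above: only the first 1024 KB of the keyfile count, and a single edited byte inside that region makes the keyfile useless while the password alone never unlocks the volume. The salt, iteration count, tag construction and sample keyfile are constructed for the demo.

```python
import hashlib
import hmac
from typing import Optional

# Only the first 1024 KB of a keyfile contribute, mirroring the limit the text gives for VeraCrypt.
KEYFILE_LIMIT = 1024 * 1024
# Constructed salt and iteration count for the demo; a real volume stores its own salt in its header.
DEMO_SALT = b"constructed-demo-salt-16"
DEMO_ITERATIONS = 50_000


def keyfile_digest(keyfile_bytes: bytes) -> bytes:
    """Reduce the usable part of the keyfile (first 1024 KB) to a fixed-size digest.
    Any changed byte inside that region changes the digest; bytes past it are ignored."""
    return hashlib.sha256(keyfile_bytes[:KEYFILE_LIMIT]).digest()


def derive_volume_key(password: str, keyfile_bytes: Optional[bytes] = None) -> bytes:
    """Combine password and keyfile into one secret, then stretch it with PBKDF2-HMAC-SHA256.
    Hypothetical scheme for illustration, not VeraCrypt's own keyfile-pool algorithm."""
    secret = password.encode("utf-8")
    if keyfile_bytes is not None:
        secret += keyfile_digest(keyfile_bytes)
    return hashlib.pbkdf2_hmac("sha256", secret, DEMO_SALT, DEMO_ITERATIONS, dklen=32)


def make_header_tag(volume_key: bytes) -> bytes:
    """Tag stored with the volume so an unlock attempt can be checked without exposing the key."""
    return hmac.new(volume_key, b"volume-header-check", "sha256").digest()


def try_unlock(stored_tag: bytes, password: str, keyfile_bytes: Optional[bytes] = None) -> bool:
    """Succeeds only when both factors reproduce the original key; comparison is constant-time."""
    candidate = make_header_tag(derive_volume_key(password, keyfile_bytes))
    return hmac.compare_digest(stored_tag, candidate)


# Constructed stand-in for an ordinary-looking file used as a keyfile (exactly 1024 KB).
SAMPLE_KEYFILE = hashlib.sha256(b"constructed sample keyfile").digest() * (KEYFILE_LIMIT // 32)


if __name__ == "__main__":
    tag = make_header_tag(derive_volume_key("correct horse", SAMPLE_KEYFILE))
    edited = bytes([SAMPLE_KEYFILE[0] ^ 0xFF]) + SAMPLE_KEYFILE[1:]   # one byte changed inside the used region
    grown = SAMPLE_KEYFILE + b"appended after 1024 KB"                # change outside the used region
    print("password + keyfile     :", try_unlock(tag, "correct horse", SAMPLE_KEYFILE))
    print("password only          :", try_unlock(tag, "correct horse"))
    print("password + edited file :", try_unlock(tag, "correct horse", edited))
    print("password + grown file  :", try_unlock(tag, "correct horse", grown))
```

The last case shows why the 1024 KB limit matters: data appended beyond it does not change the derived key, so size alone buys nothing, whereas the smallest edit inside the used region locks you out.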
SMS codes offer an extra layer of defense: the user must enter a verification code sent to the phone number registered in the user profile. This is a reasonably safe mechanism as long as your phone number is unknown to attackers. Unfortunately, discovering your phone number or intercepting SMS messages is no big deal for attackers nowadays.
There are several ways to intercept SMS messages: getting a SIM card reissued, access to data at the operator level, compromising the device that receives the messages, exploiting SS7 vulnerabilities, or a fake base station. The most important takeaway is this: you can’t rely on SMS code verification for effective protection, though it is better than having no two-factor authentication at all.
Tip: If possible, choose two-factor authentication methods that are more secure than SMS code verification.
Sending verification codes over SMS is increasingly seen as unsafe, and this is confirmed by an ongoing shift in which corporations like Google are dropping SMS for two-factor authentication in favor of more secure measures.
Verification codes sent by email are a fairly secure method provided you access the email only from a different device. If you log in from your computer and read the email containing the verification code on that same computer, you render two-factor authentication completely useless.
Tip: Don’t read verification codes sent by email on the same device you log in from.
Table with passcodes
A table with passcodes is an extra layer of defense where, when you log in, the system asks you to enter a code from a table of numbered codes generated for you. Such tables should be printed; there is no point in keeping them in electronic form. Code tables protect you from password theft, for instance, when an attacker uses malware.
Attackers can access your computer and steal your password, but it will be useless to them, since to log in they would also have to enter a code from a table you don’t keep on your computer.
Sadly, many users are unaware of this and keep storing their passcode tables in electronic form. By doing so, they effectively hand their passwords to attackers and render two-factor authentication useless.