Internet privacy and security course RU

Two-factor authentication

Authentication is the process of confirming that something is genuine: for instance, checking that the password a user types in matches the one they entered upon registration.

Passwords remain the most commonly used data protection measure, but even a very strong password is vulnerable to attacks, which is why many services and programs provide an additional layer of security on top of password protection.

Overall, authentication doesn’t have to be two-factor. Three-factor authentication, for instance, would involve a user typing in a permanent password, receiving a one-time password via SMS and then passing fingerprint verification.

Two-factor authentication can take different forms, and in this chapter you will learn about the most commonly used methods.



Keyfiles

Some applications use a password/keyfile combination. A keyfile is a file whose contents are supplied to the program, in addition to the password, to allow the user to log in.

This method is used by TrueCrypt, a popular on-the-fly encryption application, and by its fork VeraCrypt. When you create an encrypted file-hosted volume, you specify a file that the application will then request whenever it decrypts your data.

Almost any file can serve as a keyfile, and its contents remain intact. Be aware, however, that you must not make any changes to the file afterwards: altering its contents changes what the application reads from it, and the keyfile will no longer work. Don’t use overly large keyfiles either, there’s no point in it: VeraCrypt, for instance, reads only the first 1024 KB of the file.



Don’t use too large files as keyfiles, there’s no point in it.


Make sure it is hard to locate your keyfile or to guess that a given file is one. Avoid naming it “key” or anything else that reveals the file’s true purpose. Use an ordinary document or image that doesn’t draw attention.



Disguise keyfiles as common files.


Always use this tool in addition to a password, never instead of one. A keyfile defeats some common password-theft methods that even the strongest password cannot protect you from, for instance someone watching you type your password, or a keylogger.

You are probably wondering where you should store your keyfile. I store my keyfile unprotected on my computer, in a folder where it doesn’t stand out from other files. The file doesn’t need to be kept in a protected place since you combine it with a password. I also keep a copy of it in encrypted file-hosted volumes on a portable hard drive and in cloud storage. Be aware that if you lose this file, you will be unable to access your data.
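The following is an added example, not code from the course or from VeraCrypt, and it does not reproduce VeraCrypt’s real keyfile-pool algorithm. It is a simplified model (constructed inputs, hypothetical `derive_volume_key` function) that demonstrates the properties described above: the password alone or the keyfile alone is not enough, editing the file within the first 1024 KB breaks the keyfile, and data past that limit has no effect.

```python
# Illustrative password + keyfile key derivation. This is NOT VeraCrypt's actual
# keyfile-pool algorithm; it is a simplified model of the behaviour described above.
import hashlib
import hmac
import os
from typing import Optional

KEYFILE_LIMIT = 1024 * 1024  # only the first 1024 KB of a keyfile are read


def keyfile_material(keyfile_bytes: bytes) -> bytes:
    # Digest only the used prefix: bytes beyond the limit cannot influence the key.
    return hashlib.sha256(keyfile_bytes[:KEYFILE_LIMIT]).digest()


def derive_volume_key(password: str, keyfile_bytes: Optional[bytes], salt: bytes) -> bytes:
    # Fold the keyfile digest into the password secret before the slow KDF, so a
    # captured password without the keyfile (or with a modified one) yields a different key.
    secret = password.encode("utf-8")
    if keyfile_bytes is not None:
        secret = hmac.new(keyfile_material(keyfile_bytes), secret, hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha512", secret, salt, 100_000, dklen=32)


def keyfile_properties() -> dict:
    # Constructed inputs: a 2 MB random blob standing in for an innocent-looking photo,
    # and a random volume salt. All checks below compare keys relative to each other.
    keyfile = os.urandom(2 * KEYFILE_LIMIT)
    salt = os.urandom(16)
    good = derive_volume_key("correct horse", keyfile, salt)

    edited = bytearray(keyfile)
    edited[4096] ^= 0x01                    # e.g. an image editor rewriting header metadata
    appended = keyfile + b"trailing data"   # a change lying entirely past the 1024 KB limit

    return {
        "password_alone_fails": derive_volume_key("correct horse", None, salt) != good,
        "wrong_password_fails": derive_volume_key("wrong password", keyfile, salt) != good,
        "edit_in_prefix_breaks_keyfile": derive_volume_key("correct horse", bytes(edited), salt) != good,
        "data_past_limit_is_ignored": derive_volume_key("correct horse", appended, salt) == good,
        "same_inputs_reproduce_key": derive_volume_key("correct horse", keyfile, salt) == good,
    }


if __name__ == "__main__":
    for name, holds in keyfile_properties().items():
        print(f"{name}: {holds}")
```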


SMS codes

SMS codes offer an extra layer of defense: the user must enter a verification code sent to the phone number given in their user profile. This is a fairly safe mechanism as long as attackers don’t know your phone number. Unfortunately, finding out your phone number or intercepting SMS messages is no big deal for attackers nowadays.

There are several ways to intercept SMS messages: getting a replacement SIM card issued, access to data at the operator’s level, compromising the device that receives the messages, exploiting SS7 vulnerabilities, or a fake base station. The most important takeaway here is: you can’t rely on SMS code verification for effective protection, though it is better than no two-factor authentication at all.



If possible, choose more secure two-factor authentication methods than SMS code verification.


Sending verification codes over SMS is increasingly seen as unsafe, and this is confirmed by an ongoing shift in which corporations such as Google are dropping SMS as a two-factor authentication option in favor of more secure data protection measures.


Email codes 

This is a fairly secure method provided you can access the email only from a different device. If you use your computer to log in and receive the email containing the verification code on that same computer, you render two-factor authentication completely useless.



Don’t accept verification codes via email on the same device you log in from.


Table with passcodes 

A table with passcodes is an extra layer of defense in which, when you log in, the system asks you to enter a code from a table of numbered codes generated for you. Such tables should be printed; there is no point in keeping them in electronic form. Tables with codes protect you from password theft, for instance when an attacker uses malware.

Attackers may get access to your computer and steal your password, but it will be useless to them: to log in they would also have to enter a code from the table, which you don’t keep on your computer.

Sadly, users are often unaware of this and keep their table with passcodes in electronic form. By doing so, they basically hand the codes to attackers along with their password, rendering two-factor authentication useless.



Print your table with passcodes and never keep it in electronic form.
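As an added example (not code from the course or from any particular service), here is a constructed model of the server side of a passcode table: codes are generated for printing, the server stores only salted hashes, a random unused entry is requested at each login, and a code is burned once used. The class and function names are hypothetical.

```python
# Constructed model of a printed passcode table (one-time codes). Not a specific
# service's implementation. The user keeps the printed codes; the server keeps only hashes.
import hashlib
import hmac
import secrets

CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no 0/O or 1/I: easier to read from paper


def generate_table(count: int = 20, length: int = 6) -> list:
    # Numbered codes to print out and hand to the user, in order (entry 1, entry 2, ...).
    return ["".join(secrets.choice(CODE_ALPHABET) for _ in range(length)) for _ in range(count)]


def format_for_printing(codes: list) -> str:
    # Human-readable, 1-based numbering as it would appear on the printed sheet.
    return "\n".join(f"{i + 1:02d}: {code}" for i, code in enumerate(codes))


class PasscodeVerifier:
    """Server-side state for one user's table: salted hashes plus a used flag per entry."""

    def __init__(self, codes: list):
        self.salt = secrets.token_bytes(16)
        self.hashes = [self._hash(c) for c in codes]
        self.used = [False] * len(codes)

    def _hash(self, code: str) -> bytes:
        # Slow hash so a leaked database does not directly expose the printed codes.
        return hashlib.pbkdf2_hmac("sha256", code.strip().upper().encode(), self.salt, 50_000)

    def challenge(self) -> int:
        # Ask for a random unused entry; a single code seen over someone's shoulder is
        # unlikely to be the one requested next time.
        unused = [i for i, burned in enumerate(self.used) if not burned]
        if not unused:
            raise RuntimeError("table exhausted; issue a new printed table")
        return secrets.choice(unused)

    def verify(self, index: int, code: str) -> bool:
        # Reject out-of-range or already-used entries before touching the hash.
        if not (0 <= index < len(self.hashes)) or self.used[index]:
            return False
        ok = hmac.compare_digest(self._hash(code), self.hashes[index])
        if ok:
            self.used[index] = True  # burn the code: replaying a captured code fails
        return ok
```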


Logging in using a mobile application

Logging in with an application on a mobile phone is, in my view, the best added layer of protection, except when you log in from the very device on which that application is installed.

This method supports different authentication schemes, the simplest of which uses push notifications. Personally, I prefer authentication via QR codes. When you log in, after entering the correct login and password, the system displays a QR code on your screen and asks you to decode it. Only you can decode the QR code, using your application. In this case, of course, stealing your password alone is rendered completely useless.


Biometric data

As a rule, biometric data is used as an alternative to passwords rather than as a two-factor authentication tool; you can find more about it in a separate chapter of this course. However, if you can take advantage of biometric two-factor authentication based on physical attributes such as the retina or a fingerprint, use it without a second thought.

The main problem with biometric data is that it can still be used after its owner is dead. For instance, police are known to have used the fingerprints of deceased people to unlock their phones. But if a password is also in place, this threat is negated, leaving you with all the advantages, including no risk of a brute-force attack or password theft (at least not without physical injury being involved).

We have covered the most commonly used two-factor authentication methods, and any of them combined with your password will considerably beef up your security.



Wherever possible, when logging in, use a password/keyfile combination or other methods of data protection as an extra step on top of the usual log-in procedure (SMS codes, tables with passcodes, etc.).




© 2018. WebGears Services Ltd. All rights reserved