Internet privacy and security course

Chapter 74

Two-factor authentication

Authentication is the process of confirming that something is genuine, for instance checking that the password a user types in matches the one that was set when the account was registered.

Passwords remain the most widely used way of protecting data and accounts, but even a very strong password can be stolen or intercepted, which is why many services and programs add a second layer of security on top of the password.

Authentication does not have to stop at two factors. Three-factor authentication, for instance, would combine a permanent password (something you know), a one-time code delivered by SMS to your phone (something you have) and a fingerprint check (something you are).

Two-factor authentication can take different forms, and in this chapter, you will learn about the most commonly used methods.


Keyfiles

Some applications use a password/keyfile combination. A keyfile is a file whose contents are supplied to the program, together with the password, to let a user log in or unlock data.

This method is used by the popular on-the-fly encryption application TrueCrypt and by its fork VeraCrypt. When creating an encrypted file-hosted volume, you can specify a keyfile; the application will then ask for that file whenever it needs to decrypt your data.

Almost any file can serve as a keyfile, and the application does not modify it. Be aware, however, that you must not change the file yourself: the key is derived from its contents, so even a one-byte change (for instance an image viewer rewriting a picture's metadata tags, or an editor re-saving a document) makes the keyfile useless and locks you out of the volume. There is also no point in choosing a very large file: VeraCrypt reads only the first 1024 KB of a keyfile, and everything beyond that is ignored.


Don’t use too large files as keyfiles, there’s no point in it.

Make it hard for an attacker to find your keyfile or to guess that a given file is a keyfile. Avoid naming it “key” or anything else that reveals its purpose, and use an ordinary-looking document or image that does not draw attention. Keep in mind that this disguise is obscurity, not strength: an attacker who has copied your whole disk can try every file on it as a candidate keyfile, so the password must still be strong.


Disguise keyfiles as common files.

Always remember to use a keyfile in addition to a password, never instead of one. A keyfile defends against common ways of stealing a password that no amount of password strength can prevent, such as someone watching you type it or a keylogger recording your keystrokes: whoever captures the password still cannot open the volume without the file.

You are probably wondering where you should store your keyfile. I store my keyfile unprotected on my computer, in a folder where it doesn’t differ from other files. This file doesn’t need to be kept in a protected place since you combine it with a password. I store a copy of this file in encrypted file-hosted volumes on a portable hard drive and in cloud storage. Be aware that if you lose this file, you will be unable to access your data.
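The two properties described above, that only the first 1024 KB of a keyfile count and that a keyfile is useless on its own without the password, are easy to check in code. The following Python script is an added example and is not VeraCrypt's or TrueCrypt's own code: it uses a simplified mixing step (SHA-256 of the usable keyfile bytes, fed into PBKDF2 together with the password) rather than the real keyfile-pool algorithm, and the salt, the sample "photo" and the password are constructed demo values. Only the 1024 KB limit is taken from the text.

```python
import hashlib
import hmac
from typing import Optional

# VeraCrypt processes only the first 1024 KB (1,048,576 bytes) of a keyfile; bytes
# beyond that limit never influence the key. The limit comes from the text above;
# the mixing below is a simplified model, not VeraCrypt's own algorithm.
KEYFILE_MAX_READ = 1024 * 1024

# Constructed demo values (a real volume stores a random per-volume salt in its header).
DEMO_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
PBKDF2_ITERATIONS = 100_000


def keyfile_pool(keyfile_bytes: bytes) -> bytes:
    """Condense the usable part of a keyfile into fixed-size key material.

    Only the first KEYFILE_MAX_READ bytes are hashed, so an edit after that point
    leaves the pool, and therefore the derived key, unchanged.
    """
    return hashlib.sha256(keyfile_bytes[:KEYFILE_MAX_READ]).digest()


def derive_volume_key(password: str, keyfile_bytes: Optional[bytes],
                      salt: bytes = DEMO_SALT) -> bytes:
    """Mix the password with the keyfile pool and stretch the result with PBKDF2.

    Both inputs feed the KDF, which is why a keyfile must be combined with a
    password: an attacker who obtains one of the two still lacks the other.
    """
    material = password.encode("utf-8")
    if keyfile_bytes is not None:
        material += keyfile_pool(keyfile_bytes)
    return hashlib.pbkdf2_hmac("sha512", material, salt, PBKDF2_ITERATIONS, dklen=64)


def keys_match(a: bytes, b: bytes) -> bool:
    """Constant-time comparison, so a key check does not leak timing information."""
    return hmac.compare_digest(a, b)


def flip_bit(data: bytes, offset: int) -> bytes:
    """Return a copy of data with one bit flipped at offset (models an accidental edit)."""
    edited = bytearray(data)
    edited[offset] ^= 0x01
    return bytes(edited)


def demo() -> dict:
    """Run the checks a practitioner would want before trusting a keyfile setup."""
    # Constructed 2 MB "photo": twice what VeraCrypt would actually read.
    keyfile = bytes(range(256)) * (2 * KEYFILE_MAX_READ // 256)
    password = "correct horse battery staple"  # constructed demo password
    reference = derive_volume_key(password, keyfile)
    return {
        "same_inputs_same_key":
            keys_match(derive_volume_key(password, keyfile), reference),
        "edit_inside_limit_breaks_key":
            not keys_match(derive_volume_key(password, flip_bit(keyfile, 4096)), reference),
        "edit_beyond_limit_is_ignored":
            keys_match(derive_volume_key(password, flip_bit(keyfile, KEYFILE_MAX_READ + 4096)),
                       reference),
        "appended_data_is_ignored":
            keys_match(derive_volume_key(password, keyfile + b"trailing bytes"), reference),
        "keyfile_without_password_fails":
            not keys_match(derive_volume_key("", keyfile), reference),
        "password_without_keyfile_fails":
            not keys_match(derive_volume_key(password, None), reference),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The "edit beyond the limit" and "appended data" checks are the reason a large keyfile buys nothing, and the last two checks are the reason the file must always be paired with the password.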

SMS codes

SMS codes add an extra layer of defence: to log in, the user must enter a verification code that the service sends to the phone number stored in the user’s profile. This is a reasonably safe mechanism as long as attackers do not know your phone number and cannot get at the messages sent to it. Unfortunately, finding out a victim’s phone number or intercepting their SMS messages is no longer difficult for attackers.

SMS messages can be intercepted in several ways: obtaining a replacement SIM card for the victim’s number from the operator (SIM swapping), using insider access to the operator’s systems, infecting the device that receives the messages with malware, exploiting vulnerabilities in the SS7 signalling network, or setting up a fake base station. The most important takeaway is that you cannot rely on SMS codes for strong protection, although they are still better than having no second factor at all.
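To make the mechanism concrete, here is the server-side half of the flow described above, written as an added example rather than any real service's code: the code is generated with a cryptographically secure random source, sent to the profile's phone number, and accepted only once, only within its lifetime, and only within a small attempt budget (a six-digit code has just a million possible values, so unlimited guessing would defeat it). The SMS gateway, the clock, the user name and the phone number are stand-ins supplied by the caller so that the example runs offline. Notice that none of these checks help against the interception methods listed above: whoever can read the message arriving at the phone has the code.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

CODE_DIGITS = 6          # typical length of an SMS verification code
CODE_TTL_SECONDS = 300   # a code that is not used promptly should stop working
MAX_ATTEMPTS = 5         # 10**6 possible codes: without a cap, guessing would succeed


@dataclass
class PendingCode:
    code: str
    expires_at: float
    attempts: int = 0


class SmsCodeVerifier:
    """Illustrative server-side SMS code verification (not any real service's code).

    send_sms delivers the text (a real deployment would call an SMS gateway here);
    clock is injectable so expiry can be exercised without waiting.
    """

    def __init__(self, send_sms: Callable[[str, str], None],
                 clock: Callable[[], float] = time.time) -> None:
        self._send_sms = send_sms
        self._clock = clock
        self._pending: Dict[str, PendingCode] = {}

    def issue(self, user_id: str, phone_number: str) -> None:
        """Generate a fresh code with a CSPRNG, remember it, and send it to the phone."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        # A new code replaces any earlier one, so at most one code is valid per user.
        self._pending[user_id] = PendingCode(code=code,
                                             expires_at=self._clock() + CODE_TTL_SECONDS)
        self._send_sms(phone_number, f"Your verification code is {code}")

    def verify(self, user_id: str, submitted: str) -> bool:
        """Accept a code once, within its lifetime, and within the attempt budget."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        if self._clock() > entry.expires_at:
            del self._pending[user_id]
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            # Too many guesses: discard the code rather than let it be brute-forced.
            del self._pending[user_id]
            return False
        if hmac.compare_digest(entry.code.encode(), submitted.encode()):
            del self._pending[user_id]  # single use: a replayed code must fail
            return True
        return False


def demo() -> Dict[str, bool]:
    """Walk through the flow with a constructed outbox instead of a real SMS gateway."""
    outbox: List[Tuple[str, str]] = []
    fake_now = [1_700_000_000.0]          # constructed clock value
    verifier = SmsCodeVerifier(lambda phone, text: outbox.append((phone, text)),
                               clock=lambda: fake_now[0])
    phone = "+15550100"                   # constructed phone number

    verifier.issue("alice", phone)
    code = outbox[-1][1].split()[-1]      # what the user would read off the phone
    results = {"correct_code_accepted": verifier.verify("alice", code)}
    results["replayed_code_rejected"] = not verifier.verify("alice", code)

    verifier.issue("alice", phone)
    fake_now[0] += CODE_TTL_SECONDS + 1   # let the code expire
    results["expired_code_rejected"] = not verifier.verify("alice", outbox[-1][1].split()[-1])

    verifier.issue("alice", phone)
    for _ in range(MAX_ATTEMPTS):
        verifier.verify("alice", "ABCDEF")  # guesses that can never match a digit code
    results["locked_out_after_guessing"] = not verifier.verify("alice",
                                                               outbox[-1][1].split()[-1])
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The constant-time comparison, the expiry and the attempt cap are what keep the code itself from being guessed; they do nothing about the delivery channel, which is exactly where the attacks above take place.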


If possible, choose a two-factor method that is more secure than SMS code verification, such as an authenticator app or a hardware security key.