by Chris Woodford. Last updated: October 5, 2016.
Every time you leave your home, you're probably very careful about locking all the doors and windows, maybe even switching on an intruder alarm if you have one. You can't be too careful, right? But how careful are you when it comes to securing your computer? Do you take pains to choose complex passwords and not write them down where other people can find them? Even if you do, isn't it just possible someone else could hack into the systems you use and do all kinds of damage? Now more and more people are moving their lives online, banks, ecommerce (shopping) websites, and others are having to take security far more seriously, no longer relying on simple passwords to keep intruders at bay. One increasingly popular measure is called two-factor authentication, and it's the online equivalent of a combination lock whose code keeps on changing. How exactly does it work? Let's take a closer look!
Photo: Your computer and the online systems it gives you access to may be one of the most valuable things in your life, but how secure is it really?
Why online security isn't always secure
Most people now access all the important areas of their life—banking, shopping, insurance, medical records, and so on—simply by sitting at their computer and typing a username and password into a website. Getting access to something this way is called one-factor authentication, because you need to know only one thing to get into the system: the combination of user name and password is like a single key to a single lock. In theory, this kind of protection should be reasonably secure; in practice, it's less and less trustworthy. Many people choose trivial passwords that are easy to guess (like their partner's or child's name, their own name, or even the word "password"). Or they write passwords down on sticky notes stuck to the computer or let their web browser store passwords for them. Lots of people use the same username and password across many different websites (so a rogue user who steals your details from one site can immediately get access to any other site you use). If you regularly use cyber cafés, or computers at colleges or other public places, there's a risk you could inadvertently store your password on a machine someone else will use or forget to log out of a secure site.
Even if you're sensible with passwords, you're not necessarily as secure as you think: your password can be stolen in all kinds of ways you'd never even notice. It's possible for clever hackers to write keystroke logging programs that sit quietly on your computer remembering all the keys you press, including any passwords you enter. Viruses, worms, and other kinds of malware (malicious software) are often rumored to install keystroke loggers like this on people's computers. In theory, passwords can also be stolen in transit as they're being sent from the user's web browser to the server that checks ("authenticates") them—something known as a man-in-the-middle attack; malware installed in your browser can capture passwords even more easily (that's known as a man-in-the-browser attack). If you're using a typical Wi-Fi (wireless Internet) setup, everything you type into your browser is broadcast publicly for a distance of up to 100m (over 300 ft) as it travels through the air to the router that takes you online. If your system doesn't use proper encryption, it's possible (in theory at least) for any sensitive information going back and forth between your computer and the Internet to be captured by an electronic eavesdropper. And since passwords are often relatively trivial, and computers are becoming faster and ever more sophisticated, it's possible for hackers to use completely automated methods to get access to online systems. In one well-known technique known as a dictionary attack, a hacker can program a computer to log into someone's system by brute force, trying a list of common words (or names) as passwords, one after another, until it hits the right one by chance.
Banks and other organizations prone to cyber crime make life harder for online intruders and thieves by requiring users to enter more pieces of information at signon. You might have to enter not just a username and password, but also a memorable piece of information such as your date of birth, the town where you were born, your pet's name, or whatever it might be. That's more secure, but it still doesn't overcome problems like keystroke loggers, insecure Wi-Fi, man-in-the-middle, or dictionary attacks.
Photo: Is keystroke-logging "malware" (viruses, worms, and so on) secretly running on your computer and recording the buttons you press when you access "secure" websites? If you're worried about this, cut and paste passwords a character at a time from other documents using your mouse.
What is two-factor authentication?
In the real world of bricks-and-mortar, banks try to secure their valuables by putting them in vaults that have multiple security devices. A safe might need two different sets of keys to open it, for example, with each one held by a different, senior member of staff. Or it might have a timelock that means it opens only between certain hours of the day, whether you have the right keys or not. The online equivalent of this is called multi-factor authentication (MFA) and it means you have to pass distinctly different types of security check to get access to a computer system. In theory, just as you could have a bank vault secured by any number of keys and other security devices, so you could have an online bank or shopping website secured by lots of different security checks. In practice, most online systems that use this extra security currently require you to sign in with a username and password and satisfy one extra security check as well. Since two separate checks are involved instead of the normal one, this is often called two-factor authentication (2FA or TFA) or two-step verification.
What is a one-time password?
So what's the extra check? Where signing into computer systems and websites is concerned, it usually involves entering a disposable password, which is valid only once and changes every time you sign-in. This is called a one-time password (OTP) and a new one is generated fresh each time you access the system. Typically a one-time password is a series of meaningless numbers or characters or it might be a half dozen or so short, random words. How do you know your one-time password if it keeps changing? It's not something you're expected to remember: it's generated automatically and sent to you by some method other than online transmission. It might be sent to your cellphone (mobile phone) as an SMS text message; it could be generated by an app running on your phone or by a dedicated, handheld electronic gadget called a security token; it might even be printed out and mailed to you on paper, the good old-fashioned way.
Photo: Microsoft Live now gives you the option of signing in with a disposable, one-time password (or "single-use code," as they like to call it). How does it work? If you're using a public computer, you might prefer not to type in your normal password in case someone is looking over your shoulder (or you're worried about key logging). If you've registered your cellphone number with the site, you can click a link to have a single-use code sent to your phone, which you then enter in place of your password, as shown here.
Unlike a conventional password, which is "something you know" and remember, your one-time password comes from "something you have" and keep, such as a text message, a security token, or a piece of paper. (In books and articles about computer security, you'll often see the two different "keys" that unlock a system protected by two-factor authentication referred to as "something you know" and "something you have.") Usually you have to type the one-time password into the website or computer you're trying to access, though some security tokens use wireless technologies (such as RFID) or plug in to computers via USB sockets, automatically transfer a one-time password without your having to bother about it, and grant you access that way; a plug-in token like this is a bit like a computerized key that unlocks the door to your system and is sometimes called a dongle.
How are one-time passwords generated?
If a one-time password is going to give you access to a computer system, the disposable password you hold in your hand obviously has to match the password the computer has in its memory, just like a conventional password. The only trouble is, the password has got to change every time you use it. This means there has to be some form of synchronization that allows both you and the computer system to use the same, ever-changing password, without the computer having to transmit it to you each time by some insecure method such as email. You can see how this would work with a cellphone-based system: the computer system would generate the one-time password, send it to you in an SMS text message, and then allow you a certain time period to type it in before the password expired. A mail-based system works in essentially the same way, but the password would have to be valid for longer to allow for delays in transit (some banks will mail you a whole printed list of one-time passwords, called transaction authentication numbers or TANs, that you use and then strike out in sequence, matching a list of passwords stored on the computer system).
But how does the synchronization work if you have something like a security token generating one-time passwords for you? One method, called time synchronization, involves the token and the computer system both generating new one-time passwords based on a numeric version of the current time. They might take the time, say 5:08PM, turn it into a numerical code, 1708, then run it through a code generator and an algorithm (a mathematical process) called a hash function (or hash code) to generate a unique 10-digit code, which becomes your one-time password. As long as the token and the computer system have their clocks synchronized, the token will always generate a one-time password that matches the one the computer is looking for. But if the clocks get out of step, the token won't generate correct passwords anymore and will need to be reset.
A different method involves the computer system and the token starting with a shared number called a seed and generating a new one-time password using a constantly advancing counter. The first time a password is needed, the computer and the token use the counter number 0001 with the seed number to generate the password; some time in the future after lots of passwords have been generated, the counter might stand at 0299 inside both the computer and the token, so that number would be used with the seed to generate the password for the next time. This technique is called counter synchronization and doesn't suffer from the disadvantage of keeping clocks in step.
Photo: The Google Authenticator mobile app greatly increases the security of your Google Account. You download the app, set it up with your Google account details, then use it to generate a new security code every time you want to sign in—so, in this case, your mobile device ("something you have") becomes the second factor. When you want to log in to Google on your computer, you enter your Google user name and password on the usual login screen, then a second screen prompts you for the one-time security code generated by your mobile at that instant (the Authenticator app constantly generates new codes that are valid for only 60 seconds). If your password is compromised, it doesn't matter: only someone with your mobile device (and app) will be able to access your account. Google Authenticator is an example of two-factor authentication that uses time synchronization.
Who is using two-factor authentication?
It's early days so far and most websites are still relying on a basic combination of username and password (one-factor authentication) to grant or deny us access. Some sites, including PayPal, Amazon, and Google, have now introduced two-factor authentication as an option for customers who want the reassurance of added security. PayPal's Security Key system offers a choice between sending you one-time passwords in SMS messages or generating them with a token, while Amazon's AWS system uses inexpensive tokens supplied by Gemalto to generate its passwords (you can see one in the photo higher up this page). Google has an iPhone app called Google Authenticator that constantly generates either time-based or counter-based one-time codes every sixty seconds. Once you've enabled two-factor authentication for your Google account, you use the Authenticator to generate a new one-time code that you enter each time you sign in.
Online banks are also experimenting with a variety of different multi-factor authentication systems, including handheld card readers that generate one-time passwords using your credit-card number and PIN. In future, as more and more organizations introduce measures like this, we could find ourselves with a plethora of different dongles, tokens, and other security devices to control access to all the sensitive online systems we use—a veritable electronic keyring, in fact. But we'll also see criminals becoming increasingly sophisticated as they seek even more outlandish ways of cracking secure systems.
Photo: Many banks are now issuing two-factor authentication devices to customers to make online banking more secure. You put your bank card into the device, enter your PIN number, and it generates one-time passwords that you can enter into online banking websites. If you have accounts with several different banks, you don't need a card reader for each one. The banks have agreed a standard system between them, so you should find that a card issued by one bank will work in a card reader issued by any other bank. That's handy if you're away from home without a reader: you should be able to use a friend's.