by Chris Woodford. Last updated: February 10, 2021.
Every time you leave your home, you're probably very careful about locking all the doors and windows, maybe even switching on an intruder alarm if
you have one. You can't be too careful, right? But how careful are
you when it comes to securing your computer? Do you take pains to
choose complex passwords and not write them down where other people
can find them? Even if you do, isn't it just possible someone else
could hack into the systems you use and do all kinds of damage? Now
more and more people are moving their lives online, banks,
websites, and others are having to take security far more seriously,
no longer relying on simple passwords to keep intruders at bay. One
increasingly popular measure is called two-factor authentication,
and it's the online equivalent of a combination lock whose code keeps on
changing. How exactly does it work? Let's take a closer look!
Photo: Your computer and the online systems it gives you access to may be one of the most valuable things in your life, but how secure is it really?
Why online security isn't always secure
Most people now access all the important areas of their life—banking, shopping,
insurance, medical records, and so on—simply by sitting at their
computer and typing a username and password into a website. Getting
access to something this way is called one-factor authentication,
because you need to know only one thing to get into the system: the
combination of user name and password is like a single key to a
single lock. In theory, this kind of protection should be reasonably
secure; in practice, it's less and less trustworthy. Many people choose
trivial passwords that are easy to guess (like their partner's or child's name, their own name, or even the word "password"). Or they write passwords down on sticky notes stuck to the computer or let their web browser store passwords for
them. Lots of people use the same username and password across many
different websites (so a rogue user who steals your details from one
site can immediately get access to any other site you use). If you
regularly use cyber cafés, or computers at colleges or other public
places, there's a risk you could inadvertently store your password on
a machine someone else will use or forget to log out of a secure
Even if you're sensible with passwords, you're not necessarily as secure
as you think: your password can be stolen in all kinds of ways
you'd never even notice. It's possible for clever hackers to write
keystroke logging programs that sit quietly on your computer
remembering all the keys you press, including any passwords you
enter. Viruses, worms, and other kinds of malware (malicious software)
are often rumored
to install keystroke loggers like this on people's computers. In
theory, passwords can also be stolen in transit as they're being sent from
the user's web browser to the server that checks ("authenticates")
them—something known as a man-in-the-middle attack; malware
installed in your browser can capture passwords even more easily
(that's known as a man-in-the-browser attack). If you're using
a typical Wi-Fi (wireless Internet) setup, everything you type into
your browser is broadcast publicly for a distance of up to 100m (over
300 ft) as it travels through the air to the router that takes you
online. If your system doesn't use proper encryption, it's possible
(in theory at least) for any sensitive information going back and
forth between your computer and the Internet to be captured by an
electronic eavesdropper. And since passwords are often relatively
trivial, and computers are becoming faster and ever more
sophisticated, it's possible for hackers to use completely automated
methods to get access to online systems. In one well-known technique
known as a dictionary attack, a hacker can program a computer
to log into someone's system by brute force, trying a list of common
words (or names) as passwords, one after another, until it hits the right one by
Banks and other organizations prone to cyber crime make life harder for online
intruders and thieves by requiring users to enter more pieces of
information at signon. You might have to enter not just a username
and password, but also a memorable piece of information such as
your date of birth, the town where you were born, your pet's name, or
whatever it might be. That's more secure, but it still doesn't overcome
problems like keystroke loggers, insecure Wi-Fi, man-in-the-middle,
or dictionary attacks.
Artwork: Are you connecting securely? Whenever you're sending personal or confidential information to a website, check that it's using an https connection, which encrypts the back-and-forth dialogue between your web browser and the server that hosts the website it's talking to. Look in the browser's URL bar. The most secure websites use both authentication (the bank's name is clearly shown, proving they're who they say they are) and encryption (shown shown by the https part of the URL, a padlock that's typically colored green or yellow, or a message like "Secure" in some browsers); many websites use encryption alone. Note that https does nothing more than secure the connection between your browser and the server it's talking to. It does not make a website completely secure. For example, are there pages on the website that don't use https? How does the website store your information when it's collected and decrypted it? Who has access to your data? Are you forced to change your password quite frequently? Does the site use two-factor authentication? Using https is only one of the things a business needs to do to make its website secure.
What is two-factor authentication?
“... at Usenix's Enigma 2018 security conference in California, Google software engineer Grzegorz Milka today revealed that, right now, less than 10 per cent of active Google accounts use two-step authentication to lock down their services”
The Register, 2018
In the real world of bricks-and-mortar, banks try to secure their valuables by
putting them in vaults that have multiple security devices. A safe
might need two different sets of keys to open it, for example, with
each one held by a different, senior member of staff. Or it might
have a timelock that means it opens only between certain hours of the
day, whether you have the right keys or not. The online equivalent of
this is called multi-factor authentication (MFA) and it means
you have to pass distinctly different types of security check to get access to a
computer system. In theory, just as you could have a bank vault
secured by any number of keys and other security devices, so you
could have an online bank or shopping website secured by lots of
different security checks. In practice, most online systems that use
this extra security currently require you to sign in with a username
and password and satisfy one extra security check as well. Since
two separate checks are involved instead of the normal one, this is
often called two-factor authentication (2FA or TFA)
or two-step verification.
What is a one-time password?
Photo: Microsoft Live now gives you the option of signing in with a disposable, one-time password (or "single-use code," as they like to call it). How does it work? If you're using a public computer, you might prefer not to type in your normal password in case someone is looking over your shoulder (or you're worried about key logging). If you've registered your cellphone number with the site, you can click a link to have a single-use code sent to your phone, which you then enter in place of your password, as shown here.
So what's the extra check? Where signing into computer systems and websites is
concerned, it usually involves entering a disposable password, which is valid
only once and changes every time you sign-in. This is called a
one-time password (OTP) and a new one is generated fresh each
time you access the system. Typically a one-time password is a series
of meaningless numbers or characters or it might be a half dozen or
so short, random words. How do you know your one-time password if it
keeps changing? It's not something you're expected to remember: it's
generated automatically and sent to you by some method other than
online transmission. It might be sent to your cellphone (mobile
phone) as an SMS text message; it could be generated by an app
running on your phone or by a dedicated, handheld
electronic gadget called a security token; it might even be
printed out and mailed to you on paper, the good old-fashioned way.
Unlike a conventional password, which is "something you know" and
remember, your one-time password comes from "something you have"
and keep, such as a text message, a security token, or a piece of paper.
(In books and articles about computer security, you'll often see the two different "keys" that unlock a system
protected by two-factor authentication referred to as "something you know"
and "something you have.") Usually you have to type the one-time
password into the website or computer you're trying to access, though
some security tokens use wireless technologies (such as RFID) or plug
in to computers via USB sockets, automatically transfer a one-time
password without your having to bother about it, and grant you access
that way; a plug-in token like this is a bit like a computerized key that
unlocks the door to your system and is sometimes called a dongle.
Artwork: Some sites now use one-time password codes by default. When I go to sign into Outlook mail, for example, I'm not asked for my usual password. Instead, a code is immediately sent to my cellphone and I have to type that instead. I can still decline to sign in this way and use a conventional username and password if I want to, so this isn't as secure as two-factor authentication,
How are one-time passwords generated?
If a one-time password is going to give you access to a computer system,
the disposable password you hold in your hand obviously has to match
the password the computer has in its memory, just like a conventional
password. The only trouble is, the password has got to change every
time you use it. This means there has to be some form of
synchronization that allows both you and the computer system to use
the same, ever-changing password, without the computer having to
transmit it to you each time by some insecure method such as email. You can see
how this would work with a cellphone-based system: the computer
system would generate the one-time password, send it to you in an SMS text
message, and then allow you a certain time period to type it in
before the password expired. A mail-based system works in essentially
the same way, but the password would have to be valid for longer to
allow for delays in transit (some banks will mail you a whole
printed list of one-time passwords, called transaction
authentication numbers or TANs, that you use and then strike out in
sequence, matching a list of passwords stored on the computer
But how does the synchronization work if you have something like a security
token generating one-time passwords for you? One method, called time
synchronization, involves the token and the computer system both
generating new one-time passwords based on a numeric version of the
current time. They might take the time, say 5:08PM, turn it into
a numerical code, 1708, then run it through a code generator and an algorithm (a
mathematical process) called a hash function
(or hash code) to generate a unique 10-digit code, which becomes your one-time password. As long as the token and the computer
system have their clocks synchronized, the token will always generate
a one-time password that matches the one the computer is looking for.
But if the clocks get out of step, the token won't generate correct
passwords anymore and will need to be reset.
Photo: The Google Authenticator mobile app greatly increases the security of your Google Account. You download the app, set it up with your Google account details, then use it to generate a new security code every time you want to sign in—so, in this case, your mobile device ("something you have") becomes the second factor. When you want to log in to Google on your computer, you enter your Google user name and password on the usual login screen, then a second screen prompts you for the one-time security code generated by your mobile at that instant (the Authenticator app constantly generates new codes that are valid for only 60 seconds). If your password is compromised, it doesn't matter: only someone with your mobile device (and app) will be able to access your account. Google Authenticator is an example of two-factor authentication that uses time synchronization.
A different method involves the computer system and the token starting with a
shared number called a seed and generating a new one-time password
using a constantly advancing counter. The first time a password is
needed, the computer and the token use the counter number 0001 with
the seed number to generate the password; some time in the future
after lots of passwords have been generated, the counter might stand
at 0299 inside both the computer and the token, so that number would
be used with the seed to generate the password for the next time.
This technique is called counter synchronization and doesn't
suffer from the disadvantage of keeping clocks in step.
Who is using two-factor authentication?
It's early days so far and most websites are still relying on a basic
combination of username and password (one-factor authentication) to
grant or deny us access. Some sites, including PayPal, Amazon,
and Google, have now introduced two-factor authentication as an option for
customers who want the reassurance of added security. PayPal's
Security Key system offers a choice between sending you one-time
passwords in SMS messages or generating them with a token, while
Amazon's AWS system uses inexpensive tokens supplied by Gemalto to
generate its passwords. Google has an app called Google Authenticator that constantly generates
either time-based or counter-based one-time codes every sixty seconds. Once you've enabled two-factor authentication
for your Google account, you use the Authenticator to generate a new one-time code that you enter
each time you sign in. (One minor drawback is that if you have two phones/tablets or other devices,
you have to set them up together, in a synchronized way, or they won't generate the same one-time code.
You can't add an extra device later without resetting the others you already own.)
Photo: Many banks are now issuing two-factor authentication devices to customers to make online banking more secure. You put your bank card into the device, enter your PIN number, and it generates one-time passwords that you can enter into online banking websites. If you have accounts with several different banks, you don't need a card reader for each one. The banks have agreed a standard system between them, so you should find that a card issued by one bank will work in a card reader issued by any other bank. That's handy if you're away from home without a reader: you should be able to use a friend's.
Online banks are also experimenting with a
variety of different multi-factor authentication systems, including
handheld card readers that generate one-time passwords using your
credit-card number and PIN. In future, as more and more organizations
introduce measures like this, we could find ourselves with a plethora
of different dongles, tokens, and other security devices to control
access to all the sensitive online systems we use—a veritable
electronic keyring, in fact. But we'll also see criminals becoming
increasingly sophisticated as they seek even more outlandish ways of
cracking secure systems.