
What is two-factor and multi-factor authentication?
Dual authentication, or two-factor authentication (2FA), is a security process that requires a user to provide a second authentication factor, such as a code received by text message, in addition to a password (the first factor) to verify their identity and access their account.
Multi-factor authentication (MFA) requires a user to provide multiple authentication factors before they can log in to their account.
Why use two-factor authentication?
Dual authentication is necessary because it provides a higher level of security than authentication methods that rely on a single factor (usually a password or PIN).
If a hacker steals the password of an account protected by two-factor authentication, they will still not be able to access the user’s online account or mobile device without the second factor required for that account, such as a fingerprint or an SMS verification code.
The French National Agency for Information Systems Security (ANSSI) recommends matching the strength of authentication to the sensitivity of the data and the significance of the threat:
| Example of a context | Sensitivity of the data or service | Significance of the threat | Method of authentication |
|---|---|---|---|
| Tennis court reservation system | not very sensitive | low (reservation change) | password |
| Advertising website | moderately sensitive | medium (interruption or defacement of the site) | strong password |
| Professional messaging | sensitive | medium (service interruption, compromise of sensitive business information, whether industrial, financial, competitive, etc.) | strong password + second factor |
| Administration information system | very sensitive | critical (complete compromise of the information system) | strong multi-factor (e.g. smart card and PIN code) |
For myself, whenever I have the opportunity to enable two-factor authentication on any of my new online accounts, I do so immediately after generating a new strong password with a password manager.
How does dual authentication work?
Once dual authentication is enabled on your account, the process will look like this when you log into your account online:
- You first enter your password;
- The website or application then asks you for a security code or to connect a device, depending on the type of authentication;
- Once both steps are validated, you can access your account online.
Common types of dual authentication
Two-factor authentication via SMS
An SMS containing a one-time code is sent to the user to verify their identity. This method is no longer recommended because SMS codes can be intercepted, for example by an attacker who obtains a duplicate of the victim’s SIM card.
In 2019, the Twitter CEO had enabled two-factor authentication via SMS on his account, but cybercriminals managed to hack his Twitter account. They were able to retrieve his password and a duplicate of his SIM card (Source: CNN).
To avoid this problem, a more secure form of two-factor authentication should be used.
Unfortunately, some services only offer SMS verification. Most smartphones today are dual SIM, so one way to reduce the risk is to use a separate SIM card: one for your personal life and another used only to secure certain online accounts.
I would like to point out that it is safer to use a password with SMS 2FA than to use a single password.
Two-factor authentication via email
An email containing a unique code is sent to the user. This verification may be relevant if your email is well secured, i.e. protected by a strong password and secure two-factor authentication.
Two-factor authentication with a mobile application
A one-time code, called a token, is generated every 30 seconds by the authenticator app from a secret shared with the service when the app is set up. Because the code never travels over the mobile network, this two-factor authentication is more secure than SMS 2FA.
However, this verification is not perfect. Two-factor authentication with a mobile application can also be compromised by malware. In 2020, malware called Cerberus stole 2FA codes from the Google Authenticator app on Android smartphones (Source: Wikipedia).
For my part, I see two ways to guard against this threat:
- Use a paid antivirus to further protect your information on your smartphone and lock your critical apps like Google Authenticator with a password, fingerprint or facial recognition (iPhone only). I don’t know if it’s enough, but we’re doing our best 😅;
- Use a two-factor security key.
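To make the 30-second token concrete, here is an added example (not code from this article or from any of the authenticator apps it names) of how such a code is computed and checked: the "configuration key" that Gmail shows during setup is the base32-encoded shared secret, and the service verifies the submitted code against the current 30-second window plus a small tolerance for clock drift. The secret below is a constructed test value (the RFC 6238 reference seed), not a real account key.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed example: the base32 "configuration key" shown during setup.
# This is the RFC 6238 reference seed (ASCII "12345678901234567890"), not a real key.
CONFIG_KEY_BASE32 = base64.b32encode(b"12345678901234567890").decode()


def totp_code(base32_secret: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Return the time-based one-time code for the given Unix time (RFC 6238, HMAC-SHA1)."""
    padded = base32_secret.upper() + "=" * (-len(base32_secret) % 8)
    secret = base64.b32decode(padded)
    counter = unix_time // step                      # which 30-second window we are in
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter (RFC 4226)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_code(base32_secret: str, submitted: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Server-side check: accept the current window and +/- skew_steps neighbouring
    windows (clock drift), comparing in constant time so a partial match leaks nothing."""
    for drift in range(-skew_steps, skew_steps + 1):
        expected = totp_code(base32_secret, unix_time + drift * 30)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    print("Configuration key:", CONFIG_KEY_BASE32)
    print("Code for the current window:", totp_code(CONFIG_KEY_BASE32, now))
```

A code is only ever valid for its own 30-second window (plus the configured tolerance), which is why a stolen code is useless a minute later but a stolen configuration key is permanent.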
Two-factor authentication with a physical security key
This two-factor authentication is much more secure than the other authentications I’ve presented because the hacker can’t compromise your USB security key with malware when the validation is purely physical. The user must insert the physical key into their computer to access their account.
Some physical security keys also work with Bluetooth or a fingerprint. However, in 2019, a security flaw was discovered in Google’s security key at the Bluetooth level, and Google was forced to replace the faulty key (Source: The Verge).
The best multi-factor authentication applications

Google Authenticator is the most popular two-step verification code generator for smartphones. It works on Android and iOS.

Authy Authenticator is also a secure two-step verification token generator for smartphones and computers. This software is cross-platform (Android, iOS, macOS, PC, Linux).
Source: https://authy.com
The Microsoft Authenticator application is a great alternative to Authy Authenticator and Google Authenticator.
The best multi-factor authentication security keys

Yubico was founded in Sweden in 2007 with the goal of simplifying authentication and making it accessible to everyone. It is the maker of the famous YubiKey. Today, the company is the world leader in secure key authentication.

To help secure your digital life with strong two-factor authentication, Google offers a package of two physical keys with USB, NFC, and Bluetooth technologies. The package includes a primary key and a backup key in case you lose one.
Enable dual authentication with a mobile application on Gmail
Step 1: Open your Google Account and click on “Manage your Google Account”.

Step 2: Click on “Security” in the left column.

Step 3: Click on “2-Step Verification” under “Signing in to Google”.

Step 4: Click on “GET STARTED”.

Step 5: Enter your password and click “Next”.

Step 6: Enter your phone number and click “Next”.

Step 7: Enter the code you received by SMS and click “Next”.

Step 8: Click on “TURN ON”.

Step 9: Click on “Authenticator app”.

Step 10: Click on “Set up authentication app”. If you downloaded Authy Authenticator, scan the QR code, click “Next”, and enter the token shown in Authy. If you downloaded Google Authenticator, click on “Can’t scan it?”.

Step 11: If you chose the second option, keep the configuration key safe, enter this key manually in the Google Authenticator app, click “Next”, and then enter the token shown in Google Authenticator.

Step 12: Click on “Voice or text message” and enter your password.

Step 13: Click on the “delete icon” and confirm your action.

Step 14: Two-factor authentication with mobile notification is enabled by default.

Warning:
If you use the Google Authenticator application, there are two ways to protect your information:
- I strongly recommend that you save the recovery key, as it can be considered a second password. If you lose your phone, the key will allow you to restore your information to Google Authenticator;
- You also have the option to scan the QR code with at least two different devices (for example, your primary phone and another as a backup).
These recommendations are not to be taken lightly, because if you don’t have a backup, Google can’t help you: your recovery key is encrypted locally on your phone (Source: Authy).
If you use Authy Authenticator, your recovery key is encrypted in the cloud. So you don’t need to keep the recovery key yourself. However, I recommend installing Authy Authenticator on a different device.
Unfortunately, some services do not allow you to keep the recovery key, such as the Degiro broker.
Enable dual authentication with a physical security key on Gmail
Step 1: Go to the “2-Step Verification” section, then click on “Security Key”.

Step 2: Click on “Add security key”, insert your USB security key into your computer and press the button.

Step 3: Give your key a name and then click “Next”.

Step 4: The key has been added.

Step 5: Two-factor authentication with a security key is enabled by default. If you want to log in to your email only with a security key, you will need to remove the other two-step verification methods (in our example, two-factor authentication with mobile notification). You will also need to add a second key to your Gmail account.

Warning:
If you choose this verification, I recommend that you buy the device from the manufacturer’s official website and not a used one, as you don’t want the device to be compromised.
If you choose to use a YubiKey, I suggest you buy at least two keys (a primary YubiKey and a secondary backup). Google provides two security keys by default.
Enable dual authentication on an online account
In most cases, you will need to go to the “Security” section of the account settings to enable 2FA. The 2FA.directory website lists online accounts and mobile applications that support 2FA and which methods each one offers (Source: https://2fa.directory).
Conclusion
Dual authentication is a great way to increase the security of your online accounts and mobile applications.
For most people, I think it would be more relevant to use authentication with a mobile notification because this option offers the best ratio of simplicity and efficiency to secure your digital life.
Personally, this is the solution I prefer to use and recommend most of the time.