2 Factor Authentication

2 Factor Authentication – A Primer


As people and companies have become more aware of the risk of having many log-ins for many applications, stronger authentication methods have been introduced over the years. Two-factor authentication isn’t new, but it has steadily improved and absorbed new techniques, which has made it a favorite security measure of many companies and end-users.

What is 2 Factor Authentication?

2 Factor Authentication is a security method that requires proof from two different factor classes, which makes it far harder for an attacker to compromise an account with a single stolen credential. A common example is receiving a PIN code via SMS that you must enter during the login process in addition to your password. The factor classes are:

  • A phone or hardware token (something you have) – An example is an RSA SecurID token, which displays a new number on its LCD every 60 seconds. These are not foolproof: in 2011 attackers stole SecurID seed data from RSA itself, which undermined the tokens without breaking the algorithm.
  • A password or PIN (something you know) – A PIN is typically a 4-6 digit number, like the one for a bank card. The weakness of a PIN is that such a short numeric code is easy to guess or brute-force if attempts are not rate-limited.
  • Biometric identification (something you are) – Fingerprint, voice or retina scanners are examples. Users often find these frustrating because of false rejections, and unlike a password, a compromised biometric cannot be changed.

Why it Works

By combining two of the factor classes, such as your fingerprint + a PIN, an extra layer of security is added. An attacker may steal your password, for example, but they didn’t steal your fingerprint. Companies that rely on two-factor authentication are far less exposed, because a stolen employee password alone no longer grants access: the attacker will usually not also hold the second factor, such as a token device.

Terms to Know

  • The generic term is “multi-factor” authentication (two or more classes), sometimes called “strong” authentication.
  • Two-factor may be abbreviated as TFA, 2FA, or T-FA.
  • Two-step verification (2SV) is also commonly used, usually for the same thing, although strictly the two steps need not come from different factor classes.
  • Combining a password + PIN does not count as 2FA, because both are “something you know”.

Two-Factor Methods

There are several two-factor methods to be aware of:

  • TOTP – Time-based One-Time Passwords (RFC 6238, published in 2011) extend HMAC-based One-Time Passwords (HOTP, RFC 4226) by deriving the counter from the clock. Each code is valid only for one time step, 30 seconds by convention, so a stolen code is useless to an attacker almost immediately.
  • Hardware Tokens – Hardware tokens are one of the most common forms of two-step authentication. These are small devices that display a new code every 30 or 60 seconds. They can typically be attached to a keychain for easy carrying.
  • SMS – If a service runs its own 2FA without TOTP, it typically delivers a passcode to your phone by SMS. The practical drawbacks are the cost of receiving SMS for some people, the chance of traveling internationally without cellphone service, and the fact that a text message can be intercepted or redirected (see below). A familiar example is Apple’s two-factor authentication, which displays a six-digit verification code on the Apple devices you are already signed in to and requires it when you sign in on a new device, falling back to SMS or a phone call to a trusted number if none of those devices are reachable.
  • Phone Calls – Historically a common method for verifying ownership of a particular phone number. An automated phone system asks you to accept a log-in, or to enter a PIN that is provided to you before or during the call.
  • Other Forms – Mobile apps that approve a log-in through a “push” notification, location checks via GPS, biometric data, and smart cards are all other forms of two-factor authentication.


Which Method is Easiest?

SMS can be regarded as the easiest because of its ease of use: it is widely understood and used worldwide, requires no extra hardware besides your phone, and typically needs no internet connection. Keep in mind, though, that SMS is not end-to-end encrypted: a code can be read in transit, and an attacker who takes over your phone number (a SIM swap) receives it instead of you.

Implementation

How you deploy two-factor authentication depends on the type you choose.

  • With an on-premises product such as RSA SecurID, an authentication server is joined to your company’s network and acts as the central point for handling authentication requests.
  • With cloud services, the account is hosted on the provider’s servers on the internet, and your systems call out to it.

Whichever method you choose, you’ll usually need to write code that handles the 2FA step, or install vendor-supplied agents. Many 2FA services provide off-the-shelf integrations (for example a PAM module or a RADIUS interface) that let their platform work with existing software such as SSH or a VPN. Some providers also offer a development kit or API.

Cryptography

  • TOTP / HOTP codes are generated with an HMAC. HOTP (RFC 4226) specifies HMAC-SHA-1; TOTP (RFC 6238) permits HMAC-SHA-1, HMAC-SHA-256 or HMAC-SHA-512. The HMAC output is truncated to a few decimal digits, so a code reveals only a fraction of the MAC and nothing about the secret.
  • “Push” mobile apps use public-key cryptography. The phone generates a key pair (RSA or elliptic-curve) at enrollment and keeps the private key; the public key is registered with the service. When you approve a log-in, the phone signs the service’s challenge and the service verifies the signature with the stored public key.

These methods require a secret, such as a “seed” value, which produces the unique output for a token’s algorithm. This secret is critical to the 2FA method and causes serious problems if compromised, because whoever holds the seed can generate the same codes as the token. For example, after its 2011 breach RSA had to offer replacements for a reported 40 million SecurID tokens.
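The push flow described above, as an added example in Go (this is not the page’s own code nor any vendor’s protocol): the phone keeps an Ed25519 private key, the service keeps only the public key, and each approval signs a single-use challenge that names what is being approved. Ed25519 stands in for the RSA key pair the page mentions because Go’s standard library provides it; the Challenge, Phone and Server types, the 60-second lifetime and the log-in context string are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Challenge is what the service pushes to the phone. Context is shown to the
// user before they approve and is part of what gets signed, so an approval
// cannot be transplanted onto a different login attempt.
type Challenge struct {
	Nonce   [16]byte // random and single-use: binds the approval to one attempt
	Issued  int64    // unix seconds; the approval is only good for a short window
	Context string   // hypothetical, e.g. "login to example.com from 203.0.113.5"
}

// encode is the canonical byte string that both sides sign and verify.
func (c Challenge) encode() []byte {
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(c.Issued))
	buf := append([]byte{}, c.Nonce[:]...)
	buf = append(buf, ts[:]...)
	return append(buf, c.Context...)
}

// Phone holds the private key generated on the device at enrollment.
// It never leaves the device; only PublicKey() is sent to the service.
type Phone struct{ priv ed25519.PrivateKey }

func NewPhone() (*Phone, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Phone{priv: priv}, nil
}

func (p *Phone) PublicKey() ed25519.PublicKey {
	return p.priv.Public().(ed25519.PublicKey)
}

// Approve is what happens when the user taps "yes": the phone signs the
// challenge exactly as received and returns the signature to the service.
func (p *Phone) Approve(c Challenge) []byte {
	return ed25519.Sign(p.priv, c.encode())
}

// Server keeps the enrolled public key plus the challenges still awaiting a
// response, keyed by nonce.
type Server struct {
	pub     ed25519.PublicKey
	pending map[[16]byte]Challenge
	ttl     time.Duration
}

func NewServer(pub ed25519.PublicKey, ttl time.Duration) *Server {
	return &Server{pub: pub, pending: map[[16]byte]Challenge{}, ttl: ttl}
}

// NewChallenge runs after the password check succeeds; the result is pushed
// to the phone. The clock is a parameter so the flow is testable.
func (s *Server) NewChallenge(context string, now time.Time) (Challenge, error) {
	var c Challenge
	if _, err := rand.Read(c.Nonce[:]); err != nil {
		return Challenge{}, err
	}
	c.Issued = now.Unix()
	c.Context = context
	s.pending[c.Nonce] = c
	return c, nil
}

// Verify completes the login. Each check is a distinct failure mode: unknown
// or already-used nonce (replay), altered fields (tampering), stale challenge
// (expiry), and a signature that does not verify (wrong or missing private key).
func (s *Server) Verify(c Challenge, sig []byte, now time.Time) error {
	stored, ok := s.pending[c.Nonce]
	if !ok {
		return errors.New("unknown or already-used challenge")
	}
	delete(s.pending, c.Nonce) // single use, whether or not verification succeeds
	if !bytes.Equal(stored.encode(), c.encode()) {
		return errors.New("challenge does not match what was issued")
	}
	if now.Sub(time.Unix(c.Issued, 0)) > s.ttl {
		return errors.New("challenge expired")
	}
	if !ed25519.Verify(s.pub, c.encode(), sig) {
		return errors.New("signature does not verify against enrolled key")
	}
	return nil
}

func main() {
	phone, _ := NewPhone()
	server := NewServer(phone.PublicKey(), 60*time.Second)
	c, _ := server.NewChallenge("login to example.com from 203.0.113.5", time.Now())
	fmt.Println("approval accepted:", server.Verify(c, phone.Approve(c), time.Now()) == nil)
}
```

The nonce is deleted before any other check so that a captured approval cannot be replayed even if it was originally rejected, and the context is inside the signed bytes so that an attacker who triggers a push for their own login attempt cannot reuse the user’s approval of a different one.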

How Google Authenticator Works

First install Google Authenticator on your phone (Android 2.1 or later; the app is also available for iOS). Then link the app to your account, either by scanning a QR code or by typing in a secret key. With a QR code, the site displays the code on your computer screen and you scan it with the Google Authenticator app on your phone. With a secret key, you add the account manually in the app and type in the key shown on your computer screen; make sure you choose a time-based key rather than a counter-based one, or the codes the app produces will not be the ones the site expects.
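The code generation from the Cryptography section and the enrollment step just described, as an added example in Go (not the page’s code and not Google Authenticator’s own implementation): HOTP per RFC 4226, TOTP per RFC 6238 with the SHA-1/256/512 variants, the otpauth:// key URI that the QR code carries (the same data you type in as a “secret key”), and the server-side check with a one-step drift window and replay protection. The RFC test secret, the issuer/account names and the 30-second step are assumptions; the RFC secret is for testing only.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"hash"
	"net/url"
	"strings"
	"time"
)

// b32 is the unpadded base32 alphabet used for secrets in otpauth:// URIs.
var b32 = base32.StdEncoding.WithPadding(base32.NoPadding)

// hashFor maps the algorithm name carried in the URI to its constructor.
// HOTP (RFC 4226) is SHA-1 only; TOTP (RFC 6238) also permits SHA-256/512.
func hashFor(alg string) func() hash.Hash {
	switch strings.ToUpper(alg) {
	case "SHA256":
		return sha256.New
	case "SHA512":
		return sha512.New
	default:
		return sha1.New
	}
}

// HOTP: HMAC over the 8-byte big-endian counter, "dynamic truncation" picks
// 4 bytes at the offset given by the last nibble, and the 31-bit result is
// reduced to the requested number of decimal digits.
func HOTP(secret []byte, counter uint64, alg string, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(hashFor(alg), secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := uint32(sum[off]&0x7f)<<24 | uint32(sum[off+1])<<16 |
		uint32(sum[off+2])<<8 | uint32(sum[off+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP: the counter is the number of whole time steps since the Unix epoch.
func TOTP(secret []byte, unix int64, step int64, alg string, digits int) string {
	return HOTP(secret, uint64(unix/step), alg, digits)
}

// VerifyTOTP is the server side: accept the current 30-second step or one
// either side (clock drift), compare in constant time, and refuse any step at
// or before the last one consumed so a code cannot be replayed in its window.
// lastUsed is -1 for a never-used secret; the caller persists the returned step.
func VerifyTOTP(secret []byte, submitted string, now int64, lastUsed int64) (bool, int64) {
	cur := now / 30
	for _, d := range []int64{0, -1, 1} {
		step := cur + d
		if step <= lastUsed {
			continue
		}
		want := HOTP(secret, uint64(step), "SHA1", 6)
		if hmac.Equal([]byte(want), []byte(submitted)) {
			return true, step
		}
	}
	return false, lastUsed
}

// ProvisioningURI is what the QR code encodes (the Key URI format read by
// Google Authenticator); entering the base32 secret by hand is the same data.
func ProvisioningURI(issuer, account string, secret []byte, alg string) string {
	q := url.Values{}
	q.Set("secret", b32.EncodeToString(secret))
	q.Set("issuer", issuer)
	q.Set("algorithm", strings.ToUpper(alg))
	q.Set("digits", "6")
	q.Set("period", "30")
	return "otpauth://totp/" + url.PathEscape(issuer+":"+account) + "?" + q.Encode()
}

// ParseProvisioningURI is the authenticator app's side of enrollment; it
// rejects anything that is not a time-based key.
func ParseProvisioningURI(uri string) (secret []byte, alg string, err error) {
	u, err := url.Parse(uri)
	if err != nil {
		return nil, "", err
	}
	if u.Scheme != "otpauth" || u.Host != "totp" {
		return nil, "", fmt.Errorf("not a time-based key: %s", uri)
	}
	secret, err = b32.DecodeString(strings.ToUpper(u.Query().Get("secret")))
	if err != nil {
		return nil, "", err
	}
	if alg = u.Query().Get("algorithm"); alg == "" {
		alg = "SHA1"
	}
	return secret, alg, nil
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test secret, assumed here
	uri := ProvisioningURI("Example", "alice@example.com", secret, "SHA1")
	fmt.Println(uri)
	s, alg, _ := ParseProvisioningURI(uri)
	fmt.Println("current code:", TOTP(s, time.Now().Unix(), 30, alg, 6))
}
```

Two details matter in practice: the comparison uses hmac.Equal rather than ==, and the last accepted step is stored so that a code observed over the shoulder (or in an unencrypted SMS) cannot be submitted a second time inside the same window.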

Why 2-Factor Authentication Often Fails

Many current 2-factor deployments are cumbersome and complex. Because there are so many 2FA methods, some are more susceptible to attack than others. Problems also arise when a user loses their token device and is locked out of every application tied to it, unless recovery codes were issued at enrollment.

The solution is ease of use, such as the 2FA provided by Onion ID. Onion ID Password Management offers features such as automated refreshes, the ability to share accounts securely with invisible 2-factor support, and the storage of credentials in your private cloud or data center.

As you can see, two-factor authentication is not particularly difficult to set up and maintain. It’s a worthwhile security measure for companies or individuals that have sensitive information to keep private. 2FA greatly raises the cost of brute-force and other scripted attacks, provided the service rate-limits code attempts, and it is defeated only when the second factor itself falls into the wrong hands, whether through physical theft of the device, takeover of the phone number, or a phishing page that relays the one-time code in real time. It remains one of the most effective protections for a login that exists.

Onion ID uses 2FA in a way that makes it almost invisible to the end user, so they won’t be irritated or annoyed trying to get authenticated. Here is an example video you can check out for gotomeeting, showing how they use 2FA to log into their meetings. https://www.youtube.com/watch?v=Y0XZgcoutk8

Contact us today to get started and keep you secure!
