We increasingly see discussions about internet security, and a recurring term in these discussions is 2FA, also known as "two-factor authentication". But do you know exactly what it is?
The history of this security method is somewhat uncertain, but there is a patent dated 1984 citing an "apparatus for generating and comparing unpredictable codes".
Two-factor authentication exists in several different formats, some very secure and some not so much.
Authentication via SMS
This is a very popular method, relatively practical, but not very secure. SMS authentication consists of receiving a unique, random code via SMS to use with a given service. It is widely used by banks, various online services and even Caixa's own emergency aid.
Despite being widely used, avoid this method whenever possible, for the following reasons:
- Your SIM card can easily be moved to another device, giving whoever holds it access to the codes;
- Criminals can obtain a SIM card with your number from the operators' stores using persuasion or bribery;
- SMS can be intercepted using a flaw in the SS7 protocol.
2FA via apps
One of the simplest ways to use 2FA securely is through authentication applications. Several applications do this job; among the best known are Authy, Google Authenticator and Microsoft Authenticator, in addition to password managers like 1Password, Dashlane, Bitwarden and several others.
The procedure is similar in all of these applications: you scan a QR code (or enter the secret manually) once, and each time the service asks for the 2FA code, you copy the code shown in the chosen application.
The code is generated by an algorithm called TOTP (Time-based One-time Password algorithm, or in Portuguese, "Algoritmo de Senha Única Baseado em Tempo"). This algorithm combines a secret key, shared between the app and the service, with the current time of the device, producing a unique, random-looking code. This means the two devices must have their clocks synchronized.
Hardware authentication
A less common but much more secure method is hardware authentication. In this format, a device similar to a USB stick is used, and each time a service requests the code, you plug the device into your computer or phone.
This method uses the U2F standard (Universal Second Factor, or in Portuguese, "Segundo Fator Universal"), and the most popular devices are those from Yubico.
Authentication via email
Another method that some services use is authentication via e-mail. It is very similar to authentication via SMS; the only difference is that instead of receiving the code in a text message, it is sent to your e-mail address.
The security level of this method depends on the e-mail service used, which may be more or less secure depending on whether it uses encryption or other security mechanisms.
Which method to choose
The answer to this question can vary widely. Some services only support authentication via SMS, as is the case with Pinterest. In these situations, there is not much to be done.
If the service supports other methods and you prefer convenience, opt for authentication through applications. Just check whether the application you are going to use has a backup feature, in case your device is lost or stops working, so you do not risk losing access to all your accounts.
If you are one of those people who want maximum security, hardware authentication is the ideal solution. These devices are usually priced in dollars, so it can be a bit expensive, but it is worth it.
Until next time!