Two-factor authentication, or 2FA, has been around for some time. Usually this refers to using an SMS code as an extra step to log into your account. However, the term has been changed to “Multi-factor authentication”. What is the difference?
Password authentication is null
Before two-factor authentication became a thing, the world worked with passwords. Passwords are still widely used today because they are very useful for most people – a short, easy-to-remember phrase that gives you access to your protected services.
But passwords pose a number of practical security concerns. The main problem is that you entrust your password to a lot of random third parties, which runs the risk of your password hash being stolen in a data breach. If you have a long, good password you should be safe, but a lot of people have terrible passwords. On top of that, many people re-use the same password, which means that a data breach at one company could affect your account on a different service.
Even if everything else is ignored, a password is a single string that gives access to your account. Anyone in possession of this channel can act and perform actions like you. A single point of failure is never a good idea.
A solution was therefore provided, called “Two-factor authentication”. Everyone has a phone; in many ways, the device in your pocket identifies you publicly. So the idea is simple: you will receive an SMS with a short code on your phone every time someone tries to connect. Without the code, the attacker is locked out. If a hacker stole your password and wanted to log into your account, they won’t be able to do so without having access to your phone.
The “two factors” in 2FA are your password and the code sent to your phone. Without access to both factors (not one or the other), no one can access your account.
But two-factor authentication also has problems
While 2FA is great for locking out accounts and has worked quite well, many implementations of it have their own issue. Because 2FA relies on SMS to send codes, it’s not really a “password + phone” combo that allows you to access your account, it’s “password + phone number” .
This is a problem because it is incredibly easy to steal someone’s phone number with a SIM swap attack. It works like this: a determined attacker wants to access your account, so they search and find your phone number and possibly your birthday. With these two things, they can go to the phone service provider’s store and buy a new phone. Most of the time the employees of these stores are unaware of this security risk and by default they just ask you for your birthday. All the attacker has to do is lie and he walks out of the store with your phone number on his SIM card. It’s not just theoretical – it happened to me personally when I upgraded my phone at Verizon. They didn’t ask for my birthday, any identifiable information, or even my old phone. I gave them my phone number to redeem, but it could easily have been yours.
Of course, the attacker will still need your password to access your account, but many services will also use your phone as a recovery device. Even without your password, an attacker could choose to reset it, send the recovery code to your phone (which is now their phone), and unlock your account, all without knowing either of your two factors.
“Multi-Factor Auth” solves all these problems
The fix for this is pretty straightforward. Rather than using text messages to send codes to your device, you’ll instead download an “Authenticator app” and securely link it to your account. Instead of receiving a code, you simply enter the code displayed in the app, which will change every 30 seconds or so. Otherwise, it’s the same as 2FA; no phone, no access.
Under the hood, this uses a Time-Based One-Time Access Code (TOTP), which is very secure. You and the service exchange secrets when associating the app with your account. This secret is used as a seed for a random number generator, which generates unique codes every 30 seconds. Since you and the server are linked, you will have identical codes and no one else will be on the same page without knowing the secret you have exchanged. That alone solves the problem of SIM swapping, because the secret is related to the phone, not the phone number.
TOTP applications are just one example of an MFA factor. The term is a generalization, used to apply to any type of authentication with two or more steps. MFA is a newer and more inclusive term that is typically used by services that support TOTP applications and other authentication factors. While the term “Two-Factor Authentication” can still technically be applied to remote control and password, it usually still refers to SMS.
MFA factors generally fall into one of three categories:
Something the user knows, such as passwords or PIN codes
Something the user has, such as a phone or a key ring
Something the user is, like facial recognition or fingerprint
Among these, key authentication (a) is the most common, after TOTP applications. These are physical devices (similar to flash drives) that you connect to your device when you connect:
They contain a certificate that verifies your identity. Essentially, it’s an SSH certificate on an easy-to-access key, which is very secure, even more so than your average SSH key because they don’t exist on a device connected to the internet. Theoretically, there is no way to break the keychain authentication, unless you physically steal the keychain, which is highly unlikely, or remove the door itself, which cannot be prevented anyway.
It should be noted that multi-factor authentication is not always completely secure. Sometimes password recovery can still bypass it, depending on the service. For Google in particular, accounts locked out with authenticator apps can always be reset this way. If you’re using a Google account for business services or really want your email locked, you must activate Google’s “Advanced protection”, which requires a keychain and solves this problem.