We all know the importance of protecting the personal data that we must use in the increasing number of online services. While password security offers some protection, two-factor authentication greatly enhances it.
By definition, authentication is a control procedure that consists of verifying and validating the identity of an entity that requests access to a network, a computer system or software.
To strengthen it, you add factors: the more there are, the more secure the authentication will be.
To do this, authentication uses something we know (a password), something we have (a mobile device) and something we are (a fingerprint or a retinal image). The big problem with fingerprints and retinal images is that if an attacker obtains a digital copy of them, they are compromised forever, whereas a password, although less secure, is easy to change.
In most cases, two-factor authentication (2FA) uses a password and a mobile device on which a dedicated application generates a six-digit code that changes every 30 seconds.
How are the codes generated?
After entering your username and password, you have 30 seconds to enter the code generated by the authenticator application, which must match the one computed by the service you are connecting to.
The most popular mobile apps are Google Authenticator, Authenticator (from Microsoft) and Authy. There is also room on my phone for OneAuth, from Zoho.
If you prefer a 2FA app that is not tied to a large group, FreeOTP is available for iPhone (iOS) and Android phones.
Each authenticator app can manage multiple online services that use it, for example Facebook, Uber and so on.
Even video game publishers use them, such as Epic Games for their popular game.
Without going into the cryptographic details, the codes are not really random: they are generated by a time-based algorithm from the secret key and the current time interval.
For this to work, the clocks of the mobile device and the server must be roughly in sync, and the code generated depends on the number of time periods that have elapsed. A great advantage of 2FA algorithms is that you can generate the code to unlock a service even when you are offline, a thousand leagues from a cell tower or your router, because the key is stored on your device.
Therefore, for 30 seconds you can be sure that the code shown on your screen matches the one the server's algorithm computes.
To start with, a QR code
If a site offers this type of 2FA, it will show you a QR code containing the secret key, which you only need to scan with the authenticator app.
If you have multiple phones, you can scan it multiple times; you can also save the image in a safe place or print it if you need a backup.
Thereafter, your application generates a 6-digit code every 30 seconds.
Not everything is perfect …
The disadvantage of 2FA: if your phone is dead or stolen, access to your services is impossible, unless you use one of these alternatives:
- Have a copy of the original QR code handy;
- Have the emergency codes of the service saved or printed from the beginning;
- Or you have enabled SMS authentication on the service.
That said, 2FA is not hack-proof, despite its effectiveness. According to the site TUBE, a dozen stratagems can be used to get hold of your data.
For example, a man-in-the-middle attack, which consists of intercepting communications between two parties: here the attacker tricks you into visiting their fraudulent website, which asks you for your 2FA credentials. If they succeed, it is over for you.
This video in English proves it in six minutes.
And don’t forget to export your accounts.
We don’t think about it, but we all end up replacing our devices one day or another, and the accounts managed by your authenticator app won’t be magically transferred.
For this, 2FA applications allow you to export accounts. For example, by tapping the three dots in the upper right corner, the Google Authenticator app offers to export up to 10 accounts at a time.