And why aren’t passwords good enough?
Before addressing the question ‘what is two-factor authentication’ or ‘what is 2FA,’ let’s consider why it’s important to do everything you can to improve your online account security. With so much of our lives happening on mobile devices and laptops, it’s no wonder our digital accounts have become a magnet for criminals. Malicious attacks against governments, companies, and individuals are more and more common. And there are no signs that the hacks, data breaches, and other forms of cybercrime are slowing down!
Luckily, it’s easy for businesses to add an extra level of protection to user accounts in the form of two-factor authentication, also commonly referred to as 2FA.
Rise in Cybercrime Requires Stronger Security With 2FA
In recent years, we’ve witnessed a massive increase in the number of websites losing personal data of their users. And as cybercrime gets more sophisticated, companies find their old security systems are no match for modern threats and attacks. Sometimes it’s simple human error that has left them exposed. And it’s not just user trust that can be damaged. All types of organizations—global companies, small businesses, start-ups, and even non-profits—can suffer severe financial and reputational loss.
For consumers, the after-effects of a targeted hack or identity theft can be devastating. Stolen credentials are used to secure fake credit cards and fund shopping sprees, which can damage a victim’s credit rating. And entire bank and cryptocurrency accounts can be drained overnight. A recent study revealed that in 2016 over $16 billion was taken from 15.4 million U.S. consumers. Even more incredible, identity thieves stole over $107 billion in the past six years alone.
Clearly, online sites and apps must offer tighter security. And, whenever possible, consumers should get in the habit of protecting themselves with something that’s stronger than just a password. For many, that extra level of security is two-factor authentication.
Passwords: Historically Bad But Still In Use
How and when did passwords get so vulnerable? Back in 1961, the Massachusetts Institute of Technology developed the Compatible Time-Sharing System (CTSS). To make sure everyone had an equal chance to use the computer, MIT required all students to log in with a secure password. Soon enough, students figured out that they could hack the system, print out the passwords, and hog more computer time.
Despite this, and the fact that there are much more secure alternatives, usernames and passwords remain the most common form of user authentication. The general rule of thumb is that a password should be something only you know while being difficult for anyone else to guess. And while using passwords is better than having no protection at all, they’re not foolproof. Here’s why:
- Humans have lousy memories. A recent report looked at over 1.4 billion stolen passwords and found that most were embarrassingly simple. Among the worst are “111111,” “123456,” “123456789,” “qwerty,” and “password.” While these are easy to remember, any decent hacker could crack these simple passwords in no time.
- Too many accounts: As users get more comfortable with doing everything online, they open more and more accounts. This eventually creates too many passwords to remember and paves the way for a dangerous habit: password recycling. Here’s why hackers love this trend: it takes just seconds for hacking software to test thousands of stolen sign-in credentials against popular online banks and shopping sites. If a username and password pair is recycled, it’s extremely likely it’ll unlock plenty of other lucrative accounts.
- Security fatigue sets in: To protect themselves, some consumers try to make it harder for attackers by creating more complex passwords and passphrases. But with so many data breaches flooding the dark web with user information, many just give up and fall back to using weak passwords across multiple accounts.
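The password-recycling problem above has a detectable shape on the server side: one source tries many different usernames in a short burst, and any success is a reused password that happened to work. The following is an added example, not code from the original article, that runs that check over a few constructed log lines (the log format and the thresholds are assumptions for the demonstration):

```python
"""Detect credential-stuffing patterns in authentication logs.

Flags any source IP that attempts logins for many *distinct* usernames
within a short window, which is the signature of testing stolen
credential pairs against a site. A single user mistyping their own
password several times stays below the threshold.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Assumed format:
# "<ISO timestamp> <result> user=<name> ip=<addr>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z FAIL user=alice ip=203.0.113.7
2024-05-01T10:00:02Z FAIL user=bob ip=203.0.113.7
2024-05-01T10:00:02Z FAIL user=carol ip=203.0.113.7
2024-05-01T10:00:03Z FAIL user=dave ip=203.0.113.7
2024-05-01T10:00:03Z OK user=erin ip=203.0.113.7
2024-05-01T10:00:04Z FAIL user=frank ip=203.0.113.7
2024-05-01T10:00:10Z FAIL user=alice ip=198.51.100.9
2024-05-01T10:00:40Z FAIL user=alice ip=198.51.100.9
2024-05-01T10:01:10Z OK user=alice ip=198.51.100.9
2024-05-01T10:05:00Z FAIL user=zoe ip=192.0.2.44
"""


def parse_line(line):
    """Split one log line into (timestamp, result, username, ip)."""
    ts_str, result, user_kv, ip_kv = line.split()
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, result, user_kv.split("=", 1)[1], ip_kv.split("=", 1)[1]


def detect_stuffing(log_text, window=timedelta(seconds=60), min_users=4):
    """Return {ip: set_of_usernames} for IPs that tried >= min_users
    distinct accounts inside any `window`. Successful logins count too:
    a run that hits a recycled password is exactly what we want to see."""
    attempts = defaultdict(list)  # ip -> [(ts, user), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _result, user, ip = parse_line(line)
        attempts[ip].append((ts, user))

    flagged = {}
    for ip, events in attempts.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = flagged.get(ip, set()) | users
    return flagged


def compromised_accounts(log_text, **kw):
    """Accounts a flagged IP logged into successfully: the recycled
    passwords that worked, and the users to force a reset on."""
    flagged = detect_stuffing(log_text, **kw)
    hits = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, result, user, ip = parse_line(line)
        if result == "OK" and ip in flagged:
            hits.add(user)
    return hits
```

The two thresholds are the knobs worth tuning against real traffic: a shared NAT address legitimately produces several distinct users per minute, so `min_users` should sit above that baseline for the site in question.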
2FA To The Rescue
2FA is an extra layer of security used to make sure that people trying to gain access to an online account are who they say they are. First, a user will enter their username and a password. Then, instead of immediately gaining access, they will be required to provide another piece of information. This second factor could come from one of the following categories:
- Something you know: This could be a personal identification number (PIN), a password, answers to “secret questions” or a specific keystroke pattern
- Something you have: Typically, a user would have something in their possession, like a credit card, a smartphone, or a small hardware token
- Something you are: This category is a little more advanced, and might include the biometric pattern of a fingerprint, an iris scan, or a voice print
With 2FA, a potential compromise of just one of these factors won’t unlock the account. So, even if your password is stolen or your phone is lost, it is highly unlikely that someone else also holds your second factor. Looking at it from another angle, if a consumer uses 2FA correctly, websites and apps can be more confident of the user’s identity, and unlock the account.
Common Types of 2FA
If a site you use only requires a password to get in and doesn’t offer 2FA, there’s a good chance that it will eventually be hacked. That doesn’t mean that all 2FA is the same. Several types of two-factor authentication are in use today; some may be stronger or more complex than others, but all offer better protection than passwords alone. Let’s look at the most common forms of 2FA.
Hardware Tokens for 2FA
Probably the oldest form of 2FA, hardware tokens are small, like a key fob, and produce a new numeric code every 30 seconds. When a user tries to access an account, they glance at the device and enter the displayed 2FA code back into the site or app. Other versions of hardware tokens automatically transfer the 2FA code when plugged into a computer’s USB port.
They’ve got several downsides, however. For businesses, distributing these units is costly. And users find their size makes them easy to lose or misplace. Most importantly, they are not entirely safe from being hacked.
SMS Text-Message and Voice-based 2FA
SMS-based 2FA interacts directly with a user’s phone. After receiving a username and password, the site sends the user a unique one-time passcode (OTP) via text message. Like the hardware token process, a user must then enter the OTP back into the application before getting access. Similarly, voice-based 2FA automatically dials a user and verbally delivers the 2FA code. While not common, it’s still used in countries where smartphones are expensive, or where cell service is poor.
For a low-risk online activity, authentication by text or voice may be all you need. But for websites that store your personal information — like utility companies, banks, or email accounts — this level of 2FA may not be secure enough. In fact, SMS is considered to be the least secure way to authenticate users. Because of this, many companies are upgrading their security by moving beyond SMS-based 2FA.
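The delivery channel is the weak link the section points at, but the site still controls everything around the code itself. As an added example (not code from the original article or from Twilio), here is the server-side half of an SMS or voice OTP: generate the code from a cryptographic random source, keep only a hash, expire it, cap the number of guesses, compare in constant time, and burn it after one use. The lifetime and attempt limits are assumed policy values.

```python
"""Server-side issue/verify logic for a delivered one-time passcode."""
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300   # assumed policy: code lives five minutes
MAX_ATTEMPTS = 5        # assumed policy: guesses allowed per code


def _digest(session_id: str, code: str) -> bytes:
    # Bind the stored hash to the login session so a code captured for
    # one session cannot be submitted against another.
    return hashlib.sha256(f"{session_id}:{code}".encode()).digest()


class OtpStore:
    """In-memory pending-OTP table; a deployment would use a TTL cache or DB.
    `now` is injectable so expiry can be tested deterministically."""

    def __init__(self, now=time.time):
        self.now = now
        self._pending = {}  # session_id -> (digest, expires_at, attempts)

    def issue(self, session_id: str) -> str:
        """Create a fresh code for this login session and return it so the
        caller can hand it to the SMS/voice gateway. Only its hash is kept."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[session_id] = (
            _digest(session_id, code),
            self.now() + OTP_TTL_SECONDS,
            0,
        )
        return code

    def verify(self, session_id: str, submitted: str) -> bool:
        """True exactly once, for the right code, before expiry, within the
        attempt cap. Every failure path removes or counts against the code."""
        entry = self._pending.get(session_id)
        if entry is None:
            return False                      # never issued, or already used
        digest, expires_at, attempts = entry
        if self.now() > expires_at or attempts >= MAX_ATTEMPTS:
            del self._pending[session_id]     # expired, or brute-force cap hit
            return False
        if hmac.compare_digest(digest, _digest(session_id, submitted)):
            del self._pending[session_id]     # single use: burn on success
            return True
        self._pending[session_id] = (digest, expires_at, attempts + 1)
        return False
```

Note that the attempt cap is what makes a six-digit code safe against online guessing: without it, a million tries exhaust the space, and the five-minute window alone does nothing to stop an automated client.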
Software Tokens for 2FA
The most popular form of two-factor authentication (and a preferred alternative to SMS and voice) uses a software-generated time-based, one-time passcode (also called TOTP, or “soft-token”).
First, a user must download and install a free 2FA app on their smartphone or desktop. They can then use the app with any site that supports this type of authentication. At sign-in, the user first enters a username and password, and then, when prompted, they enter the code shown on the app. Like hardware tokens, the soft-token is typically valid for less than a minute. And because the code is generated and displayed on the same device, soft-tokens remove the chance of hacker interception. That’s a big concern with SMS or voice delivery methods.
Best of all, since app-based 2FA solutions are available for mobile, wearables, or desktop platforms — and even work offline — user authentication is possible just about everywhere.
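Both the 30-second key fob described under hardware tokens and the soft-token app described here run the same OATH algorithm, TOTP (RFC 6238), which is why the code can be generated offline on the device: it is an HMAC over the current 30-second time step, keyed with a seed shared once at enrollment. The block below is an added example, not code from the original article or from the Authy app; the seed and expected codes are the published RFC 6238 test vectors (secret "12345678901234567890", SHA-1), and the Base32 helper matches how authenticator apps receive the seed inside an otpauth QR code.

```python
"""RFC 6238 TOTP: generation, drift-tolerant verification, replay guard."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a 31-bit integer reduced to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP is HOTP with counter = floor(unix_time / step).
    This is what a key fob or authenticator app displays."""
    return hotp(secret, for_time // step, digits)


def verify_totp(secret: bytes, code: str, for_time=None, step: int = 30,
                digits: int = 6, window: int = 1, last_counter: int = -1):
    """Server side. Accept the current step and +/- `window` steps to
    absorb clock drift, compare in constant time, and return the counter
    that matched so the caller can persist it and refuse a second use of
    the same step. Returns None on failure."""
    now = int(time.time()) if for_time is None else for_time
    counter = now // step
    for c in range(counter - window, counter + window + 1):
        if c <= last_counter:
            continue  # replay protection: a step already consumed is dead
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c
    return None


def secret_from_base32(b32: str) -> bytes:
    """Seeds are shared as unpadded Base32 in otpauth:// URIs; restore the
    padding Python's decoder insists on and tolerate spacing/case."""
    cleaned = b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)
```

The `window` and `last_counter` arguments are the two server-side details that matter in practice: a window of one step on each side tolerates roughly 30 seconds of phone clock drift, and recording the last accepted counter is what stops a code observed over someone's shoulder from being replayed within its validity period.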
Push Notification for 2FA
Rather than relying on the receipt and entry of a 2FA token, websites and apps can now send the user a push notification that an authentication attempt is taking place. The device owner simply views the details and can approve or deny access with a single touch. It’s passwordless authentication with no codes to enter, and no additional interaction required.
By having a direct and secure connection between the retailer, the 2FA service, and the device, push notification eliminates any opportunity for phishing, man-in-the-middle attacks, or unauthorized access. But it only works with an internet-connected device, one that’s able to install apps. Also, in areas where smartphone penetration is low, or where the internet is unreliable, SMS-based 2FA may be a preferred fall-back. But where it is an option, push notifications provide a more user-friendly, more secure form of security.
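The "direct and secure connection" above comes down to two signatures: the server signs the request so the app can reject notifications that did not come from it, and the device signs its decision together with the request it applies to, so an approval cannot be detached from one login attempt and reused for another. The following is an added example, not code from the original article or from any Twilio/Authy SDK. It assumes a per-device HMAC key established when the device enrolled (real deployments typically use a public key held in the phone's secure hardware), and it carries the login context the user is asked to judge.

```python
"""Push-approval exchange: server issues a signed request, the device
returns a signed approve/deny, the server binds the answer to that one
pending request and accepts it at most once."""
import hashlib
import hmac
import json
import secrets
import time


def _sign(key: bytes, message: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding (sorted keys, no spaces)."""
    canonical = json.dumps(message, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


class PushAuthServer:
    def __init__(self, device_keys: dict, now=time.time, ttl: int = 60):
        self.device_keys = device_keys     # device_id -> key from enrollment
        self.now, self.ttl = now, ttl
        self.pending = {}                  # request_id -> request dict

    def create_request(self, device_id, username, client_ip, location):
        """Build the notification payload. The context fields are what the
        user sees and decides on; the signature lets the app refuse
        notifications that did not originate from this server."""
        req = {
            "request_id": secrets.token_hex(16),
            "device_id": device_id,
            "username": username,
            "client_ip": client_ip,
            "location": location,
            "expires_at": int(self.now()) + self.ttl,
        }
        req["server_sig"] = _sign(self.device_keys[device_id], req)
        self.pending[req["request_id"]] = req
        return req

    def handle_response(self, resp: dict) -> bool:
        """Grant access only for an unexpired, still-pending request whose
        'approve' decision carries a valid signature from the enrolled key."""
        req = self.pending.pop(resp.get("request_id"), None)   # one-shot
        if req is None or self.now() > req["expires_at"]:
            return False
        key = self.device_keys[req["device_id"]]
        unsigned = {k: v for k, v in resp.items() if k != "device_sig"}
        if not hmac.compare_digest(_sign(key, unsigned), resp.get("device_sig", "")):
            return False
        return resp.get("decision") == "approve"


def device_respond(device_key: bytes, req: dict, decision: str) -> dict:
    """Authenticator-app side: check the server's signature first, then sign
    the decision together with the request id it answers."""
    body = {k: v for k, v in req.items() if k != "server_sig"}
    if not hmac.compare_digest(_sign(device_key, body), req["server_sig"]):
        raise ValueError("notification not signed by the enrolled server")
    resp = {"request_id": req["request_id"], "decision": decision}
    resp["device_sig"] = _sign(device_key, resp)
    return resp
```

Because `handle_response` pops the request before checking anything, a second delivery of the same approval, a late approval after `ttl`, and a deny flipped to approve in transit all fail, which is what "no opportunity for man-in-the-middle" has to mean concretely.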
Other Forms of Two-Factor Authentication
Biometric 2FA, authentication that treats the user as the token, is just around the corner. Recent innovations include verifying a person’s identity via fingerprints, retina patterns, and facial recognition. Ambient noise, pulse, typing patterns, and vocal prints are also being explored. It’s only a matter of time before one of these 2FA methods takes off…and for biometric hackers to figure out how to exploit them.
Everybody Should 2FA
According to a recent report, stolen, reused, and weak passwords remain a leading cause of security breaches. Unfortunately, passwords are still the main (or only) way many companies protect their users. The good news is that cybercrime is in the news so much that 2FA awareness is quickly growing and users are demanding that the companies they do business with have improved security. We agree: “Everybody Should 2FA.”
Want To Learn More About 2FA?
Consumers: Don’t know if your favorite sites or apps have 2FA? Visit TwoFactorAuth.org to find out. Or visit the following links to learn more:
- Download Authy 2FA app for iOS, Android, or Desktop
- Get Better Security on Your Twitter Account
- See How To Enable 2FA For Your Favorite Sites
- Understanding 2FA, the Authy App, and SMS
- Understanding Authy 2FA’s Multi-Device Feature
- How Authy 2FA Backups Work
Businesses: Rather than building 2FA themselves, many businesses find that it’s smarter and more cost-effective to partner with an expert. Twilio offers a comprehensive suite of developer-friendly authentication APIs and an SDK that can turn any app into a self-branded authenticator. Check out these useful links for businesses and developers:
- Cross-Industry Security: 4 Brands Getting 2FA Right
- Whitepaper: Account Security Best Practices Guide
- EBook: Upgrade 2FA By Downgrading SMS
- Step-by-Step 2FA Tutorials
- Sign Up To Try Twilio’s 2FA APIs for Free
FAQs
What is two-factor authentication (2FA)?
Two-factor authentication (2FA), sometimes referred to as two-step verification or dual-factor authentication, is a security process in which users provide two different authentication factors to verify themselves. 2FA is implemented to better protect both a user's credentials and the resources the user can access.
How is 2FA defined?
Two-factor authentication (2FA) is an identity and access management security method that requires two forms of identification to access resources and data. 2FA gives businesses the ability to monitor and help safeguard their most vulnerable information and networks.
- Open the Authy Android app.
- Tap the … (menu) icon in the upper right corner, and then select Add Account.
- Tap the desired option, and follow the prompts: ...
- Select the icon (if desired) and enter an account name, then tap Done.
- You'll now see a new 2FA code for this account in Authy.
What do people use Authy for?
Authy is a free mobile / desktop app for two-factor authentication, as well as security partner and SMS delivery service of many websites that want to make two-factor authentication work better for their users. Some of our well-known partners include CloudFlare, Twitch, Pinterest, etc.
What is an example of 2FA?
When you use your credit card and are prompted for your billing zip code, that's 2FA in action. Knowledge factors like your zip code may also be passwords or a personal identification number (PIN).
As with Duo Mobile, Authy provides an option to back up your tokens online. These backups are encrypted on your device before they're uploaded. Your password is never sent to Authy, which means that even if someone were to hack Authy, they still wouldn't get your two-factor authentication tokens.
Does Authy cost money?
For end users looking to secure their internet logins and accounts, Authy is free to install and use. For help getting started using Authy and securing your accounts, please see our article Welcome to Authy!
Does Authy have a password?
The Master Password in the Chrome, Windows, and MacOS Authy applications allows you to set a password to lock your Authy app installation. The password will be requested any time the app is opened, or when your computer wakes from sleep, so that your 2FA account tokens are protected.
Where do I find my 2FA code?
- Go to Settings > [your name].
- Tap Password & Security > Get Verification Code.
What is the disadvantage of Authy?
Authy doesn't always display how much time is left before your current token expires, making it difficult to know how much time you have left to enter the current code.
How do hackers get through 2FA?
Cybercriminals are able to gain access to your mobile device using one of three methods: SIM-jacking, SIM swapping, and SIM cloning, which are explained in more detail below: SIM-jacking: Hackers will send a piece of spyware-like code to a target device using an SMS message.
How do I use Authy on my phone?
- Install Authy.
- Open Authy.
- Enter your phone number and tap OK.
- Tap the three-dot menu in the upper-right corner. ...
- Tap Add Account.
- Tap Scan QR Code or Enter Code Manually (choose the option suggested by your service). ...
- Scan the QR code or type in the manual code.
Enter this code in the field and then click “Verify.” You now have 2FA enabled for your Google and Gmail account. From now on, you will need to use the Authy app when you login.
What happens if you forget your Authy password?
If you ever forget your master password, we recommend the following to regain access to your 2FA accounts: Check any Authy installations on other devices (if available) to see if your tokens are present. Or use the recovery codes provided by the service(s) during 2FA setup to regain access to your accounts.
How do I start using Authy?
- Open the Google App.
- Tap your profile photo in the upper-right corner and then tap Manage your Google Account.
- Tap Security in the top bar, and then open the 2-step verification menu and sign in with your password. ...
- Scroll down and tap Authenticator app.
- Tap Set up authenticator.
2FA can be vulnerable to several attacks from hackers because a user can accidentally approve access to a request issued by a hacker without acknowledging it.
What is 2FA for beginners?
Two-factor authentication (or 2FA, for short) strengthens login security by requiring a second piece of information — a second factor beyond your password. The second piece of information is usually a temporary code delivered by a device in your possession, such as your phone.
Did Authy get hacked?
In an elaborate social engineering attack, a bad actor gained access to employee's accounts, in turn compromising the security of Authy and a handful of Twilio customers, including LastPass. Read on to find out what happened and how you can better protect your own Authy account from attacks like these.
Can you turn off Authy?
Open the Authy Chrome app. in the upper left corner. From the Devices tab, click the Multi-device checkbox to enable or disable.
Can I use Authy without Internet?
Works offline
You can still access secured websites without internet access on your phone.
We recommend using the Authy app if you do not have a mobile device - such as most iOS or Android smartphones and tablets - capable of running the Google Authenticator app. (If you do have one of these, you can find setup instructions for your device in Logging into Savio.) Authy is a desktop app.
Does Authy sell your data?
We keep a record of your log-ins to accounts for which you use Authy for 2-factor authentication. We do not sell your personal information.
What is the most secure 2 factor authentication?
Authy. Authy by Twilio is a universal 2FA app, available for iOS, Android, Windows, macOS, and even Linux. It is also said to be the most trusted 2FA app and is free for users while businesses have to pay for it.
Does Authy use Face ID?
Authy is a simple app with few options. Your phone should be secured by a passcode and/or a biometric option (e.g. Touch ID or Face ID).
Which is better, Authy or Google Authenticator?
Conclusion. Google Authenticator and Authy are both reliable authenticator apps. People looking for a simple and easy-to-use app should get Google Authenticator. The same goes for users who want a higher security level in the two-factor authentication process.
Is Authy a VPN?
The Authy VPN plugin comes with a script that helps you register users.
What is the secret key in Authenticator?
The secret key is like a secondary password shared between the authenticator app on your device and your Knowledge Hub account. If you have multiple devices, they must all share the same secret key. If you feel that the secret key has been compromised, you should regenerate and save a new secret key.
How many digits is a 2FA code?
If you have 2FA enabled, you will receive a temporary 6-digit code which can be used only for a very short period of time: about 20 seconds. After 20 seconds, the code will expire and a new code will be generated. The requirement to enter both your password and this 6-digit code makes your account better protected.
How do I turn off 2-step verification without signing in?
First off, go to Settings and Privacy > Settings > Security and Login > Two-factor authentication on your browser-based Facebook account. You'll find a list of your authorized devices where you won't need to use a login code.
What happens if I delete Authy?
If you delete your Authy account token prior to disabling 2FA security on the website for your 2FA token account, you will be unable to login to your account. Please click the appropriate link to see how to delete an account token from each of our Authy Apps: Android.
What is the difference between Authy and 1Password?
Authy lets you manually add a code for 2FA on the Mac, but 1Password gives you the additional option of adding based on a QR code. I find it easier to do the add by using the scan. 1Password also scans your accounts and lets you know which systems support 2FA and takes you to the link to enable it.
Can someone hack your account if you have two-factor authentication?
While using two-factor authentication isn't a foolproof way to prevent hackers from accessing accounts, it's far safer than not enabling it in the first place.
Can hackers turn off two-factor authentication?
Some platforms enable users to generate tokens in advance, sometimes providing a document with a certain number of codes that can be used in the future to bypass 2FA should the service fail. If an attacker obtains the user password and gains access to that document, they can bypass 2FA.
Can two-factor authentication be turned off?
Manage your Google Account.
At the top, tap Security. Under "Signing in to Google," tap 2-Step Verification. You might need to sign in. Tap Turn off.
Acquisitions. In February 2015, Twilio acquired Authy, a Y Combinator-backed startup that offers two-factor authentication services to end users, developers and enterprises.
How many devices can Authy be on?
Authy is then accessible on all devices you've authorized, and you can enable as many devices as you desire. But after installing the Authy app on more than one device, we strongly recommend disabling Multi-Device.
Is Authy good for privacy?
Authy does not sell your personal information, share it with third parties for their own marketing purposes, nor do we allow third parties to use it for their own marketing purposes, unless you ask us to do this.
What are Authy codes?
Authy is an application that installs on your selected device and produces a 6-digit code for you to use in Two-Factor Authentication (2FA). While highly versatile, Authy is the most complex option available for setting up and configuring 2FA.
How do I remove Authy from my device?
Remove a device from Authy on Android
Tap the … (menu) icon in the upper right corner, and then select Settings. From the Devices tab, tap the desired device to remove. Tap Remove device.
Why does Authy not work?
Restart the mobile device and try scanning the barcode again. If this does not work your device may not support Authy or Google Authenticator and you should try another device.
What is 2FA and how does it work?
Two-factor authentication (2FA) is a security system that requires two separate, distinct forms of identification in order to access something. The first factor is a password and the second commonly includes a text with a code sent to your smartphone, or biometrics using your fingerprint, face, or retina.
How do I set up 2FA authentication?
- Open your Google Account.
- In the navigation panel, select Security.
- Under “Signing in to Google,” select 2-Step Verification. Get started.
- Follow the on-screen steps.
- Go to the ACCOUNT page.
- Click the PASSWORD & SECURITY tab.
- Under the 'TWO-FACTOR AUTHENTICATION' header, click the 2FA option you want to enable: THIRD-PARTY AUTHENTICATOR APP: Use an Authenticator App as your Two-Factor Authentication (2FA). ...
- Verify that 2FA is enabled.
2FA uses two of the following three factors to verify your identity: something you know (like a password), something you have (like a key), or something you are (like a fingerprint). By adding an additional verification step, 2FA significantly strengthens the security of your accounts.
Is it good to enable 2FA?
2FA is essential to web security because it immediately neutralizes the risks associated with compromised passwords. If a password is hacked, guessed, or even phished, that's no longer enough to give an intruder access: without approval at the second factor, a password alone is useless.
Is it safe to enable 2FA?
Several websites also use authenticator apps to generate unique codes. In fact, this method is one of the highest levels of security one will receive. This proves Google authenticator is safe.
How do I find my 2FA key?
While setting up an authenticator app for 2FA you can view the setup key which we automatically generate as a QR code, but which can also be read in plain text by clicking on View setup key.
How do I find my 2FA code?
- Go to Settings > [your name].
- Tap Password & Security.
- A message says "Account Details Unavailable." Tap Get Verification Code.
You need to install the Google Authenticator app on your smart phone or tablet devices. It generates a six-digit number, which changes every 30 seconds. With the app, you don't have to wait a few seconds to receive a text message.
What happens if you disable 2FA?
Your account is more secure when you need a password and a verification code to sign in. If you remove this extra layer of security, you will only be asked for a password when you sign in. It might be easier for someone to break into your account.
What are the pros and cons of using two-factor authentication?
2FA, and multi-factor authentication as a whole, is a reliable and effective system for blocking unauthorized access. It still, however, has some downsides. These include: Increased login time – Users must go through an extra step to login into an application, adding time to the login process.
Who uses two-factor authentication?
- Finance. The finance industry has long used 2FA technology. ...
- Healthcare. The Health Insurance Portability and Accountability Act (HIPAA) was created to protect the privacy of an individual's healthcare information. ...
- Defense. ...
- Law Enforcement. ...
- US Government.