2FA or Not 2FA: Password Protection You Need

So often in life, the things that have the biggest impact on our day-to-day operations at work and at home are the daily habits we perform at an ever increasing standard.

Industry-leader
At Clevertech, we use a lot of tech, obviously. It’s what we do. Our clients have expectations of professionalism and look to us to be an industry leader. That means we keep raising the standards on all our technology decisions, big and small, to keep our operations running optimally for our clients.
Don’t want to be hacked? Turn on Two Factor Authentication. But can we do better?
Two-factor authentication (2FA)
One of those things we use is two-factor authentication, or 2FA. It’s one of those not-very-exciting things (some might even say a little annoying!) that are crucial to protecting information for our business and our clients. And if you’re not using it, you should be.

We’ve shared one of our favorite password hacks before, but 2FA takes password security to the next level. At Clevertech, all critical resources such as code, documents, emails, etc., are protected behind 2FA. 

Two-factor authentication adds another step to your basic login process. With 2FA, you’ll still use your username and password to log in, but there will be a second step, usually a code generated and delivered to you that you have to input in order to complete the login process. Contrast this with single-factor authentication, where your only protection is your username and password -- both of which rarely change, if ever, making them easier for attackers to predict and/or steal.

When you add a second factor, you’ve got 2FA. It’s another way to verify your identity to better protect your credentials. And it works. Google found that when they started implementing 2FA, it eliminated 100% of automated bot attacks and 96% of phishing attacks.

There are a number of different kinds of 2FA, including app-generated codes, biometrics (thumbprint and facial recognition), SMS, and hardware-based tokens. You can also combine several of these methods to get MFA, or Multi-Factor Authentication. We’re going to talk about what these are and the benefits of each.
SMS
SMS messages are a popular 2FA option. An SMS service will generate a short, one-time-use code every time you log in that you’ll have to enter to complete logging in. This is a convenient method—but not the best option.

The problem with SMS 2FA is that the codes travel through your cellular carrier, so anyone who can intercept the messages or take control of your phone number gets them too. Hackers have gone to conferences to showcase just how easy this is. For example, they can call the support center for a cellular company, play audio of a baby crying, explain this problem and that problem while acting flustered and confused, and the support team gives out the private account information without going through the proper security channels.
App-generated
App-generated 2FA does not require a cellular intermediary to deliver the codes. Instead, the app and the service share a secret seed when you enroll (that seed is what the QR code you scan encodes), and both sides derive the same code from that seed and the current time. There are a number of apps available that can do this, such as Google Authenticator. You simply install the app, scan the QR code when setting up a new account, and from then on the app generates a new code about every 30 seconds. When you log in, you enter the code currently displayed on your phone to complete the login process.
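As an added example (not Clevertech's code), here is the arithmetic an authenticator app and a server both perform so that they agree on the same six-digit code every 30 seconds without any network between them. The seed is the published RFC 4226/6238 test secret, used here as a constructed example; a real seed is the random value in the QR code you scan at enrollment.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed example seed: base32 form of the RFC 4226/6238 test secret
# "12345678901234567890". In practice this value is encoded in the enrollment
# QR code and is known only to the phone and the server.
EXAMPLE_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

TIME_STEP = 30  # seconds; this is why the app shows a fresh code about every 30 s
DIGITS = 6


def hotp(seed_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    key = base64.b32decode(seed_b32.upper(), casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)  # keep leading zeros


def totp(seed_b32: str, at_time: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of time steps since the Unix epoch."""
    return hotp(seed_b32, at_time // step)


def verify_totp(seed_b32: str, submitted: str, at_time: int, skew_steps: int = 1) -> bool:
    """Server-side check. Also accepts the neighbouring +/- skew_steps windows so a
    phone whose clock drifts by a few seconds still works; compares in constant time.
    A real server must additionally refuse to accept the same time step twice (replay)."""
    for delta in range(-skew_steps, skew_steps + 1):
        candidate = hotp(seed_b32, at_time // TIME_STEP + delta)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    print("code for this 30-second window:", totp(EXAMPLE_SEED_B32, now))
```

The phone never talks to the server to produce the code; only the shared seed and a roughly synchronised clock are needed, which is exactly what removes the carrier from the picture.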
Hardware-based 
Hardware-based 2FA (also known as FIDO U2F, the FIDO (Fast IDentity Online) Alliance's Universal 2nd Factor standard) is the most secure way to keep your credentials safe and is the type of 2FA we use at Clevertech. It’s usually a small USB key you keep with you. When you want to log in to your account, you insert the key and press a button. And that’s it! Another option is using thumbprint and facial recognition. Hardware-based 2FA is safer because, unlike a code sent to you, the token's response can’t be intercepted and tampered with. Unfortunately, hardware tokens can be lost, so it’s good to always have a back-up or two (or even three) so you don’t accidentally get locked out.
App + Face ID
The issue with hardware-based 2FA is that it is a separate thing to carry. A dedicated app that does the same cryptography, is unlocked with Face ID, and does not rely on SMS is super convenient and maintains a high security standard.

Face ID, however, has had some issues where people who look like you can still unlock your phone. It was shown to be particularly bad for non-white users, who were more frequently able to unlock each other's phones. This may improve over time.

Biometrics such as fingerprints are certainly more convenient (you can't easily lose them and they're quick to enter), and while they can't easily be stolen, they have been faked before.
MFA
While it is true that some 2FA methods are more secure than others, the best defense is a combination of the above options. Multi-factor authentication (MFA) combines biometrics, hardware tokens, and sometimes also app-based authentication for advanced access control.

The bottom line is that 2FA adds necessary security to your authentication flow, and while simple 2FA like SMS may be convenient, it’s best to opt for either app-based 2FA or, better yet, hardware tokens. Biometrics can be used as a convenience; however, they should be combined with a more secure 2FA option for extra account protection. Look into options like Centrify, Duo, and Okta -- additionally, AWS Cognito and other pre-built authentication services support MFA out of the box.
If you’d like to find out more about Clevertech check out our YouTube channel and visit clevertech.careers.