
Two Factor Authentication

Login screen example: a normal password-only login screen.

Authenticating yourself on websites (proving that you are who you say you are) is where the system is showing cracks!

It is no major problem when authenticating yourself on an unimportant site – provided you do not use a password that you use elsewhere – but what about sites where access is critical, such as banking, social networking sites and even shopping sites?

If another person could fool the system by pretending to be you, they could also purchase goods in your name, steal your money or identity, use your computing device for nefarious purposes or do even worse things that can impact on your life in a serious way.

Heartbleed icon

The recent Heartbleed scandal has shown us that even Secure Sockets Layer (SSL) may not be sufficiently secure. SSL is what is used to pass information around the Internet in an encrypted way, such that, in theory, the information cannot be read by third parties.

Unfortunately, this system was recently found to have a security flaw that had remained unfixed for over 2 years. This flaw meant that on many websites users’ passwords may have been compromised, meaning that everyone should change the passwords they use on those sites and on any sites on which they use the same password. (Most people re-use passwords, as remembering too many is impossible.)

The reason for this is that the entire password system relies on verifying your identity by asking for something that only you know. If anyone else knows this, they can pretend to be you! It is all too easy for hackers to use a variety of techniques to extract this knowledge from you, often without you even knowing that this was done.

There is another way. What if the system asked you to provide something only you have? This would mean that if someone else had that thing and could associate it with its purpose, they could also steal your identity. However, a third party having something that only you own is actual theft, under law. In addition, it can be guarded and checked regularly, to make sure that it is always in your possession.

SIM card

Almost everyone, these days, has something unique to themselves – a mobile phone SIM card. If an SMS message is sent to your mobile phone, then only you could receive it, unless the phone was stolen. Even if it was, it would be difficult for the thief to associate it with a specific site that you were using it to log on with and, anyway, surely you would notice very quickly that your mobile device was gone.

So, what if a critical website didn’t ask you for a password, but instead sent an SMS to your phone containing an OTP? OTP stands for ‘One Time Password’. This is a password that becomes invalid as soon as it has been used once, and it even becomes invalid if it is not used quickly (30 seconds is a typical time).

Google Authenticator

To use this method, it is necessary to download and install a tiny app, from Google, called ‘Google Authenticator’. This will do all the work of receiving and displaying the OTP needed.
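Google Authenticator does not wait for an SMS: it computes its six-digit code locally from a secret shared with the site and the current 30-second time step (TOTP, RFC 6238). The following is an added example, not code from the original post, showing that computation together with the server-side check that enforces the two properties described above: a code is good for only one 30-second window and can be used only once. The secret value is the RFC 6238 test key, used here purely as a constructed demo.

```python
import hmac
import hashlib
import struct
import time

STEP = 30     # seconds a code stays valid: the "30 seconds" mentioned in the post
DIGITS = 6    # Google Authenticator shows six digits


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


class OtpVerifier:
    """Server side of the scheme: a code is accepted only for the current step
    (plus a little clock drift either way) and only once, so a captured code is
    useless after it has been used or after its window has passed."""

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift = drift_steps
        self.last_counter = -1  # highest time step already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // STEP
        for counter in range(now - self.drift, now + self.drift + 1):
            expected = totp(self.secret, counter * STEP)
            if hmac.compare_digest(expected, code):
                if counter <= self.last_counter:
                    return False  # replay: that step's code was already used
                self.last_counter = counter
                return True
        return False  # wrong code, or a code whose window has passed


if __name__ == "__main__":
    # Constructed demo secret (the RFC 6238 test key), not a real one.
    demo_secret = b"12345678901234567890"
    print("current code:", totp(demo_secret, int(time.time())))
```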

In fact, even better would be if such a site asked for a normal password AND an OTP received in an SMS. Well, welcome to the world of Two Factor Authentication. It has been in use for a long time already, but most people aren’t aware of it. I switched it on for my Google log in, many months ago, because this is so critical to me. If someone gets my Google password, they can get my entire contact list and can send mails pretending to be me to all of them, asking for money, for example. This actually happened to a friend of mine, years ago. She lost 2000 Euros that way, when a much-loved friend of hers had his Google account stolen.

Google TFA example (called by Google ‘2-Step Verification’)

Therefore, when I discovered that Google allows TFA, I signed up to it, on the spot. Since then, more and more sites are using TFA and, since the recent Joomla 3.2.x release, any site made with the Joomla CMS system can use TFA for user authentication, if they prefer it to a single password log in. All of my Joomla sites are now TFA enabled.

Yubikey

There is even an alternative to the SMS to a mobile phone’s SIM card. It is called Yubikey. This is a little device that goes on a key chain. If you opt for TFA with a Yubikey on a website, you have but to put the key into a free USB port of the device you are using and press a little gold button on the key. Provided your password is also correct, this will generate an OTP that will log you in. Joomla sites can also use Yubikey authentication.

TFA relies not only on ‘something you know’, such as a password or PIN number, but also on ‘something you have’, such as a mobile device with a SIM card or a Yubikey. Reliable banking has been using TFA for years now. I can only do my banking with ‘something I know’ (my PIN) AND ‘something I have’ (my credit or debit card). There is a reason why banks use this method. They cannot afford for their clients to be cheated by thieving hackers.

There is no 100% solution to online security issues, but using TFA for all critical log-ins will, at least, help.
