Two-factor authentication (2FA) is all the rage now, especially for Internet services such as Facebook, Twitter, Gmail and Dropbox, among others, which use it to put an extra layer of security in front of the user's information.
In this post I will show you what two-factor authentication is, and in the following posts how to implement it in Scriptcase, specifically by means of two different software services: Swivel and our own development in NodeJS. I hope on a future occasion to show you how to do it with specific hardware!
Conceptually, two-factor authentication consists of adding a step to the existing authentication, either when accessing an application or when validating a user for a specific task. In general security terms there are different types of authentication factors which, combined, give a better level of security. These are:
- Something that the user knows. Information the user knows and recalls when requested, such as an e-mail password or the 4-digit PIN of their ATM card.
- Something that the user has. Some physical or virtual object in the user's possession, for example debit or credit cards; USB keys with or without codes, virtual keyboards, SMS messages and e-mails also fall into this category.
- Something the user is. A biometric feature such as a fingerprint or an iris scan.
OTC (One-Time Code) and OTP (One-Time Password).
These terms refer to strings of numeric or alphanumeric characters that are used only once to access the application. They are generated dynamically and delivered by SMS, shown by a mobile application, etc., every time a user wants to log in. However, for workstations or mobile devices from which access is constant and/or regular, the application can be configured not to ask for the second factor, and to ask for it only when access comes from a different device.
Let’s look in a little more detail at some of the most used elements of the authentication type “Something the user has”. These are:
Hardware Tokens for 2FA (Hard Tokens)
It is surely the oldest way to use 2FA. Hardware tokens are small, like a keychain fob, and produce a new numeric code every so often (30 seconds on average). Each time the user wants to enter the application, they look at the device, read the current 2FA code and enter it in the site or application.
Other hardware tokens transfer the 2FA code automatically when they are plugged directly into the computer’s USB port.
Software Tokens for 2FA (Soft Tokens)
It is perhaps one of the most popular forms of two-factor authentication. It works similarly to the previous one, since it also uses a uniquely generated access code, but the difference is that it is software only. First, the user must download and install a free 2FA application on their smartphone or desktop computer, for example Google Authenticator. When logging in, the user first enters a username and password and then, when prompted, enters the code displayed in the application.
Example of 2FA in Google with Google Authenticator.
SMS text message and/or voice based 2FA
Obviously, since it is based on SMS, the dependence on the mobile phone is total. It works as follows: after receiving a valid username and password, the site sends the user a one-time access code (OTP) by SMS. The difference between text and voice is that, with voice, when the user logs in a call is automatically placed to the user and the OTP is read out so that they can complete the login. This option is used in countries where mobile telephony is deficient and/or smartphones are very expensive.
So, if we can combine elements of each of these types of authentication, we can say that our application is more secure. And I must clarify that this does not mean it is impenetrable, only that it will be more difficult for an unauthorized person to access our information.
However, when we talk about implementing 2FA in our applications, what we usually do is add a layer on top of the traditional authentication we already have, because 99% of applications use the authentication type “Something the user knows”: the access credentials are a username and a password. So, a second factor could be an element of either of the 2 remaining types of authentication.
In the next 2 posts we will use “Something the user has” as the second factor, but at the service (software) level. In the first example we will use a “virtual keyboard” to validate a PIN or password within our application, and in the other example we will be sent a code by e-mail or SMS, or we will use Google Authenticator.
It is also clear that the specifications and the way the 2FA works depend entirely on the service provider. In most cases there are source-code examples for different languages such as PHP, .Net and Java, among others.
There are many different 2FA service providers; some of these are:
- Swivel. https://swivelsecure.com/
- CA. https://www.ca.com/us/products/ca-strong-authentication.html
- RSA. https://www.rsa.com/en-us/products/rsa-securid-suite/rsa-securid-access/authentication-manager
- SafeNet. https://www2.gemalto.com/sas/
In my next post I will talk about how to implement 2FA using Swivel in a Scriptcase application.