In the past two decades, we have seen dramatic growth in what the internet can offer us: social media, on-demand video streaming, video conferencing and online shopping. All of these developments have enabled us to connect and communicate with anyone across the world, to access content such as movies and TV series, and to buy and ship anything we need or want anywhere in the world.
For us to access any of these online services, we need to create an account with the service provider. As part of account creation, we need to specify a username or email address and a password. Either during or after account creation, we might be asked to set up two-factor authentication or multi-factor authentication, with the objective of keeping our online accounts more secure and resilient to malicious activities such as hacking.
But, have you ever wondered why you should be setting up or enabling 2FA or MFA?
In this multi-part series, we will explore the various concepts and the reasons behind them, using simple analogies to help you understand what is going on.
First up, let’s have a look at the most basic form of security: the use of username and password.
Securing your account using only a username and password
The use of a username and password is one of the most basic security tools we have to keep an account secure. It is a way for us to verify that someone is who they say they are.
Now, let us imagine that the accounts we create are apartment units and the online sites they live on are apartment buildings. We do not need to care about where the apartment buildings are in the world, since we don’t really care where a website is hosted.
In order to keep the apartments secure and allow only the rightful tenants to enter, the building management hires multiple security guards to stand by the main entrance of each apartment. The security guard is like the login form we use to log in to any website. There is no security guard for the apartment building itself, just as anyone can reach any website.
Whenever a tenant wants to enter their apartment, they provide some form of identification to the security guard. In this case, the tenant’s face is the equivalent of the username, and the password is the secret message that only the tenant and the security guard know. Not even the building management knows about it.
Once the security guard has seen the tenant’s face and the tenant has whispered the secret message into the guard’s ear, the guard opens the door and lets them in. If someone else tries to access the tenant’s apartment, the security guard won’t let the stranger in unless they look like the actual tenant and know the secret message.
The only advantage of implementing security like this is convenience.
However, this is not very secure.
Let’s say a stranger manages to 3D print a mask that looks exactly like the target tenant. They put the mask on and walk up to the security guard. Now, all the security guard is waiting for is for the person to provide the secret message.
This analogy is akin to what happens during a data breach. Whoever hacks the site and gains access to the database now has a partial idea of who we are. This means they could easily masquerade as any user to gain access to the account.
Making matters worse, many sites tend to implement some sort of password limitation, such as:
- An arbitrary maximum password length
- Restrictions on which symbols or characters may be used
Such limitations are akin to the security guard standing outside your apartment saying they can only remember a secret message of a certain length, or that they lack the vocabulary to understand you.
It is not difficult to imagine what will happen.
Let’s say the security guard only knows basic English and the tenant decides to choose “apple” as the secret message. That means anyone else who is well-versed in English, or who carries a dictionary, will be able to trick the security guard into letting them in by wearing a lifelike 3D mask and going through every English word they can think of. This is akin to a dictionary attack.
What if, instead, the security guard were highly educated and had an extremely good memory? Then the tenant could share a complex secret message with the guard. In this case, let’s use “I am a person and likes to eat an apple” to represent a very complex password.
With such a “complex” message, it is very difficult, if not impossible, to figure out the secret message no matter how good the stranger is. Not only does the stranger have to know which words are used, they also have to figure out where each word goes in the sequence.
Hopefully this makes clear why it is necessary to use a more complex password.
But we should also remember that technology is only going to improve further in capability and performance. Figuring out a complex password will take less time with each passing year.
This is why we need to introduce another layer (also known as a factor) of security. Using two such factors is known as Two-Factor Authentication (2FA).
At the fundamental level, 2FA relies on exactly two factors to verify a user’s authenticity. One factor is “what we know”. The other factor is “what we own or possess”.
A good place where we see 2FA in action is when withdrawing money from an ATM. We provide a bank card (what we own) and a PIN (what we know) to the machine. Once the system has verified who we are, we are able to perform banking transactions.
You might also have come across the term Multi-Factor Authentication (MFA). This refers to the use of several security mechanisms for a user to demonstrate their identity.
In the next section, let us first explore 2FA. There are many flavours of 2FA; the easiest to implement is the SMS token, which is why it is commonly used by companies.
Further secure your account with SMS 2FA
Sites that use SMS 2FA will generally request that you provide your mobile number so that they can supply you with a one-time code that you can use on the site.
Let us go back to the apartment analogy to explore how SMS 2FA works and why it is the weakest of any 2FA implementation.
After a spate of break-ins, the building management decided to improve the security and safety of the apartments by installing key-based locks on every door and changing the locks every day. This is in addition to the security guards standing outside the apartments. You might be thinking that installing and changing the lock on every door every day is infeasible in reality, but that is not the point of this analogy.
In order for tenants to receive a new set of keys for the new locks, the building management sets up a Security Room in the basement. Now, tenants (new or existing) must register themselves once at the front desk and collect a name tag to identify them. This enables each tenant to receive the key they can use to unlock their door every time they need to enter their apartment. This act of registering with the front desk is akin to users registering their mobile phone with the site after they have created their account.
Whenever the tenant wishes to enter their apartment, they exchange the secret message with the security guard. Then the guard contacts the front desk via walkie-talkie to get them to dispatch the key for the apartment.
The front desk coordinates the key requests before contacting the Security Room for keys to be delivered to the requesting tenants. The Security Room sends concierges with the correct key to meet the tenants, identifying them by their name tag. This represents the SMS message containing the one-time password being delivered to your phone.
What the concierges will do is to search within the building for their tenant to hand the key over.
Generally, this handover process happens without issue. The tenant receives their key just in time and can proceed to unlock their door. Back in reality, this means the account owner receives the SMS message on their phone and can enter the one-time password into the site to log in to their account.
However, it is possible for the SMS message to be lost due to network issues or, worse, routed to the wrong person due to a form of fraud called SIM swapping. In our analogy, the former is the equivalent of the concierge losing their way and exiting the building, while the latter is equivalent to someone wearing the same name tag as you who knows the secret message and wears a mask that looks like you. Now, tricking both the concierge and the security guard becomes very easy.
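To make the two factors from this section and the password section concrete, here is a small Python model of the login flow (an added example, not code from the original post): factor one checks a salted password hash, factor two issues a single-use, expiring code and hands it to whichever SIM the carrier currently maps the registered number to, which is exactly where the SIM-swap weakness sits. The account, phone number, carrier table and inboxes are constructed for the demo.

```python
"""Toy model of the username/password + SMS one-time-code login described above."""
import hashlib
import hmac
import secrets

OTP_TTL_SECONDS = 300  # a code is valid for five minutes

def hash_password(password: str, salt: bytes) -> bytes:
    """'What we know': store a salted PBKDF2 hash, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed account: the "face" (username), the salted secret message, the registered number.
_salt = secrets.token_bytes(16)
ACCOUNTS = {"alice": {"salt": _salt,
                      "pw_hash": hash_password("I am a person and likes to eat an apple", _salt),
                      "phone": "+15550100"}}
# Constructed carrier routing table: phone number -> SIM that currently holds it.
CARRIER = {"+15550100": "alice-sim"}
# Constructed per-SIM inboxes; they stand in for the concierge delivering the key.
INBOXES: dict[str, list[str]] = {}
# Pending codes: username -> {"code", "expires", "used"}
PENDING: dict[str, dict] = {}

def check_password(user: str, password: str) -> bool:
    """Factor one. Constant-time compare so timing does not leak hash bytes."""
    rec = ACCOUNTS.get(user)
    if rec is None:
        return False
    return hmac.compare_digest(rec["pw_hash"], hash_password(password, rec["salt"]))

def send_otp(user: str, now: float) -> None:
    """Factor one passed: issue a fresh single-use code and 'text' it to the registered number."""
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING[user] = {"code": code, "expires": now + OTP_TTL_SECONDS, "used": False}
    # The site only knows the number; the carrier decides which SIM actually receives the message.
    sim = CARRIER[ACCOUNTS[user]["phone"]]
    INBOXES.setdefault(sim, []).append(code)

def verify_otp(user: str, code: str, now: float) -> bool:
    """Factor two: the code must match, be unexpired and never used before."""
    p = PENDING.get(user)
    if p is None or p["used"] or now > p["expires"]:
        return False
    if not hmac.compare_digest(p["code"], code):
        return False
    p["used"] = True  # burn the code so a replay fails
    return True
```

Note that verify_otp cannot tell whether the code came back from the tenant's own SIM or from one the number was reassigned to; the site has no visibility into the carrier table, which is why SMS is the weakest second factor.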
The security of your account can be improved further. In the next part of this series, we will look into using token generation via a device you own for 2FA.