• Login with two-factor authentication. Two-factor authentication for cryptocurrency security

    User. Moreover, we are talking not only about the account, saved contacts and messages, but also about personal documents and files. The highest level of data protection is guaranteed by Apple's two-factor authentication, when to access personal data you need to enter two special numeric codes in a row.

    How does this work

    The main feature of Apple's new security system is to ensure that only you can log into your device, even if the password is known to others. With two-step verification, you can only sign in to your account from trusted iPhone, iPad, or Mac devices. In this case, two-factor authentication will require you to sequentially enter two types of passwords: a regular one and a six-digit verification code, which will automatically be displayed on the verified gadget.

    For example, let's say you have a Mac laptop and want to sign in to your account on your recently purchased iPad. To do this, you first enter your username and password, and then a verification code that automatically appears on the screen of your laptop.

    After this, Apple's two-factor authentication will “remember” your device and allow access to personal data without additional verification. You can also make the browser of any PC trusted by setting this option when logging into your account for the first time.

    Trusted devices

    Only an Apple device can be made trusted. Moreover, the operating system installed on it must be no lower than iOS 9 for mobile devices and no lower than OS X El Capitan for laptops and personal computers. The stated reason is that only in this case can Apple guarantee that the laptop you are using belongs to you.

    Six-digit verification codes can be sent not only to trusted devices, but also to mobile device numbers. At the same time, the method of confirming the number and gadget is no different. It is also worth remembering that in any case, no matter what method you use to obtain a verification code, two-factor authentication will require you to know your own Apple ID. Learn it by heart, otherwise you risk not being able to access your account.

    New level of protection

    Each time you sign in to your user account, your location is sent to trusted devices. In cases where it coincides with your actual location, you can allow entry by pressing the highlighted button.

    If two-factor authentication offers to allow login on another device, although the current location of the device does not coincide with yours, then you should prohibit this action. This indicates unauthorized access to your gadget, and can also serve as a signal about the location of the attacker who stole your phone.

    Disabling two-factor protection

    It is strongly recommended not to perform any manipulations with the device that could disable Apple's two-factor authentication; this will reduce the level of security of your gadget. However, in some cases it is simply not required. For example, you constantly use both a laptop and a smartphone. There is no need to confirm your identity and, moreover, the procedure is very tiring.

    There are two ways to disable Apple's two-factor authentication. In the first case, you need to log into your account, select the “Edit” menu and select the appropriate option in the “Security” menu item. By confirming your date of birth and answering the security questions, you will turn off two-factor protection.

    Disabling two-factor authentication by email

    If you discover that two-step protection is activated on your device without your knowledge, you can disable it remotely using the email you provided at the time of registration or a backup address. How to disable two-factor authentication using email?

    To do this, you need to open the letter that will arrive in your mailbox immediately after activating the protection system. At the bottom of the message you will see the treasured “Turn off...” item. Click on it once, and the previous settings for protecting your personal data will be restored.

    You must follow the link within two weeks of receiving the message, otherwise it will become invalid. Now you won't have to wonder how to disable two-factor authentication, and you know a few more Apple secrets.

    Any more or less experienced Internet user has encountered 2FA. But few people understand how two-factor authentication works. To make the most of this powerful data protection tool, it's worth learning more about it.

    The first factor is a permanent password

    Two-factor authentication begins with a regular password, familiar from registration on any website. It is usually selected by the user himself when creating his account. By itself, a reusable password is not very secure and can only provide a basic level of account protection. In two-factor authentication, it serves as the first factor, the first “key” that unlocks the account.

    However, a reusable password, especially if chosen wisely, is an important part of the two-factor authentication process because it is a knowledge factor. PIN codes can also be classified as knowledge factors.

    What follows after entering a password? There may be different options here.

    Three factors of authentication: what we know; what we have; what is inherent to us.

    Factor number two - possible varieties

    As the second factor of two-factor authentication, two types of authentication methods can be used:

    1. What we have.

    Hardware identifiers in the form of smart cards, digitally signed certificates, tokens that generate one-time passwords. These means of user authentication require a physical connection and usually knowledge of a PIN code. And on the computer from which you log in, you need to install special software to interact with such an identifier. This method seems not entirely convenient to some users, because authenticators of this type need to be carried with them at all times and monitored for their safety. If the smart card or OTP token is stolen or lost, client authentication will become impossible.

    2. What is inherent to us.

    This group includes the inherent biometric characteristics of a person. These could be fingerprints, a pattern of the retina, the outline of a face, or the sound of a voice. Identifiers of this type do not use cryptographic methods or means. Most often, biometrics-based authentication is used to control access to premises or equipment - for example, at the entrances of enterprises and organizations.

    For use in remote environments between the person being checked and the person checking (as happens on the Internet), one-time passwords additionally protected by a PIN code are the most convenient and reliable. The good thing about a temporary password is that it is only valid for one session. Even if attackers intercept the OTP password, it will be useless if they try to reuse it.

    Methods for generating one-time passwords

    In order to understand how two-factor authentication works, it is important to understand where temporary passwords come from and how they become known to a legitimate user logging into the system.

    There are several ways to deliver the password to the recipient:

    • send by email;
    • send SMS to phone;
    • issue a list of passwords in advance for one-time use of each of them;
    • generate “on the spot” using software or hardware tokens.

    The stability of a one-time password is primarily achieved by using complex algorithms for its generation, which are constantly being improved. Three of them are the main ones in the solutions offered by the company.

    1. HOTP - by event. The basis for creating an OTP is the number of authentication procedures passed by a specific user and the secret key known in advance to both parties. These same values are taken into account when authenticating on the server.
    2. TOTP - by time. This authentication algorithm generates a password given a time parameter. Typically, it is not a specific number that is used, but a current interval with predetermined boundaries.
    3. OCRA is a challenge-response system. This algorithm generates one-time passwords using a random value received from the server as input. It can also be supplemented with a data signing function, which helps strengthen the security of the authentication procedure. This function allows you to include in the calculations specific parameters of the current transaction when creating and checking a password, including not only time, but also recipient, currency, and transfer amount. Due to its high reliability, the OCRA algorithm is best suited for use in the most critical areas of a data transmission and storage system.

    How one-time passwords are generated

    The HOTP and TOTP algorithms serve for one-way authentication - that is, the server verifies the authenticity of the client. When using OCRA, mutual two-way authentication of the user and the site he is accessing can be carried out. This point is very important to eliminate the threat of data substitution and auto-flooding, which are especially dangerous in banking transactions.

    Benefits of two-factor authentication

    The main advantage of two-factor authentication is the mutual support of one factor by another. If attackers manage to take possession of the login and permanent password, the inability to enter a temporary password can prevent unauthorized access to the account. If the OTP token ends up in the hands of fraudsters, then authentication will not occur without knowing the main password. This type of authentication is powerful precisely because the disadvantages of one factor can be offset by the advantages of another. And this is what makes two-factor authentication so powerful and reliable.

    Two-factor authentication or 2FA is a method of identifying a user in a service that uses two different types of authentication data. The introduction of an additional level of security provides more effective protection of your account from unauthorized access.

    Two-factor authentication requires the user to have two of three types of identification information.

    These are the types:

    • Something he knows;
    • Something he has;
    • Something inherent to him (biometrics).
    Obviously, the first point includes various passwords, PIN codes, secret phrases, and so on, that is, something that the user remembers and enters into the system when requested.

    The second point is a token, that is, a compact device that is owned by the user. The simplest tokens do not require a physical connection to a computer - they have a display that displays the number that the user enters into the system to log in - more complex ones connect to computers via USB and Bluetooth interfaces.

    Today, smartphones can act as tokens because they have become an integral part of our lives. In this case, the so-called one-time password is generated either using a special application (for example Google Authenticator), or sent via SMS - this is the simplest and most user-friendly method, which some experts rate as less reliable.

    In the course of the study, which involved 219 people of different genders, ages and professions, it became known that more than half of the respondents use two-factor SMS authentication on social networks (54.48%) and when working with finances (69.42%).

    However, when it comes to work issues, tokens are preferred (45.36%). But what’s interesting is that the number of respondents who use these technologies both voluntarily and by order of their superiors (or due to other compelling circumstances) is approximately the same.

    Graph of the popularity of various technologies by field of activity

    Graph of respondents' interest in 2FA

    Tokens include time-synchronized one-time passwords and one-time passwords based on a mathematical algorithm. Time-synchronized one-time passwords are constantly and periodically changed. Such tokens store in memory the number of seconds that have passed since January 1, 1970, and display part of this number on the display.

    In order for the user to log in, there must be synchronization between the client token and the authentication server. The main problem is that they can become desynchronized over time, but some systems, such as RSA's SecurID, provide the ability to re-sync the token with the server by entering multiple access codes. Moreover, many of these devices do not have replaceable batteries and therefore have a limited service life.

    As the name suggests, mathematical algorithm passwords use algorithms (such as hash chains) to generate a series of one-time passwords based on a secret key. In this case, it is impossible to predict what the next password will be, even knowing all the previous ones.
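    A hash-chain one-time password scheme of the kind mentioned above, as an added example that is not part of the original page. It follows the classic Lamport construction with SHA-256; the class names, the chain length and the seed are assumptions made for the illustration.

```python
import hashlib
import hmac


def h(value: bytes) -> bytes:
    """One link of the chain."""
    return hashlib.sha256(value).digest()


def chain(seed: bytes, n: int) -> bytes:
    """Apply h to the seed n times."""
    value = seed
    for _ in range(n):
        value = h(value)
    return value


class ChainClient:
    """Token side (hypothetical class): holds the secret seed, walks the chain backwards."""

    def __init__(self, seed: bytes, length: int):
        self.seed = seed
        self.remaining = length

    def next_password(self) -> bytes:
        if self.remaining == 0:
            raise RuntimeError("chain exhausted, enrol a new seed")
        self.remaining -= 1
        # Passwords are released in the order h^(n-1)(seed), h^(n-2)(seed), ...
        return chain(self.seed, self.remaining)


class ChainServer:
    """Server side (hypothetical class): stores only the last accepted value, never the seed."""

    def __init__(self, anchor: bytes):
        self.current = anchor  # h^n(seed), handed over at enrolment

    def verify(self, otp: bytes) -> bool:
        # A valid password is the preimage of the stored value under h.
        if hmac.compare_digest(h(otp), self.current):
            self.current = otp  # the accepted password becomes the new reference
            return True
        return False


if __name__ == "__main__":
    seed = b"constructed-demo-seed"  # constructed sample value
    client = ChainClient(seed, length=3)
    server = ChainServer(chain(seed, 3))
    p1 = client.next_password()
    print("first password accepted:", server.verify(p1))
    print("same password replayed:", server.verify(p1))
    # Hashing an observed password only moves forward along the chain,
    # towards values that were already used, never to the next one.
    print("hash of observed password accepted:", server.verify(h(p1)))
    print("second password accepted:", server.verify(client.next_password()))
```

    Because the server keeps only the most recently accepted value, a copy of its database does not reveal the next password.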

    Sometimes 2FA is implemented using biometric devices and authentication methods (third point). These could be, for example, facial, fingerprint or retinal scanners.

    The problem here is that such technologies are very expensive, although they are accurate. Another problem with using biometric scanners is that it is not obvious how to determine the required degree of accuracy.

    If you set the resolution of the fingerprint scanner to maximum, then you risk not being able to access a service or device if you get a burn or your hands are simply frozen. Therefore, to successfully confirm this authenticator, an incomplete match of the fingerprint to the standard is sufficient. It is also worth noting that it is physically impossible to change such a “biopassword”.

    How secure is two-factor authentication?

    This is a good question. 2FA is not impenetrable to attackers, but it does make their lives much more difficult. “By using 2FA, you eliminate a fairly large category of attacks,” says Jim Fenton, director of security at OneID. To break two-factor authentication, the bad guys will have to steal your fingerprints or gain access to cookies or codes generated by the tokens.

    The latter can be achieved, for example, through phishing attacks or malware. There is another unusual method: the attackers gained access to the account of Wired journalist Mat Honan using the account recovery function.

    Account recovery acts as a tool to bypass two-factor authentication. Fenton, after Mat's story, personally created a Google account, activated 2FA, and pretended to have "lost" his login information. “It took a while to restore my account, but three days later I received an email saying 2FA had been disabled,” notes Fenton. However, this problem also has solutions. At least they are working on them.

    “I think biometrics is one of those,” says Duo Security CTO Jon Oberheide. “If I lose my phone, it won’t take me forever to restore all my accounts. If a good biometric method existed, it would be a reliable and useful recovery mechanism.” Essentially, Jon suggests using one form of 2FA for authentication and another for recovery.

    Where is 2FA used?

    Here are some of the main services and social networks that offer this feature: Facebook, Gmail, Twitter, LinkedIn, Steam. Their developers offer a choice of: SMS authentication, a list of one-time passwords, Google Authenticator, etc. Instagram recently introduced 2FA to protect all your photos.

    However, there is an interesting point here. It's worth keeping in mind that two-factor authentication adds an extra step to the authentication process, and depending on the implementation, this can cause either minor (or no) login issues or major problems.

    For the most part, the attitude towards this depends on the user’s patience and desire to increase the security of the account. Fenton said: “2FA is a good thing, but it can make life difficult for users. Therefore, it makes sense to enter it only for those cases when the login is from an unknown device.”

    Two-factor authentication is not a panacea, but it can greatly improve your account security with minimal effort. Making life more difficult for hackers is always a good thing, so you can and should use 2FA.

    What's next for 2FA?

    Security methods based on multi-factor authentication techniques are now trusted by a large number of companies, including organizations from the high technology sector, financial and insurance sectors of the market, large banking institutions and public sector enterprises, independent expert organizations, as well as research firms.

    Oberheide notes that many users who were skeptical about two-factor authentication soon discovered that it wasn't that complicated. Today, 2FA is experiencing a real boom, and any popular technology is much easier to improve. Despite the difficulties, it has a bright future ahead of it.

    P.S. By the way, we recently introduced two-factor authentication to increase the security of your 1cloud personal account. After activating this method, to log into the control panel the user needs not only to enter an email address and password, but also a unique code received via SMS.

    To protect your personal data in today's world, you may need to consider increasing the level of security for your digital space using two-factor authentication.

    Various online technologies are increasingly being integrated into the life of a modern person. Most of us can no longer imagine ourselves without social networks, smartphones and the Internet in general. We leave a whole bunch of digital traces and personal data on the World Wide Web every day. At the same time, most users do not even think about what will happen if one day they lose access to their “digital world”, which ends up in the hands of attackers...

    Some would say that their modest persona is unlikely to interest hackers. However, even accounts from the most seedy social networks are sold on the “black market”. What can we say about, say, your Google account, which contains all your email correspondence, data from your phone and, possibly, links to bank cards?

    The saddest thing is that many people rely on “maybe” and use fairly simple passwords to access any serious accounts. And, by the way, there are entire special dictionaries containing thousands of popular passwords, like “1234qwerty” and the like, which allow you to be hacked in a matter of minutes! Therefore, conventional password protection is no longer reliable. It's time to use two-factor authentication!

    What is two-factor authentication?

    In various Hollywood science fiction films, we can see how the main character (or villain) first enters a bunch of passwords to access secret data, then applies a special identification card to the reading device, and to top it all off, he also looks into an eyepiece, where a laser reads the pattern of his retina. But this is no longer science fiction, but so-called multi-factor authentication.

    The traditional multi-factor authentication model involves three main factors (each of which can be duplicated to increase the level of protection):

    1. Knowledge factor. It implies that the access control system receives certain data that only a specific user should know. For example, this could be a traditional “login-password” pair, a pin code, mother’s maiden name, or other information that, ideally, only we can know. Unfortunately, many users do not remember their passwords, but store them on scraps of paper right at their workplace. Therefore, it would not be difficult for a hypothetical attacker to steal them...
    2. Ownership factor. Provides that the user has a certain thing that others do not have. Such things may include a unique phone number, a plastic card with a unique barcode or data chip, a USB token or other cryptographic device. Theoretically, it is also possible to steal it, but it is much more difficult. And, given that the ownership factor is usually supported by the knowledge factor (you must first enter a password), the chances of successfully using a stolen device are significantly reduced.
    3. Property factor. Uses certain personal qualities to identify the user. Some of the most unique ones include fingerprints, the face in general, the pattern of the iris, or even a DNA sample! Given the proper degree of sensitivity of the testing equipment, it is simply impossible to bypass such protection. However, biometric verification is still far from such perfection, so at the present stage it is usually supplemented with additional access control factors.

    In fact, multi-factor authentication is actually three-factor. Accordingly, two-step user verification involves discarding one of the factors. Typically, this is a property factor that requires special biometric equipment to confirm. Two-factor authentication does not require special investments, but can significantly increase the level of security!

    Today, the most common type of two-factor authentication on the Internet is linking an account to the user’s phone. In general, we traditionally enter a login with a password, after which we receive a special one-time PIN code on our phone via SMS or PUSH message, which we enter in a special form to access the site we need. Alternatively, instead of a message, you may receive a call from a robot that will ask you to press a particular number on the phone keypad.

    Authorization using USB tokens is less common (for example, in modern accounting services). Such a token contains an encrypted key corresponding to a password that is known to the user. When authorizing, you need to connect the token to the USB port of your computer, and then enter the password in a special field. If it matches the one encrypted on the token, authorization will occur.

    However, tokens cost money and require periodic key renewal, which is also not always free. Therefore, the most commonly used method of two-factor verification is still telephone verification. And here we will talk about it in more detail.

    Two-factor authentication in Windows

    Windows 10 is a modern operating system, therefore, by definition, it must contain modern security features. One of these is the mechanism of two-factor user verification. This function appeared and disappeared again in some versions of the system, going through a number of improvements, so if you want to use it, be sure to make sure that you have all the updates (especially the KB3216755 patch, which fixed the authentication in the Anniversary Update).

    Also, for two-step verification to work, you will need to have an account registered with Microsoft. That is, with a local “account”, alas, nothing will work out...

    Now you need to prepare your phone for the procedure. You need to install a special application on it that will receive Windows account login verification signals and confirm them. For Android smartphones, you can choose the official Microsoft Authenticator program, and for iOS devices, the unified Google Authenticator solution (also for Android) is suitable.

    After all the preliminary settings, you need to log into your Microsoft account and set it up for two-factor sign-in. The easiest way to do this is to open the "Accounts" section of the "Options" snap-in. On the first tab, "Email and Accounts", click the link "Manage your Microsoft account", after which you should be redirected to the Microsoft account login page.

    A page with settings will open, among which you need to find the group "Two-Step Verification" and click on the link "Setting up two-step verification".

    You will see a step-by-step wizard for setting up two-factor authentication, following the prompts of which you can activate two-step user verification when logging into Windows.

    Two-factor authentication with Google

    After Windows, Android is in second place in popularity among modern users. And most Android devices, as we know, are “linked” to a Google account. It also wouldn't hurt to protect it further. Moreover, the two-factor authentication function for its accounts has been working successfully for quite a long time.

    To access the two-step verification settings, you need to log into your Google account, go to the special page and click the button "Begin".

    You may be asked to re-enter your account password to confirm access to your settings. After this, a step-by-step wizard will open that will help you set the necessary parameters for two-step account login verification.

    All you need to do is enter your phone number (it is most likely already “linked” to your account), receive an SMS with a one-time verification code, then enter the code in a special field and activate the procedure for all subsequent authorizations.

    However, logging in with your phone isn't the only two-factor authentication method Google offers. If you have a FIDO Universal 2nd Factor (U2F) token, you can also set up a login to your account using it. Well, of course, you can receive verification codes not only in the form of SMS, but also PUSH messages in the Google Authenticator application we already mentioned above.

    Two-factor authentication on social networks

    Following general trends, the developers of some large social networks have also taken care of two-factor authentication.

    2FA on Facebook

    Facebook, being one of the most popular social networks in the West, like Google, has long been offering its users a two-step account login verification function. Moreover, access codes can be received both via SMS and in universal authorization applications. Of these, Google Authenticator and Duo Mobile are supported.

    You can enable two-factor authentication on Facebook by going to the settings section

    To figure out what two-factor authentication is and how it is usually implemented, you should find out what authentication is in general. To keep it simple, authentication is the process where a user proves that he is exactly who he said he is.

    For example, when you log in, you enter your username and your password and thereby prove that you know the secret key, which means you confirm that you are you and not a stranger. In this case, knowing the password is the so-called “authentication factor”.

    But the password can be very simple, and an attacker can easily guess it, or it can simply be on a piece of paper under the keyboard (which, of course, is wrong). Entering a password will allow an attacker to prove to the system that he knows the password, and therefore has the right to use this system.

    Therefore, in order to protect the system from such situations, it is customary to use two authentication factors simultaneously: for example, a password and a smart card. In this case, the second authentication factor will be the fact of possessing a smart card. The system will check your password and smart card, and if everything is correct, it will let you into the system.

    Two-factor authentication and electronic digital signature

    Quite often, two-factor authentication is used for electronic signatures. A digital signature on a document is usually similar to a handwritten signature on a paper document, so it is very important that your electronic signature cannot be put by attackers instead of you.

    Most often, in order to secure your electronic signature, it (more precisely, an electronic signature certificate) is written onto a token. A token is a special device that is often used to store electronic signature certificates. Your electronic signature on the token is password protected, so even if it is stolen, attackers will not be able to use it. In this case, the first authentication factor will be the fact of owning the token, and the second will be knowledge of the password to access the electronic signature on the token.

    To store electronic signature certificates, we recommend the following token models:

    Two-factor authentication for login

    Often, organizations store very important data on their computers, which may constitute a trade secret, which, of course, can be hunted by competitors and other attackers. And using regular passwords is not enough to guarantee the security of information.

    In order to protect data on the computers of your employees, two authentication approaches are used:

    • protect the login process

    As part of this approach, a software product is installed on the computer, which begins to require a token when logging in, and also ensures that the token is inserted at all times. If you remove the token, the computer will immediately lock.

    This method is good to use where the premises are protected and no one can physically steal the computer or its hard drive.

    • protect all data on your computer

    There is also a way to encrypt all data on a computer and, when the computer boots, require the user to enter a password and insert a token. If the password is incorrect or the token is incorrect, then the data simply will not be decrypted, and even if stolen, the attacker will not be able to use the information from the computer.