
Defending Your Data: Which Two-Factor Authentication Method Suits You Best?

Two-factor authentication, commonly referred to as 2FA, is a vital layer of cyber security designed to ensure that you're the only person who can access your account, even if someone else knows your password.

If you're new to the world of two-factor authentication, then you should probably start by reading our first article before going deeper below.

What is clear is that by implementing this additional layer of protection, 2FA significantly decreases the likelihood of unauthorised access to your data and sensitive information, thereby providing enhanced cyber security protection in our increasingly digital world.

But not all forms of 2FA are equal...

In this article, we're going to explain the pros and cons of the different types of 2FA so that you can decide which is the best fit for you personally, and your organisation.

  1. Something You Are (Inherence Factors): This involves biometric data of the user. It includes:
    • Fingerprint Scanners: Commonly found on smartphones and laptops.
    • Facial Recognition: Used by systems like Apple's Face ID.
    • Voice Recognition: Less common, but still used in some systems.
    • Iris or Retina Scans: Mostly used in high-security systems.
  2. Location-based Factors: In some systems, the location from which you are trying to access your account can also be a form of 2FA.
  3. Behavioural Factors: This is a newer type of 2FA that involves analysing user behaviour, like keystroke dynamics or mouse movement patterns.
  4. Push Notification: With this method, after you enter your password, a notification is sent to a trusted device, and you must approve the login attempt.

Each type of 2FA has its strengths and weaknesses. For instance, while biometric data is difficult to fake, it's also not something you can change if it gets compromised. Meanwhile, SMS codes can be intercepted, especially if the attacker has control over the phone number to which the code is sent. Thus, when implementing 2FA, it's essential to consider the unique needs and security requirements of the situation.


Something You Know (Knowledge Factors)

This is one of the key components of two-factor authentication (2FA).

This type of authentication is based on information that only the user should know. The most common example is a password or a PIN (Personal Identification Number).

When you create an account on a website or an app, you're often required to create a unique password. This password is something that you know, and ideally, no one else does. Similarly, a PIN is a numeric or alphanumeric code that you're asked to create for some systems.

Knowledge factors can also include answers to "security questions" that you set up, like your mother's maiden name or the name of your first pet.

The strength of this type of factor lies in its secrecy. If someone else finds out your password, PIN, or the answers to your security questions, they could potentially access your accounts, which is why it's crucial to keep this information confidential and combine it with other types of 2FA for enhanced cyber security protection.


Something You Have (Possession Factors)

This type of 2FA relies on a user having a specific device or object that can be used to confirm their identity.

Some common examples include:

  • SMS Codes: With SMS-based two-factor authentication, after entering your password on a website or app, a unique, typically time-sensitive code is sent to your registered mobile number. This code is then required to be entered into the platform to gain access. For instance, if you're logging into your Gmail account from a new device, Google may send an SMS with a verification code to your linked mobile number. However, this method has its drawbacks, such as reliance on network availability and potential cybersecurity concerns if the SMS is intercepted or the phone is lost or stolen.
  • Authenticator Apps: Authenticator apps like Google Authenticator, Microsoft Authenticator, or Authy add another layer of cybersecurity. These apps generate Time-based One-Time Passwords (TOTPs), which are usually valid for only a short period of time, like 30 seconds to a minute. For example, if you've set up 2FA with your Facebook account using Google Authenticator, each time you log in, you'll need to open the Google Authenticator app on your mobile device and enter the code it displays for Facebook. This method does not rely on network coverage and the codes are not as easily intercepted as SMS codes.
  • Security Tokens/Hardware Tokens: Security tokens are physical devices that generate a code for two-factor authentication. A well-known example is the YubiKey. To use a YubiKey, you first register it with the online service you want to secure. When you later log in to that service, after entering your password, you'll be prompted to insert your YubiKey into your device and tap a button on the YubiKey to provide the second factor. The advantage of hardware tokens like the YubiKey is that they are not connected to a network and thus are immune to remote cyberattacks.
  • Software Tokens: Software tokens are software-based equivalents of hardware tokens. They are applications installed on a device that generate a one-time password for authentication. Software tokens can be used in the same way as hardware tokens but don't require the user to carry a separate device. They are common in high-security environments like banking or corporate networks. An example of this is RSA's SecurID Software Token, which, when registered with the respective service, generates a new access code at fixed intervals that you'll use as your second authentication factor. The code is stored on the device itself, thus eliminating the risk of interception over the network.

While possession factors significantly enhance security, they should be used in conjunction with other cybersecurity measures for maximum protection.


Something You Are (Inherence Factors)

This refers to biometric data used in two-factor authentication (2FA).

This type of authentication involves something inherent to the user's biological makeup or behaviour. Biometrics provide a strong level of cybersecurity protection because they're unique to each individual and are extremely hard to fake or steal.

Here are some examples:

  1. Fingerprint Scanners: Fingerprint scanning is a common biometric method used in many devices, particularly smartphones and laptops. Each individual has unique fingerprint patterns, making this a reliable form of identification. For instance, iPhones use the Touch ID feature to authenticate a user based on their fingerprint.
  2. Facial Recognition: Facial recognition technology identifies an individual by analysing patterns in their facial features. It's used in devices like smartphones, tablets, and laptops. Apple's Face ID on newer iPhones and iPads is a prominent example.
  3. Voice Recognition: Voice recognition, while less common, is another biometric method. It analyses an individual's unique voice pattern to verify their identity. This technology is often used in virtual assistant applications, call centres, and some banking applications.
  4. Iris or Retina Scans: Iris or retina scans are used in high-security systems, and sometimes in smartphones, as a form of biometric authentication. These scans analyse unique patterns in the iris or retinal blood vessels.
  5. Behavioural Biometrics: These include more innovative and less commonly used methods like keystroke dynamics (the way you type on a keyboard), mouse movement patterns, or even the way you walk (gait analysis). These methods are usually used in more specialised or high-security applications.
  6. Vein Recognition: This technology analyses vein patterns in an individual's palm, finger, or eye, which are unique to each person. It's generally used in high-security settings.

Remember, while biometrics provide a high level of security, they also raise privacy concerns, as they involve collecting and storing sensitive personal data.

Furthermore, unlike passwords, biometric data can't be changed if it's compromised, which is why it's important to protect such data with the highest cyber security standards.