Hello ladies and gentlemen, you are probably here to understand what is 2FA, what are its types, and what is your best fit for your stakeholders, customers, partners who will be using your applications or services. We will get into those details, but in the first section, I would love to address the hesitancy of your stakeholders, customers, partners, and or being critics of 2FA.
- SMS (Simple Messaging Service)
- OTP (One Time Password)
- TOTP (Time-based One Time Password)
- 2FA (Second Factor Authentication)
- B2C (Business to Customers)
- B2B (Business to Business)
Why Don’t You Log Me in with just a Username and Password?
This is precisely your question repetitively, especially in recent times wherein you have to enter your username and password followed by waiting for an SMS or email-based OTP code, a voice call, a push may be, entering a code from a different app which you might have been forced to download, confirm your fingerprint, face-recognition, or maybe carry a small device/card with you, so you can make use of it to successfully sign-in on your work-machine, on your any of the mobile apps, any of yours enterprise’s software you may want to access, etc. All this hustle even after you have an IQ of a genius to remember your username and password for anything that you may want to sign in to? Trust me, this world is not fair to you!
What is 2FA?
- 2FA otherwise known as second (2) factor authentication is a type of authentication which is carried out second to your username-password authentication. The introduction of 2FA has been to secure your identity, your access or your account in a greater way so you can be sure it is only you trying to access when you are signing in.
- Traditionally username and password are something only you knew (unless you are forced to share it with your partner). But with increasing computation power today it is very easy to crack a password with brute force.
- Therefore, 2FA helps you protect your access while confirming with something you have or possess, example, OTP codes, fingerprints, face-recognition or other 2FA hardware.
- This ensures that someone else (apart from your partner of course) also knows the password they can simply login, but since now you have 2FA on your phone the login does not necessarily succeed unless they put in 2FA challenge which can be again OTP code, biometrics or 2FA hardware.
OK, but I still do not know WHY 2FA?
- Username and Passwords has secured us for a long period of time now and with the growing number of applications, services, you may be accessing each day, it is become tougher and tougher day by day to manage so many username and password for each of the application or services you may want to access. Considering you being you and you are accessing so many apps and services, your genius level IQ now starts creating passwords which are as good as ________ (yes, nothing). Also, again your intelligence now spreads over all of the applications and services you may be accessing; so now, you also use same password across all of them.
- Also, even say if you manage to come up with one password per app or service you use policy, it is very much difficult to remember all of them, then your genius inside starts writing them down on a colorful little sticky notes and put it in a designed fashion on the face of your monitor, so anyone sitting at your workstation can pretty much do anything they want to with your life.
- Also, you will be the first one to be pissed off if you are asked to keep your password at least 15 characters (upper, lower case, special characters and numbers) and change it every 90 days for all the applications and services you may be using.
Therefore, 2FA are here to save you from a bad actor accessing any of your account on your behalf. Because once a bad actor is in your account, the ramifications can be enormous, because you know and if not already, think on what all they get access to based on what data/information are in those apps and services you are currently using.
Alright, now that we have addressed that, let us now see what the different types of 2FA which are you can deploy for your stakeholders, customers (B2C) or partners (B2B) who will be using your services or applications.
1. OTP based 2FA
This is the most basic type of 2FA which can be implemented using SMS or email services. This is where after entering username and their password, user gets an OTP (One Time Password) on their phone by SMS on their registered phone number or getting an email with an OTP on their registered email account.
One other type of 2FA which falls under this category is OTP code over voice call. In this, the end-user gets a call and are usually asked to dial a number on keypad while on the call to do 2FA.
- Ease of implementation.
- Ease for end-user as they get OTP with SMS or Email services.
- OTP code lifetime is usually 5 minutes, considering service provider network coverage and email services may take some time to deliver OTP, it gives a larger window for an attacker to attack. Rule of thumb being, larger the OTP lifetime, larger should be the number of digits your OTP should have.
- Sometimes due to lack of network coverage by service provider, SMS based OTP may not be received by the end-user, thus cannot perform 2FA. This also applies to the voice based 2FA, wherein due to lack of network coverage by the service provider, the user may never get a call.
- If the end-user lost their phone, they cannot do SMS based 2FA neither can do call based 2FA.
2. TOTP based 2FA
This is a variant of OTP which is Time-based and hence Time-based One Time Password (TOTP). To deploy this, you will have to ask you end users to install other applications such as Google Authenticator, DUO, etc. to get these TOTP codes. The flow is, after entering their username and password, when the user is prompted to enter their 2FA code, user has to go either to one of these apps and they will see the code which should be entered on the 2FA screen.
One other perks of these additional authenticator apps which you will have your users installed is that users can also do a push based 2FA when they are prompted for 2FA. The flow for this is when users get to 2FA screen after entering their username and password, on the 2FA screen they will see an option to “PUSH”, when they click on that, the TOTP application on their phone will show them a prompt on their screen or in their notifications, where they can simply “Approve” or “Deny” the push, which basically translates to approval or denial of 2FA by the user. This makes it much simpler and faster for the user and also user does not have to open the authenticator app, look for the TOTP code and type it in on the 2FA screen.
- Faster, easier on the end-user, as explained, push is also supported by most of these authenticator apps.
- There is no network coverage dependency and also code is always being available in the authenticator applications.
- Time-based One Time Password are also very secured because as the name suggests the codes are timed to change every 30 seconds, thus, reducing the attack window to a very large extend.
- Cross platform support, some of the authenticator applications can support multiple platforms where the user is enrolled with TOTP based 2FA.
- Cannot support feature phones where the authenticator applications cannot be installed, thus a limitation for subset of users.
- User has to download the authenticator application there is no work-around.
With the rise in technology and smartphones able to support multiple biometrics scanners such as fingerprint and face-recognition, this is one the secured 2FA that you can support. Also, these technologies are now starting to replace passwords altogether and you will soon see passwordless logins soon around you and you will rather be logging in with your biometric scans on your smartphone.
The flow for this is very similar to the other flow which we have seen, after entering username or password and getting on the 2FA screen, the user will be prompted to rather scan their fingerprint or face-recognition on the device’s scanners.
- Faster and easier on end-users as they just have to scan their biometrics on their respective scanners.
- Most secure 2FA which can be carried out compared to others.
- There is no network coverage dependency as required for OTP based 2FA.
- Users also do not have to install any of the authenticator apps as all the smart devices now readily support biometric scanners.
- This can again be supported on cross-platforms.
- Handling the biometric data is a privacy concern.
- Smart devices with these biometric scanners are required to carry this out.
4. Hardware based 2FA
This is another type of 2FA that basically requires you to have a hardware usually a card or USB-based device which may be required while you are challenged with 2FA. The flow for this is; after entering your username and password when the user is on the 2FA screen, the user is then required to either scan the card they may have on the device’s reader or may have to insert the USB hardware for this purpose in the USB port.
- One of the most secured way of 2FA.
- This does not require a user to have internet coverage.
- This has some overhead in terms of costs, as it is expensive involving all the hardware and maintaining those hardware devices.
- End-user can easily misplace the hardware or it can also be stolen.
So, which One is your Best Fit?
This decision is best taken when you have all the stones turned. This is what the purpose of this was to give you all the information on what the different types are, what or not you get while adopting one over other and what are the trade-offs. You should also be considering your end-users what they have access to and what not, also, with how much latency or delay (TOTP vs OTP) you want to log users in.
We also do provide our expertise and help you take the right decision on what suits your end-users best based on the infrastructure you may already have or may be looking to deploy. We do also implement such solutions on any scale you may want us to in your enterprise, for your B2C customers as well as your B2B partners. We look forward to hearing from you and working with you on implementing and securing your infrastructure for any of your IAM needs.