A lot has been written about two-factor authentication, but, unfortunately, not everyone appreciates the fragility of the standard login + password combination.
Currently, all important information – from personal photos, works of art, people’s health and medical information to financial and business documents – is kept in electronic format. And that often plays into fraudsters’ hands.
Armed robberies are a thing of the past. There are more convenient and secure ways of obtaining other people’s money without being caught. The most dangerous thing is that any advanced coder knows all these methods. Phishing, data spoofing, Trojans, data modification malware – this list is endless.
Obviously, a simple combination of login and password is no longer sufficient to ensure secure protection of important information. It is not difficult to figure out what password a person would use; multiple studies of behavioral factors prove this beyond any doubt. We often use the same password to protect different accounts without realizing how dangerous it is – if an intruder obtains illegal access to one resource, it will give him access to our other resources as well. A complex and difficult password is not a reliable solution either – it is easy to forget, or if it is written on a piece of paper, in an application or a file, it can be easily copied or stolen.
Two-factor authentication is the only reliable data protection solution
Fortunately, it is not only online fraudsters that develop and implement new technologies. All mankind is united in its quest for the most effective data protection method. Currently, the best solution available is two-factor authentication or 2FA.
This user authentication method consists of two stages:
- Entering a login and password.
- Entering a one-time password generated by a hardware token or a mobile application, or received via an SMS message.
The essence of two-factor authentication is that even if a fraudster manages to obtain your login and password, only one factor will be compromised, because one-time password (OTP) generation requires a special device called a ‘token’ that only you have. There is no point in trying to intercept one-time passwords as they have a limited validity period, and every new password generated has nothing to do with the previous one. It is impossible to predict the next OTP from the previous ones; generating it requires knowledge of the secret key, which is stored only on the server and in the token itself.
Two-factor authentication is considered to be even more reliable than biometric authentication. Think about it: a fraudster only needs to obtain your fingerprint or voice recording once, and you will never be able to use this security method again. If a token were to be lost, you can easily and quickly block and replace it.
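To make the "limited validity period" and "nothing to do with the previous one" claims concrete, here is an added example (not code from the original article or from any product it mentions) of a time-based one-time password in the style of RFC 6238 (TOTP) built on an HMAC-based code (RFC 4226, HOTP). The secret below is the ASCII test key from those RFCs, used only so the output can be checked against their published vectors; a real token gets a random per-device secret. The server-side `verify_totp` with its drift window is an assumed design, not any particular vendor's behaviour.

```python
import hashlib
import hmac
import struct
import time

# RFC 6238 test secret (ASCII "12345678901234567890"), used here only so the
# results match the published test vectors; never reuse a fixed secret in practice.
RFC_TEST_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    followed by dynamic truncation to a fixed number of decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble selects the window
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the current time step.
    Every step yields an unrelated code, and a captured code dies with its step."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: float,
                window: int = 1) -> bool:
    """Server-side check (assumed design): accept the current step plus
    `window` steps either side to tolerate clock drift, nothing older."""
    current = int(unix_time) // STEP_SECONDS
    for step in range(current - window, current + window + 1):
        # compare_digest avoids leaking the expected code via timing
        if hmac.compare_digest(hotp(secret, step), submitted):
            return True
    return False


if __name__ == "__main__":
    now = time.time()
    code = totp(RFC_TEST_SECRET, now)
    print("current code:", code, "accepted now:", verify_totp(RFC_TEST_SECRET, code, now))
    # The same code submitted three steps later is rejected: it has expired.
    print("accepted 90 s later:", verify_totp(RFC_TEST_SECRET, code, now + 90))
```

A server using this check should additionally remember the last accepted step for each token and refuse a second login with the same code inside that step, otherwise a code phished in real time can be replayed once within its window.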
Google Authenticator: panacea or a piece of cheese in a mousetrap?
Google Authenticator is perhaps the most well-known and popular 2FA solution. This OTP generator owes its popularity to its accessibility, since Google Authenticator two-factor authentication is a solution offered completely free of charge. And yet, everyone knows that only cheese in a mousetrap is completely free of charge. We decided to find out whether the Google solution is reliable and review its strengths and weaknesses.
Advantages:
- It is offered completely free of charge.
- It has been tested with millions of authentications worldwide.
- It is an open source software application.
- It is possible to independently customize the functionality depending on a company’s specific needs.
However, this token was developed only for authentication in Google services. Hence, its shortcomings:
- Customization is possible, but all modifications will have to be made by you at your own expense and at your own risk.
- There are no guarantees that after introducing modifications there will be no vulnerabilities in the application; in case of a system compromise, you will bear all the responsibility.
- Perhaps, the most significant drawback of Google 2FA is the fact that it is only a token, and to implement two-factor authentication a server is required, so you will have to develop the server part on your own. To eliminate the possibility of any person outside your company obtaining the secret key, the authentication system should be deployed on your company’s servers, which involves additional expenses.
- There is no data signing feature, which gives hackers absolute freedom and makes the authentication system vulnerable to new threats such as data modification or Trojan fraud malware.
What is data modification, and what protection is there against it?
Data modification is one of the most cunning types of online fraud. Hackers spent a lot of time trying to figure out how to bypass two-factor authentication and came to a conclusion that the best way would be not to try to bypass it but to do something much easier – make a user transfer funds to a fraudster’s account via deception and manipulations with the user’s browser.
This process can be performed in different ways. Here is a description of one possible scenario. A user logs into their account and sees a message saying that money has been transferred to their account by mistake. The message will also say that the account will be locked until the user returns the required amount of money to the sender that erroneously made the transfer. It all looks very realistic; the user can see that there is more money in their account and verifies the transaction with the password received via an SMS message. The user believes that they are doing the right thing, and afterwards the user sees their account’s initial balance reflected on the screen. The fraud will be discovered only when the funds are insufficient for a legitimate transaction.
How can this problem be solved? It would seem that two-factor user authentication is useless, and most of the companies operating in the market today cannot tackle such a task.
But Protectimus offers its own method to ensure protection against data modification, Trojans, data spoofing, and other hacking tricks. The Protectimus two-factor authentication system successfully eliminates this threat due to a new function called data signing or CWYS.
How does CWYS (data signing) ensure protection against data modification?
The acronym CWYS stands for ‘Confirm What You See’. The essence of this function is that the details of the transaction being confirmed are used as an input to one-time password generation, so the password is tied to that specific transaction.
Consequently, if there is one set of (fraudulent) transaction data on the user’s end, and the server sees completely different (authentic) information, the one-time passwords generated by the token and the server will be different, authentication will not be successfully completed, and the user will be warned that he is the target of a hacking attack.
Typically, the data signing function is supported only by tokens that work based on the OCRA algorithm (OATH Challenge-Response Algorithm). But, Protectimus has taken it a step further. In one of our products, namely in the software token called Protectimus SMART, all one-time password generation algorithms are available; the user chooses the most convenient algorithm, but the data signing function remains available for any of the algorithms supported. Moreover, the CWYS function also works for the other token types (Protectimus ULTRA, Protectimus SMS, and Protectimus MAIL). The OCRA (Challenge-Response) algorithm is reliable in and of itself, but by using CWYS we have managed to reach a new level of security!
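The following is an added example, written for this article and not the Protectimus implementation or the exact RFC 6287 OCRA algorithm, showing the principle behind transaction data signing described above: the token and the server each compute the one-time password over the transaction details they see, so a transaction altered in the browser produces a code the server will not accept. The field names (`recipient`, `amount`, `currency`), the counter, the demo secret and the account numbers are all constructed for the illustration.

```python
import hashlib
import hmac
import struct

# Constructed demo secret shared by token and server; a real deployment
# provisions a random secret per token and never exposes it to the browser.
DEMO_SECRET = bytes.fromhex("3132333435363738393031323334353637383930")
OTP_DIGITS = 6


def canonical_tx(tx: dict) -> bytes:
    """Serialize the fields the user confirms in a fixed order.
    Each value is length-prefixed so that field boundaries are unambiguous."""
    out = b""
    for field in ("recipient", "amount", "currency"):
        value = str(tx[field]).encode("utf-8")
        out += struct.pack(">H", len(value)) + value
    return out


def signed_otp(secret: bytes, counter: int, tx: dict) -> str:
    """Challenge-response OTP in the spirit of OCRA: the MAC input is the
    8-byte counter followed by the transaction details, then the result is
    truncated to decimal digits as in HOTP."""
    data = struct.pack(">Q", counter) + canonical_tx(tx)
    mac = hmac.new(secret, data, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** OTP_DIGITS).zfill(OTP_DIGITS)


def server_verify(secret: bytes, counter: int, received_tx: dict, otp: str) -> bool:
    """Server side: recompute the code over the transaction it actually received
    and compare in constant time. Any difference in the details fails the check."""
    expected = signed_otp(secret, counter, received_tx)
    return hmac.compare_digest(expected, otp)


def demo() -> tuple:
    """Returns (legitimate accepted, tampered accepted) for the scenario above."""
    counter = 7
    # What the user sees and confirms on the token (constructed values).
    confirmed = {"recipient": "ACC-12345", "amount": "100.00", "currency": "USD"}
    # What malware in the browser actually submitted to the server.
    tampered = {"recipient": "ACC-99999", "amount": "100.00", "currency": "USD"}

    otp = signed_otp(DEMO_SECRET, counter, confirmed)   # produced by the token
    legit_ok = server_verify(DEMO_SECRET, counter, confirmed, otp)
    tampered_ok = server_verify(DEMO_SECRET, counter, tampered, otp)
    return legit_ok, tampered_ok


if __name__ == "__main__":
    ok, bad = demo()
    print("unmodified transaction accepted:", ok)      # True
    print("browser-modified transaction accepted:", bad)  # False, user is warned
```

The protective effect depends on the token showing the user the details from its own channel (the token app or the SMS text) rather than reading them from the compromised browser page; the server should also log the mismatch, since a rejected signed code on an otherwise valid session is a strong indicator that the client is tampering with transaction data.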