The Dystopian Security

“Since the COVID pandemic, there has been a 47% jump in the severity of ransomware attacks, a 35% increase in funds transfer fraud, and a 67% increase in business email attack”, to cite just a few statistics. This blog post is written to give you insight into the various ways of protecting yourself from cyber attacks. 

There are three widely-accepted methods of authenticating yourself:

  • Knowledge – Something you know. Passwords, PINs, and patterns to unlock your smartphone all fall into this category. It’s a simple yet not very secure method. Much has been written about the problems with “strong” passwords, people using the same password for different services, and similar issues, so at this point, I just want to emphasise that passwords can be problematic.
  • Possession – Something you own. Smart cards, tokens, similar devices, and in simplified terms, also your phone. These types of authentication are commonly a part of the multifactor authentication process.
  • Inherence – Something you are. Biometric types of authentication fall into this field – fingerprints, facial scans, retinal scans, voice patterns, etc. The jury is still out on the pros and cons of this type of authentication, mainly because it opens a whole new field of privacy issues, is expensive to deploy, and is still not 100% hack-proof.

To protect our personal information, we need to make sure that only we can access it. This is done through “authentication”: you prove your identity to the service you are using. This is usually done with credentials such as a user name/email and password combination, but this method can be “hacked”. Attackers can brute-force password guesses one after another, and given enough time, they would gain access to your account. This is what led to the invention of two-factor authentication.

As the name suggests, two-factor authentication (also called dual-factor authentication) is an authentication/security process in which the user has to provide two different authentication factors to identify/verify themselves. Only after the user provides both factors can they gain access to their account. The first factor is usually the user name/email and password combination. The second factor, which obviously should not be brute-forceable, is typically a security token or a biometric factor, such as a facial scan or fingerprint.

Two-factor authentication adds an additional layer of security to the authentication process by making it harder for attackers to gain access to a person’s devices or online accounts because, even if the victim’s password is hacked, a password alone is not enough to pass the authentication check. Two-factor authentication has long been used to control access to sensitive systems and data. Online service providers are increasingly using 2FA to protect their users’ credentials from being used by hackers who stole a password database or used phishing campaigns to obtain user passwords.

There are various two-factor authentication methods:

  • Email OTP
  • SMS OTP
  • Time-based OTP
  • Security Key

You would’ve already come across Email and SMS OTP: the service sends you a one-time password over email or SMS respectively. A Security Key is a physical device, usually a USB stick-like dongle, which stores the encrypted key; the service automatically recognises the key once it’s connected to the machine. What you may not have heard about are Time-based OTPs and how they are generated. What’s special about Time-based OTPs is that a new one is generated after every fixed period of time (usually a few seconds), and once a new one is generated the old one is invalid.

Time-based OTP, or TOTP, is a standardised method for generating a regularly changing code based on a shared secret (that is to say, shared by the service’s server and your phone; no one else!). Because it’s a standard, you can get many different (and mostly free) authenticator apps for your mobile phone that support it. Some of the most popular ones are Google Authenticator, Authy, Duo, and 1Password.

When you set up TOTP, the service for which you are setting up 2FA generates a secret key – a bunch of random numbers and letters. You then save this key to your phone, normally by scanning a QR code with your authenticator app. In case the QR code doesn’t get recognised for some reason, you can instead type the key given by the service into the authenticator application.

Now your phone and the service’s server both have a copy of this secret key. When you want to log in, you need to prove that you have the key. To do this, your app combines the key with the current time (to the nearest 30 seconds) to produce an access code. It does this using something called a “secure hash function” (for the crypto-heads out there, it uses HMAC-SHA-1). In layman’s terms, it mixes the time and your key together to produce an output that’s unique (if the time or the key differ in even the slightest way, the output is completely different) but impossible to reverse (knowing the output doesn’t help you guess the secret key). To make it easier to type, the access code is shortened to a 6-digit number.
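To make the description above concrete, here is an added worked example (not code from the original post) of the TOTP computation it describes: HMAC-SHA-1 over the shared secret and the 30-second time counter, dynamically truncated to 6 digits, plus the server-side check that accepts a neighbouring window for clock drift. The function names and the base32 handling are my assumptions; the base32 form is what authenticator apps expect in the QR code.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional


def generate_secret(num_bytes: int = 20) -> str:
    """Random shared secret, base32-encoded the way authenticator apps expect it."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii")


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA-1 over an 8-byte counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    msg = struct.pack(">Q", counter)                   # counter as big-endian 8 bytes
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                         # low nibble of last byte picks a 4-byte slice
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)      # keep `digits` decimal digits, zero-padded


def totp(secret_b32: str, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of `step`-second windows since the Unix epoch."""
    now = int(time.time()) if at is None else at
    return hotp(secret_b32, now // step, digits)


def verify_totp(secret_b32: str, code: str, at: Optional[int] = None,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the current window plus `window` neighbours to tolerate
    clock skew, and compare in constant time so timing does not leak matched digits."""
    now = int(time.time()) if at is None else at
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, now + drift * step, step)
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    shared = generate_secret()          # would be shown as a QR code / typed into the app
    current = totp(shared)
    print("secret:", shared, "code:", current, "valid:", verify_totp(shared, current))
```

Run it twice a minute apart and the printed code changes while any older code stops verifying, which is the invalidation behaviour the post describes.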

The 2FA application also gives you recovery codes, which you must make a note of (in a physical notebook, or saved locally). Each of these codes can get you back into your account in case you lose your phone or delete your 2FA app. 2FA applications also provide a way of moving your current TOTPs to a new phone when you change phones. But these recovery codes shouldn’t be stored anywhere someone else could access, as each one grants full access to your account.

I hope this article encourages you to set up some sort of 2FA and secure yourself from hackers who try to steal your information. Check the security section of any service you use; it should offer some sort of 2FA, and I personally would suggest you set up TOTP-based authentication.

– By Tharun K, Third Year Department of Information Technology
