With the billions of passwords floating around and password re-use attacks forever on the rise, it is time for everyone to consider multi-factor authentication. Recently, a Google engineer revealed that 90% of active Gmail accounts do not make use of two-factor authentication (2FA) even though they offer a free service. Yet, if we look at the thousands of Gmail accounts that were compromised over the last quarter alone, it is clear that multi-factor authentication should no longer be considered optional, but compulsory. Gone are the days that a password alone, no matter how strong, will protect you from being compromised.
What is multi-factor authentication and how can it protect you from having your account compromised? Every day, we ingest thousands of dumped account credentials with passwords, many of which have been stolen from literally thousands of insecure websites. With 2FA, even if your credentials are stolen, a second measure of authentication known as Type 2 authentication or “something you have” effectively prevents unauthorised individuals from accessing your account.
Any website service that holds your sensitive data should offer 2FA functionality, and most do! The problem is that not enough people are taking advantage of it. It is easy and free. As mentioned earlier, Google offers an excellent service – it is called the Google Authenticator and it can be downloaded as an app to your mobile device. When signing into your Gmail account for example, you will be asked for your password, and then for a 6-digit number which expires every 30 seconds. Both pieces of data – “something you know” and “something you have" – are necessary to authenticate you to the account.
And then there’s Type 3 – “something you are” or biometric authentication. There has been some excellent research in this space, and now Type 3 authentication is as readily available as Type 2. Fingerprints, iris and retina scans, facial and voice recognition, and now even typing patterns can enable biometric technology authentication.
A startup called TypingDNA has been working on a new tool that will enable one to authenticate using a typing pattern that is specific to the individual. The service is available as a Chrome-based extension and essentially takes a snapshot of your typing pattern to be used as authentication to your account. Even if someone were to capture your credentials, they would not be able to log into your account if they do not match your typing pattern signature.
The trouble with 2FA is that it becomes very cumbersome and inconvenient. An advantage to TypingDNA’s method is that you do not need your mobile device to authenticate, but it is arguably not as secure as using one-time passwords. With biometrics, there is always the chance of false acceptance, which is the allowance of an individual who should not have access.
Regardless, it is undeniable that we are fast approaching the end of days for the password as a sole means of authentication and very soon it may be obsolete. Last April, Microsoft released an app that allows you sign directly into your account using a one-time password similar to the Google authenticator, but without also having to provide a set password. This is one of the first steps by the software giant towards cutting out the antiquated method of account authentication.
Ultimately, no matter the choice, choosing some form of multifactor authentication will make it more difficult for an adversary to compromise your account; and with so many choices, most of which are free, the decision to switch to 2FA should be a no-brainer.