Security isn’t a simple matter of caring or spending time reading manuals or being told what you can or can’t do. Security is understanding how to view the world from a different perspective: instead of functional does it work, viewing it as how can I break it. In our personal lives, it's how can someone misuse this? Be it our social media pictures, accounts, and so on. This is a skill that people build over time, and it’s completely appropriate to start out small. If you can do nothing else, consider the access to your accounts, professional, banking, and social media. Consider how hard a malicious actor needs to work to gain access to these. Then layer on restrictions to limit the likelihood. What do I mean by “layering”? Consider someone looking to steal a vehicle.
- A vehicle unlocked and parked on the street can easily be picked up in an opportunistic attack. This is how I would view an account with a poor or easily guessable password. Whilst it may have a password, there are automated tools that can test a list of common passwords against it, and if the account has appeared in a breach, the attacker may already know the username/password combination to use.
- A vehicle that’s locked and parked on a quiet street, whilst still vulnerable, is more secure than the first. This is how I would view a secure password.
- A vehicle that’s locked and stored in a secure garage requires knowledge and skill to steal. It also requires motivation for that specific vehicle. This is how I would view an account using a secure password and a second form of authentication.
What Is the Difference Between Two-Factor Authentication and Two-Step Verification?
To understand this, you need to understand what multi-factor is: something you have, something you know, and something you are. Those are the three separate pieces that together prove who you are. The more pieces that are used as validation, the lower the likelihood that someone else will be able to authenticate themselves as you. There are further options available, but these three are the most commonly used. A form of multi-factor authentication is two-factor authentication, which requires only two of the following: something you know, something you have, and something you are. Some examples of “something you know”:
- Password/passphrase
- Answer to a security question
- PIN
Some examples of “something you have”:
- SMS: Have you received SMS text messages containing a verification code? This is a form of multi-factor authentication! Whilst there are limitations on the security of this option, remember the car examples. It is better than no second piece.
- App: There are many options out there, both paid (Duo, for example) and free (Authy/Google Authenticator). These apps give you two options after password entry: first, you can use them to generate a verification code for a synced account; and second, you can request a push notification, at which point you can ‘approve’ or ‘decline’ sign-in.
- Physical token: if you have ever heard of Yubikey, it’s one of the most well-known forms of physical- or hardware token-based authentication. Using this option, you enter a password and then plug in the device (or touch it to something) to authenticate yourself. Usually, your account has an additional option approved, such as an app or SMS, in case you lose the token.
- Device: Apple and Google both provide options to ‘approve’ or ‘decline’ sign-in from devices already enrolled to do so after you have entered the password.
A few examples of “something you are”:
- Fingerprint ID
- Face ID
- Voice ID
Two-step verification is similar to two-factor authentication; however, instead of using two different means of authentication, you make use of two pieces from the same category identified above. For example, entering two separate passwords: the first needs to be validated as correct before the second password is requested, but they are both something you know.
Choosing the Right Option for Me
Oftentimes, I’m asked how to choose between the above options. I want to preface my advice with the fact that even if not perfect, any additional form of authentication, be it SMS-based, multi-factor, or two-step verification is a positive move forward.
- Are you confident you can keep track of your devices and keep them up to date? You can choose whichever you prefer. That being said, app- and token-based are considered the industry standard.
- Do you have a limited budget and expect to be changing between devices often? You may consider token or SMS-based, as from what I have seen, multi-device, app-based authentication may require a subscription.
- Do you expect to be changing devices soon? Consider token- or SMS-based MFA. SMS isn't as secure and has known issues, but even as a minimal extra layer it does help, at least by giving you time to change the password if it is found in a breach.
- Do you struggle with keeping track of your devices? Neither token- nor app-based may be the best solution for you (unless syncing is available in that app). Consider SMS-based, again, with an awareness of the limitations.
The above are just a few examples for personal and/or family use. There are additional considerations for individuals who want to choose what option is right for them. If you are an organization, it is your responsibility to provide industry-standard authentication to employees to help them protect their accounts, your infrastructure, and ultimately be a part of both the security and privacy program. If you’re an application provider, it is your responsibility to provide a variety of options for consumers - I would argue both by design and by default, at no additional cost.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.